sethc.exe

  • File Path: C:\WINDOWS\system32\sethc.exe
  • Description: Accessibility shortcut keys

Hashes

Type Hash
MD5 0BCF9C8FBF8E5F042DA2B14AEA166E92
SHA1 A568CDE365A00F184C82EA1F1E189E04B4C0BE94
SHA256 8645CE8236E4E17CDA5914556FB76E578ABFE4996CE367D1E3DFA3F53B221139
SHA384 4280DD5694FC4E34BCB339D6C836066ACCAB49FD63FFC371E11F28C01FD74683C36C20CE2C16E3660594DE9E2D3D9E79
SHA512 0F714A907B00AE735E866173A50C29E57914C6EC568C05C939B63DBD427E099310CB55AD3BF969634F6BB2FDC09D75B10396A7213C07269A253E46120BC101E2
SSDEEP 3072:4bwcAX4iKIf/zVHqaL96pZyOpfPiFIdhP5fhYHJ3h7w:MwcUtqhBiF33h
IMP FED48C57AAEFE98E1A80FD6C1DB1365B
PESHA1 3E000062602AE6A5FB35E68ECF568C96F8936B41
PE256 238433783A923DD7C51EC22C23AE2B68ACA820591641333A6AA7146A6055445B

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\sethc.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sethc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/8645ce8236e4e17cda5914556fb76e578abfe4996ce367d1e3dfa3f53b221139/detection

Possible Misuse

The following table contains possible examples of sethc.exe being misused. While sethc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_install_reg_debugger_backdoor.yml - 'sethc.exe' DRL 1.0
sigma proc_creation_win_stickykey_like_backdoor.yml - 'sethc.exe' DRL 1.0
sigma proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Replace sticky keys binary (sethc.exe) with cmd.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md takeown /F C:\Windows\System32\sethc.exe /A MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
signature-base cn_pentestset_scripts.yar $s1 = “success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| “ ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s1 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Sethc.exe has been replaced - Indicates Remote Access Hack RDP” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “SETHC.EXE” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “sethc.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.