sethc.exe

  • File Path: C:\WINDOWS\SysWOW64\sethc.exe
  • Description: Accessibility shortcut keys

Hashes

Type    Hash
MD5     0E6CDF17D71D663ECA4659AAA94735DB
SHA1    7BF5163B0F870AD28B6C60B5EEDF6E667990B356
SHA256  408E8B6C66411A1F3E05E5FD330B1B921E63FE3DBDF436C17F9670FE72BA76B6
SHA384  84DF2514C33622078577E40717B9A24A41B4EA404C33E898756EA35E3D1B28CF3716395833C55724EA46DF6AE02BBDDE
SHA512  D1AE02BC7D8BA87836B31DCB5DFE069A80ED87617127198A6FEA9594D2941F56CA19EC095EDA765177501A52DFB9DF4E997F768ADBCD5AA490C5E04E4A3C2504
SSDEEP  1536:P+a0Kgw4XuTQD4gyB0HN5g5r1qzWO0vmTZB1+hKW/Gzg30:f0K2+T0Kut5g5lAg30

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sethc.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.449 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.449
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File                                         Score
C:\Windows\SysWOW64\EaseOfAccessDialog.exe   47
C:\Windows\SysWOW64\EaseOfAccessDialog.exe   44
C:\Windows\SysWOW64\EaseOfAccessDialog.exe   47
C:\WINDOWS\SysWOW64\EaseOfAccessDialog.exe   43
C:\Windows\SysWOW64\sethc.exe                50
C:\Windows\SysWOW64\sethc.exe                54

Possible Misuse

The following examples, grouped by source and source file (license in parentheses), show possible misuse of sethc.exe. While sethc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

sigma / proc_creation_win_install_reg_debugger_backdoor.yml (DRL 1.0)
  • - 'sethc.exe'

sigma / proc_creation_win_stickykey_like_backdoor.yml (DRL 1.0)
  • - 'sethc.exe'

sigma / proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml (DRL 1.0)
  • CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'

sigma / registry_event_stickykey_like_backdoor.yml (DRL 1.0)
  • - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'

atomic-red-team / T1546.008.md (MIT License. © 2018 Red Canary)
  • Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)
  • | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe |
  • Replace sticky keys binary (sethc.exe) with cmd.exe
  • copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
  • takeown /F C:\Windows\System32\sethc.exe /A
  • icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
  • copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
  • copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe

signature-base / cn_pentestset_scripts.yar (CC BY-NC 4.0)
  • $s1 = "success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| " ascii /* PEStudio Blacklist: strings */

signature-base / cn_pentestset_tools.yar (CC BY-NC 4.0)
  • description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
  • description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
  • description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe"
  • $s2 = "\dllcache\sethc.exe" fullword ascii
  • $s2 = "\sethc.exe /G everyone:F" fullword ascii /* PEStudio Blacklist: strings */
  • $s1 = "\sethc.exe /G everyone:F" fullword ascii /* PEStudio Blacklist: strings */
  • $s3 = "\dllcache\sethc.exe" fullword ascii
  • $s3 = "\sethc.exe /G everyone:F" fullword ascii /* PEStudio Blacklist: strings */

signature-base / thor_inverse_matches.yar (CC BY-NC 4.0)
  • description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP"
  • $s4 = "SETHC.EXE" wide fullword
  • filename == "sethc.exe"

MIT License. Copyright (c) 2020-2021 Strontic.