sethc.exe

  • File Path: C:\windows\SysWOW64\sethc.exe
  • Description: Accessibility shortcut keys

Hashes

Type Hash
MD5 5EBDA250D9AD873C3879282AC6F49FB7
SHA1 4D1E70C0C8507794E6239EEE16C54C310C3C5AA6
SHA256 10FB638DC9C7E7D0961ACE87320A0BD7CA48918BBB818038AC807B1172033C36
SHA384 73A7CEDAA9AE10B958EB76D32321E443751763413332504A77794351B0814704E556ED2B7CCA4C112DE6A078EE016CCB
SHA512 73F6FCC46FF0C84CBB3561718E3C2F28894AE203E42EE179701B14D3835FD76F19DF4595E3E55658BC0B3E1D1E97A3F1D9EB1FCDC99544A1A399A297AF625397
SSDEEP 6144:5XzrCPOj+jC6uFz2LJGRg4kLNnei36cw:QwFCdUc

Signature

  • Status: The file C:\windows\SysWOW64\sethc.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: sethc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\EaseOfAccessDialog.exe 65
C:\windows\system32\EaseOfAccessDialog.exe 82
C:\Windows\system32\EaseOfAccessDialog.exe 80
C:\Windows\system32\EaseOfAccessDialog.exe 63
C:\Windows\system32\sethc.exe 63
C:\Windows\system32\sethc.exe 79
C:\windows\system32\sethc.exe 82
C:\Windows\system32\sethc.exe 63
C:\Windows\SysWOW64\EaseOfAccessDialog.exe 65
C:\Windows\SysWOW64\EaseOfAccessDialog.exe 74
C:\windows\SysWOW64\EaseOfAccessDialog.exe 77
C:\Windows\SysWOW64\EaseOfAccessDialog.exe 65
C:\Windows\SysWOW64\sethc.exe 65
C:\Windows\SysWOW64\sethc.exe 66
C:\Windows\SysWOW64\sethc.exe 74

Possible Misuse

The following table contains possible examples of sethc.exe being misused. While sethc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\sethc.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe sethc.exe *' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Replace sticky keys binary (sethc.exe) with cmd.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md takeown /F C:\Windows\System32\sethc.exe /A MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
signature-base cn_pentestset_scripts.yar $s1 = “success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| “ ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s1 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Sethc.exe has been replaced - Indicates Remote Access Hack RDP” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “SETHC.EXE” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “sethc.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.