sethc.exe

  • File Path: C:\WINDOWS\SysWOW64\sethc.exe
  • Description: Accessibility shortcut keys

Hashes

Type Hash
MD5 EDF67333AC7FC5506BCB75D6BAEAF069
SHA1 87C4E7F88F324C902C93670E3D11FA23A5321D85
SHA256 21C5E81D840B99627D2DA2EF4F67751BD977CB046D670ACA1863DD0816532D40
SHA384 6FB69AC8471EE2B05E9E91A7C069EB95194527D134B5036D74B75CDBD251173D08BB92B7256E5546724D151B809FDAB4
SHA512 8CA55EA8CDB259852EA3745B84A1ECE56AB4AE5B690BB78FD840D259B98A5BB39FE5AB48CB2897E62FE603D30DF5EFAADE1780263035A8310B4F668CFBC46123
SSDEEP 3072:322X6iNnd66RNpe0SO0QamgwaZf8/wmF:322FNnM6RNaOewaZf4wm
IMP 3559EBF82095A415D26ABA1DDD417B7F
PESHA1 C5D63486050CA7EC8BDDE69762FA50EB99062B3F
PE256 4C6AAC9A57F11829B2CFF1E3928B630772561E885FA859FBD878F66278B84E2E

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\sethc.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sethc.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/21c5e81d840b99627d2da2ef4f67751bd977cb046d670aca1863dd0816532d40/detection

Possible Misuse

The following table contains possible examples of sethc.exe being misused. While sethc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_install_reg_debugger_backdoor.yml - 'sethc.exe' DRL 1.0
sigma proc_creation_win_stickykey_like_backdoor.yml - 'sethc.exe' DRL 1.0
sigma proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Replace sticky keys binary (sethc.exe) with cmd.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md takeown /F C:\Windows\System32\sethc.exe /A MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
signature-base cn_pentestset_scripts.yar $s1 = “success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| “ ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s1 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Sethc.exe has been replaced - Indicates Remote Access Hack RDP” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “SETHC.EXE” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “sethc.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.