sethc.exe

  • File Path: C:\windows\system32\sethc.exe
  • Description: Accessibility shortcut keys

Hashes

Type Hash
MD5 F00FAB17E7FE21D930AA4A6CABD2381F
SHA1 F8DF7CD7482FCF621924C97BBB44DF380CC612BB
SHA256 746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC
SHA384 713BBEC0EDB327F6BF5AEDA7CF275B645A6145EAED79ECABA3AF730C514DC5F162E2E79C3A8967E8571D5B6A0FA6E812
SHA512 6EDEF670E6DED9B7F82A87B06C683654C155C5A5E17ACD9720A5F13AE50B6CEC9E14C14536CCFE4E7B0C62064CFEB28AF132479E94797E276A0FFCB981236F18
SSDEEP 6144:9aytK6jeTAf89AlGr66uFz2LJGRg4kLNnei36cw:wytMbyFCdUc

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sethc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\EaseOfAccessDialog.exe 66
C:\windows\system32\EaseOfAccessDialog.exe 63
C:\Windows\system32\EaseOfAccessDialog.exe 65
C:\Windows\system32\EaseOfAccessDialog.exe 68
C:\Windows\system32\sethc.exe 72
C:\Windows\system32\sethc.exe 61
C:\windows\system32\sethc.exe 61
C:\Windows\SysWOW64\EaseOfAccessDialog.exe 69
C:\Windows\SysWOW64\EaseOfAccessDialog.exe 60
C:\windows\SysWOW64\EaseOfAccessDialog.exe 68
C:\Windows\SysWOW64\EaseOfAccessDialog.exe 66
C:\Windows\SysWOW64\sethc.exe 74
C:\windows\SysWOW64\sethc.exe 63
C:\Windows\SysWOW64\sethc.exe 74
C:\Windows\SysWOW64\sethc.exe 63

Possible Misuse

The following table contains possible examples of sethc.exe being misused. While sethc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\sethc.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe sethc.exe *' DRL 1.0
atomic-red-team T1546.008.md Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as “sticky keys”, and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit) MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Replace sticky keys binary (sethc.exe) with cmd.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md takeown /F C:\Windows\System32\sethc.exe /A MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe MIT License. © 2018 Red Canary
signature-base cn_pentestset_scripts.yar $s1 = “success = obj.run("cmd /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| “ ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe” CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s2 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s1 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\dllcache\sethc.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = “\sethc.exe /G everyone:F” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Sethc.exe has been replaced - Indicates Remote Access Hack RDP” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “SETHC.EXE” wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “sethc.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.