net1.exe

  • File Path: C:\WINDOWS\SysWOW64\net1.exe
  • Description: Net Command

Hashes

Type Hash
MD5 273E0728384712F7379BAEA05DB5939C
SHA1 55A7BAD09BFB7E63038BE117BE2CDEDBC449BE53
SHA256 517CFC40DDEB8A94FA6F0DB4F7B5CF5C25BC3B72D598198ADDD6B7ECA52997B0
SHA384 72211D7C074A31B5920D05E6F1DA1073BD4F63F09328FBE39617000E9A8AB2BE9ECB46B2824FDEE6C792F338FFC8EB81
SHA512 D2AFD130E331CFC5460394176B24522AC137A0E0E92079CE8525BC3E3703B6D495709157C7A665A396E3E0379FEC15C1F8723E2ECAC6C4E0A68C892E6B1ED152
SSDEEP 3072:NMbjeHZ7AkaTCNM6bP4QmIb7kZs1h5PMAOpA6DN0HXAsleK8HBCR0:qSxbPLX7Om2qXAssK8HBg0
IMP 859D6FC43DB1B2623B162E81C4A3567C
PESHA1 873FFE0FAC685286D6B8CB5CC8DFB01CED4DC92A
PE256 0CEBE10663288AB0B39E335FEE851A6FE19671E8E0477F45E35FBE198A55A695

Runtime Data

Usage (stdout):

The syntax of this command is:

NET HELP
command
     -or-
NET command /HELP

  Commands available are:

  NET ACCOUNTS             NET HELPMSG              NET STATISTICS
  NET COMPUTER             NET LOCALGROUP           NET STOP
  NET CONFIG               NET PAUSE                NET TIME
  NET CONTINUE             NET SESSION              NET USE
  NET FILE                 NET SHARE                NET USER
  NET GROUP                NET START                NET VIEW
  NET HELP

  NET HELP NAMES explains different types of names in NET HELP syntax lines.
  NET HELP SERVICES lists some of the services you can start.
  NET HELP SYNTAX explains how to read NET HELP syntax lines.
  NET HELP command | MORE displays Help one screen at a time.


Usage (stderr):

The syntax of this command is:

NET
    [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
      STATISTICS | STOP | TIME | USE | USER | VIEW ]

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\net1.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: net1.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/517cfc40ddeb8a94fa6f0db4f7b5cf5c25bc3b72d598198addd6b7eca52997b0/detection

Possible Misuse

The following table contains possible examples of net1.exe being misused. While net1.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_mal_ryuk.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_net_enum.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_net_user_add.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_net_use_admin_share.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_remote_time_discovery.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'net1.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_service_execution.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_service_stop.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_susp_mounted_share_deletion.yml Image\|endswith: '\net1.exe' DRL 1.0
sigma proc_creation_win_susp_net_execution.yml - '\net1.exe' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\net1.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.