timeout.exe

  • File Path: C:\WINDOWS\system32\timeout.exe
  • Description: timeout - pauses command processing

Runtime Data

Usage (stdout):


TIMEOUT [/T] timeout [/NOBREAK] 

Description:
    This utility accepts a timeout parameter to wait for the specified
    time period (in seconds) or until any key is pressed. It also 
    accepts a parameter to ignore the key press. 

Parameter List:
    /T        timeout       Specifies the number of seconds to wait.
                            Valid range is -1 to 99999 seconds.

    /NOBREAK                Ignore key presses and wait specified time.

    /?                      Displays this help message.

NOTE: A timeout value of -1 means to wait indefinitely for a key press.

Examples:
    TIMEOUT /?
    TIMEOUT /T 10
    TIMEOUT /T 300 /NOBREAK
    TIMEOUT /T -1

Usage (stderr):

ERROR: Invalid value for timeout (/T) specified. Valid range is -1 to 99999.

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\timeout.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: timeout.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/0ede7a9ea4ab00c558364d7fff59833fe9f3dbd805a23578a75b5fd5a6a06b05/detection

Possible Misuse

The following table contains possible examples of timeout.exe being misused. While timeout.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_susp_del.yml | #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit | DRL 1.0 |
| malware-ioc | nukesped_lazarus | ==== :timeout | © ESET 2014-2018 |
| malware-ioc | kessel_config.ksy | - id: timeout | © ESET 2014-2018 |
| malware-ioc | sshdoor.yar | $usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]" | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | linux-index.md | - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | macos-index.md | - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session | MIT License. © 2018 Red Canary |
| atomic-red-team | T1040.md | TIMEOUT /T 5 >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | \| timeout \| Timeout period before ending process (seconds) \| Integer \| 1\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | ##### Description: The whois and timeout commands must be present | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | which whois && which timeout | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | echo "Please install timeout and the whois package" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | timeout 5 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | This process is very slow and test execution may timeout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | \| timeout \| Timeout period before shutdown (seconds) \| Integer \| 1\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown /s /t #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | \| timeout \| Timeout period before restart (seconds) \| Integer \| 1\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown /r /t #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | \| timeout \| Time to restart (can be minutes or specific time) \| String \| now\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown -r #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | \| timeout \| Time to shutdown (can be minutes or specific time) \| String \| now\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1529.md | shutdown -h #{timeout} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.002.md | * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.003.md | Within Linux and MacOS systems, sudo (sometimes referred to as “superuser do”) allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command “allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.”(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.003.md | - Atomic Test #2 - Unlimited sudo cache timeout | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.003.md | ## Atomic Test #2 - Unlimited sudo cache timeout | MIT License. © 2018 Red Canary |
| signature-base | apt_apt15.yar | $s6 = "Cmd timeout %d" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_aus_parl_compromise.yar | $x1 = "not a valid timeout format!" ascii wide fullword | CC BY-NC 4.0 |
| signature-base | apt_emissary.yar | $s2 = "execute cmd timeout." fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s1 = "Active connections will be maintained for this tunnel. Timeout:" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $x2 = "[-] timeout waiting for response - target may have crashed" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp.yar | $s5 = "WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds). Setting default" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $s4 = "Timeout waiting for daemon to die. Exploit probably failed." fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_eqgrp_apr17.yar | $x1 = "Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_lazarus_dec20.yar | $g4 = "session.timeout=600" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_triton_mal_sshdoor.yar | $a_usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]" | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occured 2 times */ | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s4 = "Mutex object did not timeout, list not patched" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s5 = "Mutex object did not timeout, list not patched" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_empire.yar | $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_empire.yar | $s2 = "1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }" fullword ascii | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s3 = "Timeout waiting for the "canInstallNow" event from the implant-specific EXE!" | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $s1 = "usage: %s " fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword | CC BY-NC 4.0 |
| stockpile | 10fad81e-3f68-47be-83b6-fbee7711c6a9.yml | timeout: 300 | Apache-2.0 |
| stockpile | 1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml | timeout: 80 | Apache-2.0 |
| stockpile | 5f844ac9-5f24-4196-a70d-17f0bd44a934.yml | Commandline = 'cmd.exe /c "timeout /nobreak /t 10 >nul 2>nul & del /f #{location}"'; | Apache-2.0 |
| stockpile | 5a4cb2be-2684-4801-9355-3a90c91e0004.yml | timeout: 180 | Apache-2.0 |
| stockpile | 95727b87-175c-4a69-8c7a-a5d82746a753.yml | timeout: 300 | Apache-2.0 |
| stockpile | 3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml | $req.TimeOut = 50000; | Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | # Linux distros should include timeout making this easy. | Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | # We expect timeout to return a 124, which needs to then return a 0 | Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | timeout 60 ./xmrig-6.11.2/xmrig; | Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | timeout: 120 | Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | # MacOS does not include timeout, but can mimic the process with screen. | Apache-2.0 |
| stockpile | 78524da1-f347-4fbb-9295-209f1f408330.yml | timeout: 120 | Apache-2.0 |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


timeout

Pauses the command processor for the specified number of seconds. This command is typically used in batch files.

Syntax

timeout /t <timeoutinseconds> [/nobreak]

Parameters

| Parameter | Description |
| --- | --- |
| /t <timeoutinseconds> | Specifies the decimal number of seconds (between -1 and 99999) to wait before the command processor continues processing. The value -1 causes the computer to wait indefinitely for a keystroke. |
| /nobreak | Specifies to ignore user key strokes. |
| /? | Displays help at the command prompt. |

Remarks

  • A user keystroke resumes the command processor execution immediately, even if the timeout period has not expired.

  • When used in conjunction with the resource kit’s Sleep tool, timeout is similar to the pause command.

Examples

To pause the command processor for ten seconds, type:

timeout /t 10

To pause the command processor for 100 seconds and ignore any keystroke, type:

timeout /t 100 /nobreak

To pause the command processor indefinitely until a key is pressed, type:

timeout /t -1

MIT License. Copyright (c) 2020-2021 Strontic.