w32tm.exe
- File Path: C:\windows\system32\w32tm.exe
- Description: Windows Time Service Diagnostic Tool
Hashes
Type | Hash |
---|---|
MD5 | 4E4062218CD5C40069E2130E3167C0D6 |
SHA1 | 0D7A26BE585B23D841899A053F91008F69F816FC |
SHA256 | 21FFF3ACF14AF70E22D23028DC26BEE58C8394707C61618AE1D35866DC9C4D51 |
SHA384 | 2FE3A8CD50C77616820693F140C23C6B9E8B9680EAC0579402CDFD04A99E17EF7F92BA0B0385BEFE31A55649A88B724D |
SHA512 | 0073D92F6B2B8B6BA2E8D8B657933972875E3B4379A7BBA59BCB3177FEB99E9F8B120E5554FB969576F34CA254CBAF05658A4349AE963D8FB8522FAA3E2C278F |
SSDEEP | 1536:xYGoDYpHygP5FQwowTX3BwEdlk+HaEYkr/s+ZA7kCC+Kp9Ma4ZGVje:xboox9v3q+HaqrRCCZpWa4Z4a |
Signature
- Status: The file C:\windows\system32\w32tm.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: w32time.dll.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of w32tm.exe being misused. While w32tm.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_remote_time_discovery.yml | - Image\|endswith: '\w32tm.exe' | DRL 1.0 |
malware-ioc | misp_invisimole.json | "description": "The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nAn adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.", | © ESET 2014-2018 |
atomic-red-team | T1124.md | System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service) | MIT License. © 2018 Red Canary |
atomic-red-team | T1124.md | w32tm /tz | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.