klist[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

klist.exe
Size

36KB
MD5

d15c2108d9a0356cba6b850749f920f2
SHA1

aaabe874c1c196c88e38989f3722b0d34cb845a3
SHA256

6ac1bb76543c10b5294aaf286132152757f90825efecb3c0066f5f2acc7aa1d7
SHA512

51ea0f402d6e353d77b1a35d9328f6238607f299a05bb5a3955b70c18d4b2832b04e1d28e545f36e52739d963f2864b13ff6d015fc8aa21e028d435bbf706b89
SSDEEP

768:Jp6Xn8kHYsHq1vDUkp7b6vjn4HuyD/AgzfjErQ8Fci4n8D1cSGQeOdJo3Fotta:JcRHYQqJp6vjn4Hpt7EdGQewK3Fotk

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
klist.exe

Files

klist.exe
.exe windows x64

85207cdd890ace87bf7ef7906d90318b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__wgetmainargs
memcpy
?terminate@@YAXXZ
_vsnwprintf
_XcptFilter
free
_callnewh
malloc
wcstoul
wcstol
_wcsicmp
fwprintf
sprintf_s
_snwprintf_s
exit
_wsetlocale
_amsg_exit
__iob_func
memset

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-base-l1-1-0

EqualSid
GetLengthSid
SetKernelObjectSecurity
GetTokenInformation
IsValidSid
CreateWellKnownSid
SetSecurityDescriptorDacl
CopySid
InitializeSecurityDescriptor
GetSecurityDescriptorDacl
DuplicateTokenEx
GetKernelObjectSecurity
GetSidSubAuthorityCount
GetSidLengthRequired

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter

api-ms-win-core-psapi-l1-1-0

K32EnumProcesses

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-localization-l1-2-0

FormatMessageW
SetThreadUILanguage

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
FreeLibrary
LoadStringW
GetProcAddress

api-ms-win-core-file-l1-1-0

WriteFile
FileTimeToLocalFileTime

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

sspicli

LsaEnumerateLogonSessions

logoncli

DsGetDcNameW

netutils

NetApiBufferFree

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
OpenThreadToken
GetCurrentThreadId
GetCurrentThread
TerminateProcess
GetCurrentProcessId
GetCurrentProcess

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

ext-ms-win-advapi32-lsa-l1-1-2

LsaNtStatusToWinError

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-security-trustee-l1-1-0

BuildTrusteeWithSidW

ntdll

RtlIpv6StringToAddressExW
RtlInitUnicodeString
RtlAdjustPrivilege
RtlInitString
RtlInitUnicodeStringEx
NtQueryInformationToken
NtDuplicateToken
NtOpenThreadToken
NtSetInformationThread
RtlIpv4StringToAddressExW
NtClose

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

85207cdd890ace87bf7ef7906d90318b

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-localization-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

sspicli

logoncli

netutils

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

ext-ms-win-advapi32-lsa-l1-1-2

api-ms-win-security-provider-l1-1-0

api-ms-win-security-trustee-l1-1-0

ntdll

Sections

.text Size: 20KB - Virtual size: 19KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 1024B - Virtual size: 720B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 32B

.text
Size: 20KB - Virtual size: 19KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 720B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 32B