Static task
static1
Behavioral task
behavioral1
Sample
klist.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
klist.exe
Resource
win10v2004-20230703-en
General
-
Target
klist.exe
-
Size
36KB
-
MD5
d15c2108d9a0356cba6b850749f920f2
-
SHA1
aaabe874c1c196c88e38989f3722b0d34cb845a3
-
SHA256
6ac1bb76543c10b5294aaf286132152757f90825efecb3c0066f5f2acc7aa1d7
-
SHA512
51ea0f402d6e353d77b1a35d9328f6238607f299a05bb5a3955b70c18d4b2832b04e1d28e545f36e52739d963f2864b13ff6d015fc8aa21e028d435bbf706b89
-
SSDEEP
768:Jp6Xn8kHYsHq1vDUkp7b6vjn4HuyD/AgzfjErQ8Fci4n8D1cSGQeOdJo3Fotta:JcRHYQqJp6vjn4Hpt7EdGQewK3Fotk
Malware Config
Signatures
-
Unsigned PE 1 IoCs
The sample carries no Authenticode signature (the check for a missing signature matched on this PE).
resource klist.exe
Files
-
klist.exe.exe windows x64
85207cdd890ace87bf7ef7906d90318b
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
msvcrt
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
__set_app_type
__wgetmainargs
memcpy
?terminate@@YAXXZ
_vsnwprintf
_XcptFilter
free
_callnewh
malloc
wcstoul
wcstol
_wcsicmp
fwprintf
sprintf_s
_snwprintf_s
exit
_wsetlocale
_amsg_exit
__iob_func
memset
api-ms-win-core-heap-l2-1-0
LocalFree
LocalAlloc
api-ms-win-security-base-l1-1-0
EqualSid
GetLengthSid
SetKernelObjectSecurity
GetTokenInformation
IsValidSid
CreateWellKnownSid
SetSecurityDescriptorDacl
CopySid
InitializeSecurityDescriptor
GetSecurityDescriptorDacl
DuplicateTokenEx
GetKernelObjectSecurity
GetSidSubAuthorityCount
GetSidLengthRequired
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter
api-ms-win-core-psapi-l1-1-0
K32EnumProcesses
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-libraryloader-l1-2-1
LoadLibraryW
api-ms-win-core-localization-l1-2-0
FormatMessageW
SetThreadUILanguage
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleW
FreeLibrary
LoadStringW
GetProcAddress
api-ms-win-core-file-l1-1-0
WriteFile
FileTimeToLocalFileTime
api-ms-win-core-timezone-l1-1-0
FileTimeToSystemTime
sspicli
LsaEnumerateLogonSessions
logoncli
DsGetDcNameW
netutils
NetApiBufferFree
api-ms-win-core-processthreads-l1-1-0
OpenProcessToken
OpenThreadToken
GetCurrentThreadId
GetCurrentThread
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
api-ms-win-core-processthreads-l1-1-1
OpenProcess
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-rtlsupport-l1-1-0
RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0
GetSystemTimeAsFileTime
GetTickCount
api-ms-win-core-heap-l1-1-0
HeapAlloc
GetProcessHeap
HeapFree
api-ms-win-core-console-l1-1-0
GetConsoleOutputCP
api-ms-win-core-processenvironment-l1-1-0
GetStdHandle
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
ext-ms-win-advapi32-lsa-l1-1-2
LsaNtStatusToWinError
api-ms-win-security-provider-l1-1-0
SetEntriesInAclW
api-ms-win-security-trustee-l1-1-0
BuildTrusteeWithSidW
ntdll
RtlIpv6StringToAddressExW
RtlInitUnicodeString
RtlAdjustPrivilege
RtlInitString
RtlInitUnicodeStringEx
NtQueryInformationToken
NtDuplicateToken
NtOpenThreadToken
NtSetInformationThread
RtlIpv4StringToAddressExW
NtClose
Sections
.text Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 12KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 720B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 32B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ