klist[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

klist.exe
Size

100KB
MD5

0944a82d2592263783eebc1f4b9a5299
SHA1

3050e81abe2090b7df41f71ef74950a1970d5628
SHA256

95f7d5646526db3fe9de8bc4d7a5a6180c5127ce8e24fe91d1a75a3240b97250
SHA512

a0f0f09a0f00c59e294826ee3067db8f25ea04bab19287189c3169c1c641e5e4376864e6fa153b78663ef43c4eb0ccea781b4c72ade26475c6ebfd0c750a06e7
SSDEEP

3072:mXp3ks7h4s+u0R6IVtxagnpFYbuSFGQJ:mXdkRttxaG+uSFGQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
klist.exe

Files

klist.exe
.exe windows:10 windows x64 arch:x64

3ccab4f521d3f8a231bd1c7969c7e518

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

klist.pdb

Imports

msvcrt

__setusermatherr
?terminate@@YAXXZ
_exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
??1type_info@@UEAA@XZ
free
_callnewh
malloc
_purecall
wcstoul
wcstol
_wcsicmp
_fmode
_lock
_unlock
sprintf_s
_snwprintf_s
__dllonexit
exit
_commode
_CxxThrowException
memmove_s
??0exception@@QEAA@XZ
_onexit
_vsnprintf_s
memcpy_s
memcpy
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
_vsnwprintf
_initterm
fwprintf
__CxxFrameHandler4
__C_specific_handler
_cexit
memcmp
_wsetlocale
__iob_func
memset

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-base-l1-1-0

GetSidSubAuthorityCount
GetSidLengthRequired
IsValidSid
CreateWellKnownSid
CopySid
GetKernelObjectSecurity
GetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetKernelObjectSecurity
DuplicateTokenEx
GetLengthSid
EqualSid
GetTokenInformation

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter

api-ms-win-core-psapi-l1-1-0

K32EnumProcesses

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-localization-l1-2-0

FormatMessageW
SetThreadUILanguage

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThread
OpenProcessToken
GetCurrentProcessId
OpenThreadToken
GetCurrentThreadId
TerminateProcess

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
LoadStringW
GetProcAddress
FreeLibrary
GetModuleHandleExW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-synch-l1-1-0

CreateMutexExW
ReleaseSRWLockShared
WaitForSingleObjectEx
EnterCriticalSection
ReleaseMutex
DeleteCriticalSection
WaitForSingleObject
OpenSemaphoreW
AcquireSRWLockShared
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
ReleaseSemaphore
CreateSemaphoreExW
LeaveCriticalSection
AcquireSRWLockExclusive

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-file-l1-1-0

WriteFile
FileTimeToLocalFileTime

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

sspicli

LsaEnumerateLogonSessions

logoncli

DsGetDcNameW

netutils

NetApiBufferFree

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

ext-ms-win-advapi32-lsa-l1-1-2

LsaNtStatusToWinError

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-security-trustee-l1-1-0

BuildTrusteeWithSidW

ntdll

RtlInitUnicodeString
RtlAdjustPrivilege
RtlInitString
RtlIpv4StringToAddressExW
NtQueryInformationToken
NtDuplicateToken
RtlInitUnicodeStringEx
NtClose
NtSetInformationThread
RtlIpv6StringToAddressExW
NtOpenThreadToken

Sections

.text
Size: 56KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 108B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3ccab4f521d3f8a231bd1c7969c7e518

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

sspicli

logoncli

netutils

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

ext-ms-win-advapi32-lsa-l1-1-2

api-ms-win-security-provider-l1-1-0

api-ms-win-security-trustee-l1-1-0

ntdll

Sections

.text Size: 56KB - Virtual size: 53KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 2KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 108B

.text
Size: 56KB - Virtual size: 53KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 108B