KingdomCome[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

KingdomCome.exe
Size

1.3MB
MD5

bb4873718b2e74ad66d1635f35a9d040
SHA1

c161350afb9531ddc2564b9e609607176e74fde1
SHA256

5a6dafcd77be7e6e76de7e03913549a7298dc4c70e9ad6c11c40c8d1ed89532c
SHA512

f442501120dd4a9f6bff1a0fea727d14c1292814a1d4d90060fa245378bc4323639920bcc1afdde00f024208a47e20de34f88de7bd65e5555cd466762132a745
SSDEEP

12288:d7VsMwcIOiogQ7H8DyRPHfCujMqfG7MCyQFgLrztmq7Oit7Jbje0lFZ/a:dpNxIKqyjbe77hFgLrztmqlJbC0F8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
KingdomCome.exe

Files

KingdomCome.exe
.exe windows:6 windows x64 arch:x64

04b18429abc004650249a3264fa78b76

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

e:\buildagent\work\7391f8e90d60fe0d\bin\Win64MasterMasterGogPGO\KingdomCome.pdb

Imports

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

kernel32

GetSystemTimeAsFileTime
GetCurrentProcessId
GetCommandLineA
GetEnvironmentVariableW
SetEnvironmentVariableW
GetFullPathNameA
IsDebuggerPresent
GetLastError
CreateMutexA
Sleep
GetCurrentProcess
TerminateProcess
FreeLibrary
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
LocalFree
FormatMessageA
LoadLibraryA
SetCurrentDirectoryW
GetCurrentDirectoryW
GetFileAttributesW
CloseHandle
QueryPerformanceCounter
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
InitializeSListHead
GetCurrentThreadId
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
GetStartupInfoW
UnhandledExceptionFilter

user32

LoadIconA
GetDlgItem
GetDesktopWindow
MessageBoxA
GetClientRect
SetWindowTextA
CreateDialogParamA
MessageBoxW
SendMessageA
SetForegroundWindow
UnregisterClassA
ShowWindow
SetWindowPos

shell32

SHCreateDirectoryExA

ole32

CoInitializeEx

msvcp140

?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ

shlwapi

StrStrIA

vcruntime140

__CxxFrameHandler3
memcpy
memset
wcsrchr
__C_specific_handler
__vcrt_InitializeCriticalSectionEx
__std_exception_copy
__std_exception_destroy
_CxxThrowException
strstr
strrchr
_purecall
memmove

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
_register_thread_local_exe_atexit_callback
exit
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
terminate
_get_narrow_winmain_command_line
_initterm
_initterm_e
_exit
_c_exit

api-ms-win-crt-string-l1-1-0

strcpy_s

api-ms-win-crt-heap-l1-1-0

_callnewh
free
malloc
_set_new_mode

api-ms-win-crt-filesystem-l1-1-0

_wstat32
_findnext64
_findclose
_findfirst64

api-ms-win-crt-time-l1-1-0

_time64
_localtime64_s

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__acrt_iob_func
fopen_s
fclose
__p__commode
fflush
__stdio_common_vfprintf
__stdio_common_vsprintf

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Exports

Exports

AmdPowerXpressRequestHighPerformance
NvOptimusEnablement

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 21B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

04b18429abc004650249a3264fa78b76

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

user32

shell32

ole32

msvcp140

shlwapi

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 25KB - Virtual size: 25KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 3KB - Virtual size: 4KB

.pdata Size: 2KB - Virtual size: 2KB

.tls Size: 512B - Virtual size: 21B

.gfids Size: 512B - Virtual size: 64B

.rsrc Size: 1.2MB - Virtual size: 1.2MB

.reloc Size: 512B - Virtual size: 156B

.text
Size: 25KB - Virtual size: 25KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 3KB - Virtual size: 4KB

.pdata
Size: 2KB - Virtual size: 2KB

.tls
Size: 512B - Virtual size: 21B

.gfids
Size: 512B - Virtual size: 64B

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

.reloc
Size: 512B - Virtual size: 156B