Windows Analysis Report
KrMhCpCNtm.exe

Overview

General Information

Sample name: KrMhCpCNtm.exe
Analysis ID: 1545844
MD5: 18fb86e828354d879698e7fefdde11a0
SHA1: 3242e65c4c9a45a57aea38bd6bfdbe990a5c543f
SHA256: 0e053da640e325971896b97f0993fbb17dd010bdc9625ca6fa4ee64c4a5f018a
Tags: exeuser-lontze7
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: KrMhCpCNtm.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: KrMhCpCNtm.exe ReversingLabs: Detection: 60%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 87.8% probability
Machine Learning detection for sample
Source: KrMhCpCNtm.exe Joe Sandbox ML: detected
Source: KrMhCpCNtm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb source: KrMhCpCNtm.exe
Source: Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb11 source: KrMhCpCNtm.exe
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: KrMhCpCNtm.exe String found in binary or memory: http://ocsp.thawte.com0
Source: KrMhCpCNtm.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: KrMhCpCNtm.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: KrMhCpCNtm.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF6673632E0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 0_2_00007FF6673632E0
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF66736F220 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF66736F220
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667362880: DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, 0_2_00007FF667362880
Detected potential crypto function
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667361CE0 0_2_00007FF667361CE0
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667361760 0_2_00007FF667361760
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF66736B770 0_2_00007FF66736B770
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF6673632E0 0_2_00007FF6673632E0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: String function: 00007FF667366260 appears 105 times
Sample file is different than original file name gathered from version info
Source: KrMhCpCNtm.exe, 00000000.00000000.1671593345.00007FF667372000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe, 00000000.00000002.1672823126.00007FF667372000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe Binary or memory string: OriginalFilenameiQVW64.SYSH vs KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe Binary string: Unknown exceptionbad array new lengthstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Can't exploit intel driver, is there any antivirus or anticheat running?[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[!] Failed to ClearWdFilterDriverListWdFilter.sys[+] WdFilter.sys not loaded, clear skippedxxx????xxH
Source: KrMhCpCNtm.exe Binary string: \Device\Nal
Source: classification engine Classification label: mal64.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF66736A700 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 0_2_00007FF66736A700
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: KrMhCpCNtm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: KrMhCpCNtm.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\KrMhCpCNtm.exe "C:\Users\user\Desktop\KrMhCpCNtm.exe"
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: KrMhCpCNtm.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KrMhCpCNtm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: KrMhCpCNtm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb source: KrMhCpCNtm.exe
Source: Binary string: C:\Users\userX\Desktop\kdmapper-master\x64\Release\kdmapper_Release.pdb11 source: KrMhCpCNtm.exe
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: KrMhCpCNtm.exe
Source: KrMhCpCNtm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KrMhCpCNtm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KrMhCpCNtm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KrMhCpCNtm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KrMhCpCNtm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF66736A700 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 0_2_00007FF66736A700
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe API coverage: 2.0 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667370910 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF667370910
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF66736A700 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 0_2_00007FF66736A700
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF66736A870 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,memcpy,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memcpy,memcpy,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF66736A870
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667370910 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF667370910
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667370120 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF667370120
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667370ABC SetUnhandledExceptionFilter, 0_2_00007FF667370ABC
Source: C:\Users\user\Desktop\KrMhCpCNtm.exe Code function: 0_2_00007FF667370B68 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF667370B68
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1545844 Sample: KrMhCpCNtm.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 64 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 Machine Learning detection for sample 2->14 16 AI detected suspicious sample 2->16 6 KrMhCpCNtm.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos