Static task: static1
Behavioral task: behavioral1 (Sample: wordpad.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: wordpad.exe, Resource: win10v2004-20230220-en)
General
Target: wordpad.exe
Size: 2.9MB
MD5: 91f992550eaf33609b8c27c680402eba
SHA1: c918680174f05d7ca59a9e4767aa46ea8a778c96
SHA256: ac345cb597e9e4f096758aadb2348723a94097ede015a08643e3c76665e8d627
SHA512: 59485f0a74afc71b315bfca535556ee0ec4d602bd77072647e62a475584e49aa9cdd64e6cc4d9d5f678d0ed089e4a08dfb0a7ae5137a7e8b18b475559fd594da
SSDEEP: 24576:Lvkwi/7Vv0SMwmdLUVPxnHfaJPf2FxvNEYr8oSUGeP9PDkjjqXB:LW74LU5xn/aJwxvWCXSZeP9PDk3W
Malware Config
Signatures
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
resource: wordpad.exe
Files
wordpad.exe.exe (windows x64)
Password: 23233
c39e5d6f53a750d16a1f75ba9c6a4004
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
EventWriteTransfer
EventRegister
RegOpenKeyExW
RegCloseKey
EventUnregister
DuplicateEncryptionInfoFile
EventSetInformation
RegQueryValueExW
RegGetValueW
RegQueryInfoKeyW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegSetValueExW
RegEnumValueW
kernel32
GlobalAddAtomW
DeleteAtom
WideCharToMultiByte
SetThreadPriority
Sleep
CreateFileW
ReadFile
GetShortPathNameW
GetModuleHandleA
GetTempPathW
GetTempFileNameW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
SetThreadpoolTimer
CreateThreadpoolTimer
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSectionEx
InitOnceBeginInitialize
InitOnceComplete
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
GetProcAddress
ResumeThread
AddAtomW
HeapSetInformation
GlobalDeleteAtom
GetVersion
lstrcmpA
GlobalSize
FindResourceW
GlobalGetAtomNameW
GetNumberFormatEx
GetFileAttributesW
GetModuleFileNameW
GetTimeFormatW
GetDateFormatW
EnumTimeFormatsW
EnumDateFormatsExW
GetLocaleInfoEx
CloseHandle
GetLocalTime
GetLocaleInfoW
FreeLibrary
GetLongPathNameW
lstrcmpiW
lstrcmpW
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
LoadLibraryW
LocalAlloc
LocalFree
CompareStringOrdinal
DeleteFileW
MoveFileW
lstrlenW
MulDiv
IsDebuggerPresent
DebugBreak
SetCurrentDirectoryW
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
GetLastError
FormatMessageW
ReleaseMutex
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
HeapAlloc
WaitForSingleObject
GetCurrentThreadId
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
OutputDebugStringA
WakeAllConditionVariable
SleepConditionVariableSRW
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
CreateThread
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
CompareFileTime
FileTimeToSystemTime
SystemTimeToFileTime
GetSystemTime
InitializeCriticalSection
CreateDirectoryW
SetFilePointer
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
VirtualQuery
GetSystemInfo
RaiseException
LoadLibraryExA
VirtualProtect
GetProcessMitigationPolicy
CopyFileW
MultiByteToWideChar
FileTimeToDosDateTime
WriteFile
gdi32
CombineRgn
CreateDIBSection
EnumFontFamiliesExW
CreateFontW
GetTextFaceW
Rectangle
GetViewportOrgEx
GetMetaFileBitsEx
DeleteMetaFile
CloseMetaFile
SetWindowExtEx
SetWindowOrgEx
CreateMetaFileA
DeleteObject
CreateRectRgnIndirect
CreateRectRgn
CloseEnhMetaFile
DeleteDC
CreateEnhMetaFileW
GetTextMetricsW
CreateSolidBrush
BitBlt
CreateCompatibleDC
GetObjectW
Polyline
SelectObject
CreatePen
GdiGradientFill
PtVisible
RectVisible
ExtTextOutW
Escape
CreateICW
SetMetaFileBitsEx
ScaleWindowExtEx
TextOutW
GetTextExtentPoint32W
CreateFontIndirectW
DPtoLP
CreateDCW
DeleteEnhMetaFile
GetDeviceCaps
user32
SetActiveWindow
EnableWindow
GetWindowLongPtrW
SetWindowLongPtrW
GetWindowTextW
SetWindowTextW
IsWindow
GetMenuItemInfoW
InsertMenuW
InvalidateRect
ShowCaret
HideCaret
UpdateWindow
PtInRect
GetMonitorInfoW
MonitorFromWindow
RegisterClipboardFormatW
OffsetRect
LoadIconW
SetRectEmpty
GetWindowRect
GetClassInfoW
GrayStringW
DrawTextW
TabbedTextOutW
IsRectEmpty
GetKeyboardLayout
TrackMouseEvent
GetDlgCtrlID
GetSysColor
ScreenToClient
MonitorFromRect
IntersectRect
CopyRect
PostMessageW
GetFocus
IsDlgButtonChecked
GetDlgItem
SetWindowLongW
GetWindowLongW
SetGestureConfig
GetGestureInfo
CloseGestureInfoHandle
PostQuitMessage
IsWindowVisible
ClientToScreen
IsClipboardFormatAvailable
CountClipboardFormats
GetParent
GetClientRect
ReleaseCapture
SetCapture
GetCapture
GetKeyState
GetSystemMetrics
DestroyMenu
SetRect
GetWindow
OemToCharBuffA
CharToOemBuffA
GetPropW
DeleteMenu
GetMenuItemID
RegisterWindowMessageW
ReleaseDC
GetDC
SendMessageW
DefWindowProcW
SetWindowsHookExW
UnhookWindowsHookEx
CallNextHookEx
SetCursor
DestroyCursor
ShowScrollBar
GetCursorPos
LoadImageW
LoadBitmapW
SystemParametersInfoW
SendDlgItemMessageW
ShowWindow
LoadCursorW
FillRect
GetSubMenu
GetMenuStringW
GetMenuItemCount
IsMenu
CreatePopupMenu
CreateMenu
SetWindowRgn
SetFocus
SetTimer
KillTimer
DialogBoxParamW
LoadStringW
EndDialog
SetForegroundWindow
IsIconic
SendMessageTimeoutW
GetClassNameW
EnumWindows
FindWindowW
DrawEdge
mfc42u
ord1859
ord1945
ord4589
ord1726
ord1036
ord3639
ord6455
ord6379
ord2133
ord613
ord1931
ord4599
ord650
ord1055
ord3889
ord1029
ord2132
ord2900
ord2129
ord2138
ord1387
ord4609
ord5700
ord4860
ord6216
ord3920
ord904
ord2105
ord2087
ord6130
ord3099
ord1584
ord312
ord408
ord528
ord3879
ord1035
ord3894
ord3593
ord3280
ord1972
ord5369
ord5366
ord6887
ord6886
ord3007
ord626
ord1040
ord1126
ord620
ord1122
ord624
ord6050
ord6021
ord2187
ord6772
ord2409
ord4436
ord2846
ord1284
ord622
ord625
ord1264
ord2781
ord2975
ord5887
ord2925
ord4601
ord5980
ord1287
ord4521
ord2783
ord1425
ord2909
ord4375
ord1422
ord2393
ord3166
ord3830
ord328
ord1061
ord311
ord827
ord4556
ord336
ord851
ord354
ord865
ord5672
ord6851
ord4813
ord2565
ord4473
ord5090
ord6614
ord1463
ord1677
ord2408
ord2676
ord1574
ord286
ord2262
ord1646
ord3647
ord1838
ord6416
ord2827
ord6415
ord1559
ord6221
ord4296
ord3783
ord2427
ord3790
ord1647
ord1471
ord6880
ord6541
ord4273
ord4295
ord4294
ord451
ord946
ord3416
ord287
ord488
ord966
ord2525
ord3962
ord2199
ord1562
ord1566
ord2553
ord1498
ord2517
ord464
ord5880
ord1662
ord2270
ord1499
ord465
ord955
ord1712
ord3361
ord1653
ord2468
ord4859
ord495
ord852
ord2212
ord494
ord972
ord1375
ord1344
ord2527
ord2906
ord3963
ord6705
ord1442
ord6773
ord2202
ord2186
ord3306
ord6374
ord6331
ord4328
ord4623
ord6632
ord2801
ord376
ord2098
ord3604
ord504
ord977
ord3282
ord3601
ord6464
ord6586
ord3994
ord3595
ord2417
ord4014
ord3586
ord1991
ord4843
ord4840
ord4678
ord4686
ord1428
ord1874
ord1410
ord1893
ord1810
ord3114
ord1073
ord1082
ord270
ord799
ord4780
ord4988
ord4371
ord3164
ord4077
ord4083
ord4082
ord3046
ord3052
ord3231
ord4815
ord3362
ord3243
ord3049
ord5699
ord2140
ord2457
ord1735
ord5484
ord3932
ord6814
ord2060
ord2670
ord4789
ord5229
ord4017
ord5712
ord4694
ord6812
ord5586
ord2399
ord5662
ord4752
ord1778
ord4365
ord6440
ord5367
ord5370
ord4879
ord4884
ord4881
ord4899
ord4901
ord4886
ord4690
ord4682
ord5496
ord4887
ord5288
ord4946
ord4777
ord4984
ord3386
ord3365
ord4732
ord5215
ord5252
ord5362
ord4769
ord5989
ord5894
ord1753
ord2513
ord6769
ord3147
ord3142
ord5064
ord1361
ord5956
ord5436
ord3556
ord3059
ord4467
ord6092
ord5021
ord4989
ord5871
ord5511
ord4762
ord5408
ord4964
ord3191
ord5432
ord4841
ord4844
ord5410
ord5317
ord5001
ord4870
ord5431
ord2195
ord2448
ord5354
ord3270
ord5216
ord5253
ord5363
ord6174
ord4770
ord4983
ord3484
ord3373
ord4319
ord5878
ord5007
ord4727
ord5018
ord5368
ord4864
ord4842
ord5433
ord5009
ord5034
ord5100
ord5411
ord5324
ord5527
ord5430
ord5987
ord2895
ord2812
ord1783
ord4833
ord3414
ord5821
ord6834
ord2014
ord3748
ord3366
ord5663
ord3933
ord1736
ord5683
ord3535
ord1067
ord995
ord337
ord338
ord4557
ord5077
ord3761
ord4771
ord5702
ord1777
ord6437
ord5406
ord5245
ord4721
ord5687
ord1774
ord6801
ord2425
ord2024
ord4543
ord2592
ord4746
ord3805
ord665
ord911
ord2329
ord2351
ord5694
ord2764
ord1443
ord2629
ord1436
ord371
ord877
ord5602
ord3997
ord1977
ord1803
ord2754
ord2757
ord2756
ord2647
ord3928
ord2325
ord4344
ord3177
ord2661
ord1781
ord2665
ord2586
ord4741
ord3743
ord822
ord2422
ord2023
ord4542
ord2589
ord4743
ord3751
ord832
ord331
ord6351
ord4424
ord4127
ord4565
ord5509
ord387
ord890
ord1441
ord5674
ord1536
ord3038
ord6099
ord6607
ord6096
ord6599
ord4668
ord6603
ord6407
ord6577
ord6238
ord6133
ord6138
ord6015
ord6076
ord5896
ord5886
ord6448
ord6228
ord3760
ord4806
ord2644
ord6612
ord6815
ord4862
ord5467
ord4124
ord6610
ord1316
ord5441
ord4703
ord4952
ord3234
ord1966
ord6102
ord2775
ord4774
ord3174
ord5091
ord2919
ord5615
ord5068
ord2405
ord524
ord3675
ord2530
ord6136
ord5306
ord4947
ord5839
ord4784
ord1674
ord2671
ord5704
ord5659
ord4364
ord4461
ord2920
ord3536
ord5420
ord3481
ord4633
ord4817
ord5524
ord5521
ord3141
ord2750
ord5807
ord3662
ord6823
ord3778
ord3258
ord3266
ord3262
ord2613
ord6114
ord6398
ord3440
ord4491
ord6739
ord1297
ord2829
ord2977
ord1489
ord4621
ord4442
ord660
ord6131
ord6511
ord4554
ord321
ord837
ord3862
ord3742
ord3939
ord3936
ord1537
ord6235
msvcrt
_CxxThrowException
memset
memmove
memcpy
memcmp
__RTDynamicCast
__CxxFrameHandler3
_vsnwprintf
memcpy_s
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBD@Z
memmove_s
wcstod
wcstok_s
_wtol
wcstoul
_wtoi
_errno
_purecall
_itow_s
_itow
iswspace
free
_wcsdup
abort
___mb_cur_max_func
__crtLCMapStringW
__crtGetStringTypeW
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
wcscmp
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
malloc
wcstol
_wcsicmp
swprintf_s
wcscpy_s
__pctype_func
___lc_handle_func
___lc_codepage_func
__mb_cur_max
setlocale
comdlg32
GetFileTitleW
CommDlgExtendedError
shell32
ShellAboutW
SHGetSpecialFolderPathW
SHAddToRecentDocs
ord165
SHCreateItemFromParsingName
SHCreateItemInKnownFolder
ShellExecuteW
DragFinish
DragQueryFileW
ole32
StgOpenStorage
ReadClassStg
OleLoad
PropVariantCopy
CreateStreamOnHGlobal
StringFromGUID2
ReleaseStgMedium
StringFromCLSID
OleRegGetUserType
CoInitialize
CoUninitialize
OleInitialize
ProgIDFromCLSID
OleUninitialize
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
CoGetMalloc
OleSave
WriteClassStg
OleDuplicateData
PropVariantClear
CoTaskMemAlloc
StgOpenStorageEx
CLSIDFromString
CoCreateGuid
IIDFromString
CoCreateInstance
CoTaskMemFree
CoRegisterActivationFilter
shlwapi
StrCmpIW
PathIsFileSpecW
PathFindFileNameW
ord158
PathFindExtensionW
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
StrCmpNIW
SHStrDupW
ord628
PathAddBackslashW
ntdll
RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
comctl32
ord345
ImageList_GetImageCount
ImageList_ReplaceIcon
ImageList_Draw
ImageList_Remove
ord381
oleaut32
SysStringByteLen
SysAllocString
SysStringLen
SafeArrayCreateVector
SafeArrayPutElement
SafeArrayDestroy
SafeArrayCopy
VarDecFromI4
VariantClear
VarR8FromDec
SysFreeString
VariantInit
VarDecFromR8
propsys
PropVariantToUInt32WithDefault
PropVariantToUInt32
PropVariantToString
rpcrt4
RpcStringFreeW
UuidCreate
UuidToStringW
winmm
timeGetTime
urlmon
CreateUri
xmllite
CreateXmlWriter
Sections
.text Size: 612KB - Virtual size: 612KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 383KB - Virtual size: 383KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 25KB - Virtual size: 30KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 232B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1.9MB - Virtual size: 1.9MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 20KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ