Notepad[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Notepad.exe
Size

1.2MB
MD5

774973e87183de11cc5531c7c279cba7
SHA1

8830e0f25e5a3c85e8ed94fa5fb8039638717ed8
SHA256

80ce6126afaf292c24d5dc1e7734d4f6a9c0e691d1bfd1967c77740349863c4b
SHA512

779cb74f03dfc7730d8ac143a14603605bf41600ce715d659eddf7ec9f60a610771201ba2fbf31b62a08e79d7b6334bdcb25f5b551f1b589512e0e58a3fcaff8
SSDEEP

24576:bgaz04oA419SH2E1qvdMEcUP8LLh0lhSMXloK+974CO5LcaLwc0y:8x4h4/SH2E1DL6t+974COJK

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Notepad.exe

Files

Notepad.exe
.exe windows:6 windows x64 arch:x64

dc344e076e5094401dd2ef20b7946f88

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\_work\1\b\Notepad\Notepad.pdb

Imports

shlwapi

PathFindExtensionW
UrlEscapeW
PathIsNetworkPathW
PathIsFileSpecW
PathFileExistsW

kernel32

GetFileAttributesW
GetFileInformationByHandle
WideCharToMultiByte
WriteFile
SetEndOfFile
LocalUnlock
GetFileAttributesExW
MultiByteToWideChar
LocalLock
AreFileApisANSI
DeviceIoControl
FindFirstFileW
LocalAlloc
CreateFileW
FindClose
GetFullPathNameW
CopyFileW
SetFileInformationByHandle
MoveFileExW
UnmapViewOfFile
CreateEventExW
GetFileInformationByHandleEx
CreateSymbolicLinkW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
WaitForSingleObject
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
LoadLibraryExW
WakeAllConditionVariable
RegisterApplicationRestart
InterlockedPushEntrySList
LoadLibraryW
GetCurrentProcessId
K32GetModuleFileNameExW
GetProcessId
FreeLibrary
GetCurrentProcess
RaiseException
DuplicateHandle
OpenProcess
CreateFileMappingW
MapViewOfFile
DebugBreak
GetProcessHeap
CreateMutexExW
GetProcAddress
HeapAlloc
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseMutex
GetModuleHandleExW
ReleaseSemaphore
VerSetConditionMask
VerifyVersionInfoW
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
SetEvent
FindNextFileW
FindFirstFileExW
CreateDirectoryW
GlobalUnlock
GlobalLock
GetCommandLineW
GetLocaleInfoEx
GetACP
MulDiv
DeleteFileW
FormatMessageA
FindResourceW
SizeofResource
LockResource
LoadResource
GetCurrentPackageFullName
ParseApplicationUserModelId
GetLocaleInfoW
GetUserDefaultUILanguage
GetLocalTime
GetDateFormatW
GetTimeFormatW
GetCurrentApplicationUserModelId
CreateEventW
GetStartupInfoW
CreateThreadpoolTimer
CloseThreadpoolTimer
GetModuleHandleW
WaitForThreadpoolTimerCallbacks
CloseHandle
SetThreadpoolTimer
SetLastError
FindNLSString
SetCurrentDirectoryW
GlobalFree
GetWindowsDirectoryW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CompareStringOrdinal
GetLastError
IsDebuggerPresent
FormatMessageW
GetCurrentThreadId
OutputDebugStringW
LocalFree
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GlobalAlloc
SleepConditionVariableSRW
UnhandledExceptionFilter

user32

GetWindowRect
EnableMenuItem
GetSystemMenu
MonitorFromPoint
IsChild
SetWindowTextW
SetDlgItemTextW
GetDlgCtrlID
SetFocus
GetDlgItem
EndDialog
GetDpiForWindow
DialogBoxParamW
DestroyAcceleratorTable
IsZoomed
GetKeyboardState
GetNextDlgTabItem
SetWindowsHookExW
CallNextHookEx
GetClassNameW
GetProcessDefaultLayout
CopyRect
DrawIconEx
PostThreadMessageW
GetSysColor
SystemParametersInfoW
GetClientRect
PostMessageW
SetScrollInfo
GetActiveWindow
GetMenu
GetScrollInfo
IsIconic
TranslateAcceleratorW
SetParent
SetForegroundWindow
CreateWindowExW
ClientToScreen
GetGUIThreadInfo
SetWindowRgn
GetSystemMetricsForDpi
SendDlgItemMessageW
GetDpiForSystem
GetDesktopWindow
DrawTextExW
CreateDialogParamW
GetWindowTextW
GetWindowTextLengthW
IsDialogMessageW
PeekMessageW
SetProcessDefaultLayout
LoadImageW
LoadIconW
GetMonitorInfoW
MonitorFromWindow
GetWindowPlacement
CharUpperW
SetWindowPlacement
GetParent
SetRect
GetWindow
TranslateMessage
SetWindowLongW
MoveWindow
EqualRect
GetDlgItemTextW
CharNextW
ScreenToClient
GetKeyboardLayout
GetWindowLongPtrW
CreateAcceleratorTableW
DispatchMessageW
GetMessageW
GetCursorPos
MapWindowPoints
GetWindowThreadProcessId
DefWindowProcW
GetFocus
GetForegroundWindow
SetWindowPos
PostQuitMessage
RemovePropW
RedrawWindow
EndPaint
BeginPaint
KillTimer
SetTimer
FillRect
GetSysColorBrush
GetWindowLongW
GetKeyState
TrackPopupMenuEx
CloseClipboard
IsClipboardFormatAvailable
OpenClipboard
RegisterClassExW
SetPropW
SetWindowLongPtrW
EnumWindows
SetActiveWindow
ShowWindow
EnableWindow
IsWindowVisible
IsHungAppWindow
IsWindowEnabled
AllowSetForegroundWindow
LoadCursorW
SetCursor
SetScrollPos
InvalidateRect
UpdateWindow
GetDC
ReleaseDC
SendMessageW
DestroyWindow
PtInRect
SetThreadDpiAwarenessContext

shell32

DragQueryFileW
ShellExecuteExW
CommandLineToArgvW
DragFinish
SHCreateItemFromParsingName
ShellExecuteW
DragAcceptFiles
SHAddToRecentDocs
SHGetKnownFolderPath

ole32

CoWaitForMultipleHandles
CoCreateFreeThreadedMarshaler
RevokeDragDrop
CoTaskMemFree
CoCreateInstance
CoUninitialize
CoInitializeEx
PropVariantClear
OleUninitialize
OleInitialize
CoTaskMemAlloc
RegisterDragDrop

advapi32

EventUnregister
DuplicateEncryptionInfoFile
EventRegister
GetTokenInformation
CreateProcessAsUserW
OpenProcessToken
EventSetInformation
RegCloseKey
RegGetValueW
DecryptFileW
EventWriteTransfer
RegDeleteKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegOpenKeyExW

crypt32

CryptBinaryToStringW
CryptStringToBinaryW

urlmon

FindMimeFromData

propsys

PropVariantToStringVectorAlloc
PSGetPropertyDescriptionListFromString

comdlg32

CommDlgExtendedError
GetFileTitleW
PrintDlgExW
PageSetupDlgW

gdi32

CreateDCW
SetViewportExtEx
SetWindowExtEx
SetAbortProc
DeleteObject
LPtoDP
CreateRectRgn
CreateFontIndirectW
SetMapMode
CreateSolidBrush
CreateCompatibleDC
GetStockObject
CreateDIBSection
BitBlt
GetDeviceCaps
SetBkMode
GetTextMetricsW
EndPage
SelectObject
AbortDoc
StartDocW
EnumFontsW
EnumFontFamiliesExW
EndDoc
DeleteDC
StartPage
GetTextExtentPoint32W
TextOutW

oleaut32

GetErrorInfo
SysFreeString
SysAllocString
SysAllocStringLen
SetErrorInfo
SysStringLen

comctl32

ord410
ord413

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsCreateString
WindowsCreateStringReference
WindowsDeleteString

icu

u_vformatMessage

winspool.drv

GetPrinterDriverW
OpenPrinterW
ClosePrinter

dwmapi

DwmDefWindowProc
DwmExtendFrameIntoClientArea
DwmGetWindowAttribute
DwmSetWindowAttribute

uxtheme

OpenThemeData
DrawThemeTextEx
CloseThemeData
GetThemeSysFont

msvcp140

?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?id@?$numpunct@_W@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
_Thrd_join
_Thrd_id
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
_Cnd_destroy_in_situ
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?_Xbad_alloc@std@@YAXXZ
?id@?$numpunct@D@std@@2V0locale@2@A
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
_Cnd_do_broadcast_at_thread_exit
_Mbrtowc
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?exceptions@ios_base@std@@QEAAXH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?swap@?$basic_iostream@DU?$char_traits@D@std@@@std@@IEAAXAEAV12@@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z
?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z
_Cnd_init_in_situ
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
_Cnd_wait
_Cnd_signal
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?is@?$ctype@_W@std@@QEBA_NF_W@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?id@?$collate@_W@std@@2V0locale@2@A
??1_Locinfo@std@@QEAA@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
_Mtx_unlock
_Mtx_lock
?_Throw_Cpp_error@std@@YAXH@Z
?fail@ios_base@std@@QEBA_NXZ
_Wcsxfrm
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
_Wcscoll
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
??Bid@locale@std@@QEAA_KXZ
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?__ExceptionPtrRethrow@@YAXPEBX@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Xbad_function_call@std@@YAXXZ
?uncaught_exceptions@std@@YAHXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
_Query_perf_frequency
_Query_perf_counter
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Mtx_init_in_situ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
_Mtx_destroy_in_situ
?_Xlength_error@std@@YAXPEBD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z

msvcp140_atomic_wait

__std_atomic_notify_one_direct
__std_atomic_wait_direct
__std_atomic_notify_all_direct

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
memcmp
memmove
memset
_CxxThrowException
memcpy
__current_exception_context
__current_exception
strchr
__std_exception_copy
__std_exception_destroy
_purecall
__C_specific_handler
wcschr

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
abort
_configure_narrow_argv
_register_thread_local_exe_atexit_callback
_invalid_parameter_noinfo
_c_exit
_errno
terminate
_invalid_parameter_noinfo_noreturn
_exit
exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment

api-ms-win-crt-string-l1-1-0

wcscpy_s
wcsncpy_s
_wcsicmp
wcsnlen
iswspace
iswdigit
toupper

api-ms-win-crt-stdio-l1-1-0

fflush
_get_stream_buffer_pointers
fclose
fwrite
__p__commode
__stdio_common_vswprintf
_set_fmode
setvbuf
fsetpos
fgetpos
__stdio_common_vsnprintf_s
fputc
_fseeki64
fread
ungetc
fgetc

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-heap-l1-1-0

calloc
_set_new_mode
free
realloc
malloc
_callnewh

api-ms-win-crt-math-l1-1-0

_dclass
_ldclass
_fdclass
_fdsign
ceilf
_dsign
_ldsign
__setusermatherr

api-ms-win-crt-convert-l1-1-0

wcstol

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale

api-ms-win-core-featurestaging-l1-1-0

GetFeatureEnabledState
RecordFeatureUsage
SubscribeFeatureStateChangeNotification
UnsubscribeFeatureStateChangeNotification

bcrypt

BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider

Sections

.text
Size: 693KB - Virtual size: 693KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 400KB - Virtual size: 399KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 69KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dc344e076e5094401dd2ef20b7946f88

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shlwapi

kernel32

user32

shell32

ole32

advapi32

crypt32

urlmon

propsys

comdlg32

gdi32

oleaut32

comctl32

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

icu

winspool.drv

dwmapi

uxtheme

msvcp140

msvcp140_atomic_wait

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-core-featurestaging-l1-1-0

bcrypt

Sections

.text Size: 693KB - Virtual size: 693KB

.rdata Size: 400KB - Virtual size: 399KB

.data Size: 69KB - Virtual size: 74KB

.pdata Size: 31KB - Virtual size: 31KB

.rsrc Size: 57KB - Virtual size: 57KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 693KB - Virtual size: 693KB

.rdata
Size: 400KB - Virtual size: 399KB

.data
Size: 69KB - Virtual size: 74KB

.pdata
Size: 31KB - Virtual size: 31KB

.rsrc
Size: 57KB - Virtual size: 57KB

.reloc
Size: 4KB - Virtual size: 3KB