D:\a\_work\1\b\Notepad\Notepad.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: Notepad.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Notepad.exe
  Resource: win10v2004-20240426-en
General
- Target: Notepad.exe
- Size: 1.5MB
- MD5: e517e3748e8a5b4e603b4486cdff9dfd
- SHA1: 49b38bb31c4f5f221c2d4df6b1bc5bfedaeaabce
- SHA256: 3cb9cf0477bbd257ac2b55c55e5897210a869c06da24249172239f4537ca4205
- SHA512: 8067ac37a2ad1aea6f27748a6019238b50be6659b45afd8b6c1dbc25e8d4d695ec392c8cad6e9ee7fa1cfd88a2008fdea15f7c7b95b07fb088ca8686da7678ae
- SSDEEP: 24576:QMOU75R/iVNS2W/LnJ1EcvdMEcUPNL9/Th0lhSMXlz+974COxoD7/7Z7i7q787QE:+U75RuNS2W/7ZMj+974COxa7/7Z7i7qP
Malware Config
Signatures
- Unsigned PE (1 IoCs): checks for missing Authenticode signature.
  resource: Notepad.exe
Files
- Notepad.exe.exe windows:6 windows x64 arch:x64
  2f798e61e9f49c9139e0ba2540ebeb68
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
shlwapi
PathFindExtensionW
PathIsNetworkPathW
PathIsFileSpecW
PathFileExistsW
UrlEscapeW
kernel32
CreateFileW
LocalAlloc
FindFirstFileW
DeleteFileW
GetFileAttributesW
GetFileInformationByHandle
WideCharToMultiByte
WriteFile
SetEndOfFile
LocalUnlock
GetFileAttributesExW
FreeLibrary
MultiByteToWideChar
LocalLock
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
UnmapViewOfFile
FindClose
GetFullPathNameW
CreateEventExW
InterlockedPushEntrySList
WaitForSingleObject
SetUnhandledExceptionFilter
GetCurrentProcessId
TerminateProcess
GetProcessId
IsProcessorFeaturePresent
SetFileInformationByHandle
AreFileApisANSI
WakeAllConditionVariable
GetCurrentProcess
SleepConditionVariableSRW
QueryPerformanceCounter
RegisterApplicationRestart
GetSystemTimeAsFileTime
LoadLibraryW
DuplicateHandle
K32GetModuleFileNameExW
OpenProcess
InitializeSListHead
GetWindowsDirectoryW
CreateFileMappingW
MapViewOfFile
FindNextFileW
RaiseException
FindFirstFileExW
SetEvent
LoadLibraryExW
TrySubmitThreadpoolCallback
CreateDirectoryW
DebugBreak
GetProcessHeap
CreateMutexExW
GetProcAddress
HeapAlloc
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseMutex
GetModuleHandleExW
ReleaseSemaphore
VerSetConditionMask
VerifyVersionInfoW
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
GetLocaleInfoEx
FormatMessageA
EncodePointer
GetCommandLineW
GlobalUnlock
GlobalLock
GetACP
CreateEventW
CreateSymbolicLinkW
FindResourceW
SizeofResource
LockResource
LoadResource
MulDiv
GetFileInformationByHandleEx
GetLocaleInfoW
GetUserDefaultUILanguage
GetLocalTime
GetDateFormatW
GetTimeFormatW
GetCurrentPackageFullName
GetStartupInfoW
ParseApplicationUserModelId
GetCurrentApplicationUserModelId
VirtualQuery
CreateThreadpoolTimer
GetModuleHandleW
CloseThreadpoolTimer
CloseHandle
FindNLSString
WaitForThreadpoolTimerCallbacks
SetLastError
SetThreadpoolTimer
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CompareStringOrdinal
GetLastError
IsDebuggerPresent
FormatMessageW
GetCurrentThreadId
OutputDebugStringW
LocalFree
MoveFileExW
CopyFileW
SetCurrentDirectoryW
GlobalFree
GlobalAlloc
DeviceIoControl
user32
SetWindowTextW
SetDlgItemTextW
GetDlgCtrlID
GetDpiForWindow
SetFocus
GetKeyboardState
GetNextDlgTabItem
SetWindowsHookExW
CallNextHookEx
GetClassNameW
GetProcessDefaultLayout
CopyRect
DrawIconEx
PostThreadMessageW
GetSysColor
SystemParametersInfoW
SetScrollInfo
GetScrollInfo
TranslateAcceleratorW
SetParent
CreateWindowExW
ClientToScreen
GetGUIThreadInfo
SetWindowRgn
GetSystemMetricsForDpi
SendDlgItemMessageW
GetDpiForSystem
GetDesktopWindow
DrawTextExW
CreateDialogParamW
GetWindowTextW
GetWindowTextLengthW
IsDialogMessageW
PeekMessageW
SetProcessDefaultLayout
LoadImageW
LoadIconW
GetMonitorInfoW
MonitorFromWindow
GetWindowPlacement
CharUpperW
SetWindowPlacement
GetParent
SetRect
GetWindow
SetWindowLongW
MoveWindow
EqualRect
GetDlgItemTextW
CharNextW
ScreenToClient
GetKeyboardLayout
GetWindowLongPtrW
CreateAcceleratorTableW
GetCursorPos
MapWindowPoints
GetWindowThreadProcessId
DefWindowProcW
GetFocus
GetForegroundWindow
SetWindowPos
PostQuitMessage
RemovePropW
RedrawWindow
EndPaint
BeginPaint
KillTimer
SetTimer
FillRect
GetSysColorBrush
GetWindowLongW
GetKeyState
IsChild
CloseClipboard
IsClipboardFormatAvailable
OpenClipboard
RegisterClassExW
SetPropW
SetWindowLongPtrW
SendMessageW
DestroyWindow
PtInRect
TrackPopupMenuEx
IsZoomed
GetSystemMenu
EnableMenuItem
GetWindowRect
MonitorFromPoint
SetThreadDpiAwarenessContext
ReleaseDC
GetDC
UpdateWindow
InvalidateRect
SetScrollPos
SetCursor
LoadCursorW
AllowSetForegroundWindow
IsWindowEnabled
IsHungAppWindow
DispatchMessageW
TranslateMessage
GetMessageW
IsWindowVisible
GetActiveWindow
EnableWindow
ShowWindow
SetActiveWindow
EnumWindows
SetForegroundWindow
IsIconic
PostMessageW
GetClientRect
DestroyAcceleratorTable
DialogBoxParamW
EndDialog
GetDlgItem
shell32
ShellExecuteExW
SHCreateItemFromParsingName
ShellExecuteW
SHAddToRecentDocs
SHGetKnownFolderPath
CommandLineToArgvW
DragFinish
DragQueryFileW
DragAcceptFiles
ole32
PropVariantClear
CoWaitForMultipleHandles
CoInitializeEx
OleInitialize
CoCreateFreeThreadedMarshaler
RegisterDragDrop
CoGetObjectContext
CoGetApartmentType
CoCreateInstance
CoTaskMemFree
CoUninitialize
RevokeDragDrop
OleUninitialize
CoTaskMemAlloc
advapi32
DuplicateEncryptionInfoFile
EventWriteTransfer
EventUnregister
CreateProcessAsUserW
OpenProcessToken
EventRegister
EventSetInformation
GetTokenInformation
RegGetValueW
RegCloseKey
RegDeleteKeyExW
DecryptFileW
RegOpenKeyExW
RegEnumValueW
RegQueryInfoKeyW
crypt32
CryptStringToBinaryW
CryptBinaryToStringW
urlmon
FindMimeFromData
propsys
PSGetPropertyDescriptionListFromString
PropVariantToStringVectorAlloc
comdlg32
CommDlgExtendedError
PrintDlgExW
GetFileTitleW
PageSetupDlgW
gdi32
GetDeviceCaps
SetViewportExtEx
DeleteObject
CreateRectRgn
SetWindowExtEx
CreateSolidBrush
LPtoDP
GetStockObject
CreateDCW
CreateFontIndirectW
CreateDIBSection
BitBlt
SelectObject
SetBkMode
GetTextMetricsW
GetTextExtentPoint32W
SetMapMode
EndPage
CreateCompatibleDC
AbortDoc
EndDoc
EnumFontsW
TextOutW
EnumFontFamiliesExW
DeleteDC
StartDocW
SetAbortProc
StartPage
oleaut32
SysAllocStringLen
SysAllocString
SysStringLen
SysFreeString
SetErrorInfo
GetErrorInfo
comctl32
ord410
ord413
api-ms-win-core-winrt-l1-1-0
RoGetActivationFactory
api-ms-win-core-winrt-string-l1-1-0
WindowsCreateString
WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateStringReference
icu
u_vformatMessage
winspool.drv
GetPrinterDriverW
OpenPrinterW
ClosePrinter
dwmapi
DwmDefWindowProc
DwmSetWindowAttribute
DwmExtendFrameIntoClientArea
DwmGetWindowAttribute
uxtheme
OpenThemeData
DrawThemeTextEx
CloseThemeData
GetThemeSysFont
msvcp140
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Incref@facet@locale@std@@UEAAXXZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
_Mbrtowc
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Throw_Cpp_error@std@@YAXH@Z
?_Xbad_alloc@std@@YAXXZ
?fail@ios_base@std@@QEBA_NXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?id@?$numpunct@_W@std@@2V0locale@2@A
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
_Thrd_join
_Thrd_id
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
_Cnd_destroy_in_situ
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?id@?$numpunct@D@std@@2V0locale@2@A
_Cnd_do_broadcast_at_thread_exit
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?exceptions@ios_base@std@@QEAAXH@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
_Mtx_unlock
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?pbackfail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?swap@?$basic_iostream@DU?$char_traits@D@std@@@std@@IEAAXAEAV12@@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?uncaught_exceptions@std@@YAHXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z
?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z
_Query_perf_frequency
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
_Cnd_init_in_situ
_Cnd_wait
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
_Thrd_yield
_Cnd_signal
?__ExceptionPtrDestroy@@YAXPEAX@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
_Query_perf_counter
?is@?$ctype@_W@std@@QEBA_NF_W@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$collate@_W@std@@2V0locale@2@A
_Wcsxfrm
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
_Wcscoll
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Winerror_map@std@@YAHH@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Xout_of_range@std@@YAXPEBD@Z
_Mtx_lock
?_Xlength_error@std@@YAXPEBD@Z
_Mtx_destroy_in_situ
_Mtx_init_in_situ
?_Syserror_map@std@@YAPEBDH@Z
msvcp140_atomic_wait
__std_atomic_wait_direct
__std_atomic_notify_one_direct
__std_atomic_notify_all_direct
vcruntime140_1
__CxxFrameHandler4
vcruntime140
__std_terminate
__std_exception_copy
__std_exception_destroy
_purecall
__C_specific_handler
memcmp
memset
wcschr
_CxxThrowException
__current_exception_context
memcpy
__current_exception
memmove
strchr
api-ms-win-crt-runtime-l1-1-0
_configure_narrow_argv
_beginthreadex
abort
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
terminate
_crt_atexit
_invalid_parameter_noinfo_noreturn
_register_thread_local_exe_atexit_callback
_c_exit
_exit
exit
_initterm_e
_initterm
_errno
_invalid_parameter_noinfo
_seh_filter_exe
_get_narrow_winmain_command_line
_set_app_type
_cexit
api-ms-win-crt-string-l1-1-0
wcscpy_s
iswdigit
wcsncpy_s
wcsnlen
iswspace
_wcsicmp
api-ms-win-crt-stdio-l1-1-0
_set_fmode
__stdio_common_vswprintf
_get_stream_buffer_pointers
fclose
fwrite
__p__commode
fsetpos
setvbuf
fputc
__stdio_common_vsnprintf_s
__stdio_common_vsprintf
fgetc
ungetc
fread
_fseeki64
fflush
fgetpos
api-ms-win-crt-filesystem-l1-1-0
_lock_file
_unlock_file
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
___lc_codepage_func
localeconv
api-ms-win-crt-math-l1-1-0
_dsign
__setusermatherr
ceilf
_dclass
_fdclass
_ldclass
_ldsign
_fdsign
api-ms-win-crt-convert-l1-1-0
strtoll
wcstol
strtoull
strtod
api-ms-win-crt-heap-l1-1-0
_callnewh
free
calloc
realloc
malloc
_set_new_mode
api-ms-win-core-featurestaging-l1-1-0
UnsubscribeFeatureStateChangeNotification
GetFeatureEnabledState
SubscribeFeatureStateChangeNotification
RecordFeatureUsage
bcrypt
BCryptHashData
BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptFinishHash
Sections
- .text (Size: 839KB, Virtual size: 839KB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .rdata (Size: 469KB, Virtual size: 469KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .data (Size: 114KB, Virtual size: 119KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .pdata (Size: 39KB, Virtual size: 38KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .rsrc (Size: 57KB, Virtual size: 57KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .reloc (Size: 5KB, Virtual size: 4KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ