wordpad.pdb
Static task: static1
Behavioral task: behavioral1 (sample: wordpad.exe, resource: win7-20240221-en)
Behavioral task: behavioral2 (sample: wordpad.exe, resource: win11-20240508-en)
General
Target: wordpad.exe
Size: 2.8MB
MD5: 7582f2957eede095a0268bcb8f554fdf
SHA1: 1321f389e9ae0319c242a96811248dd322d46629
SHA256: ceeaea0096992ff5750703e3340340ebfc9bb43fbf814eb79ba77336084c8b29
SHA512: 7c3f51a0557eaafce55aca8c2db9d88996ee289ac28a8584f6cd19adfab967d3147b17a1d0711fa16ebba3dbcbc2776feda66d347fbaf3f2f369bbb8795dec26
SSDEEP: 49152:/prlWo64m1qQa6jGESyZiwbZRm5zsEYcxvWCXSZeP9PDkX2:dxvyeP9PDk
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: wordpad.exe
Files
wordpad.exe (exe, windows:10, windows x64, arch:x64)
9ec42c3fe253b9dea774e1547bbf1f43
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
advapi32
EventWriteTransfer
EventRegister
RegOpenKeyExW
RegCloseKey
EventUnregister
DuplicateEncryptionInfoFile
RegQueryValueExW
RegGetValueW
EventSetInformation
RegQueryInfoKeyW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegSetValueExW
RegEnumValueW
kernel32
GlobalSize
lstrcmpA
GetVersion
GlobalDeleteAtom
HeapSetInformation
AddAtomW
ResumeThread
SetCurrentDirectoryW
GlobalAddAtomW
DeleteAtom
WideCharToMultiByte
SetThreadPriority
Sleep
CreateFileW
ReadFile
GetShortPathNameW
GetModuleHandleA
GetTempPath2W
GetTempFileNameW
FindResourceExW
SizeofResource
LoadResource
LockResource
GetProcAddress
GlobalGetAtomNameW
GetNumberFormatEx
GetFileAttributesW
GetModuleFileNameW
GetTimeFormatW
GetDateFormatW
EnumTimeFormatsW
EnumDateFormatsExW
GetLocaleInfoEx
GetLocalTime
GetLocaleInfoW
FreeLibrary
GetLongPathNameW
lstrcmpiW
lstrcmpW
GlobalFree
GlobalUnlock
GlobalLock
CloseHandle
GlobalAlloc
GetACP
LoadLibraryW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
LocalAlloc
LocalFree
CompareStringOrdinal
DeleteFileW
MoveFileW
lstrlenW
MulDiv
IsDebuggerPresent
DebugBreak
FindResourceW
DecodePointer
EncodePointer
GetStringTypeW
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
GetLastError
FormatMessageW
ReleaseMutex
GetModuleFileNameA
CreateSemaphoreExW
HeapFree
SetLastError
ReleaseSemaphore
GetModuleHandleExW
HeapAlloc
WaitForSingleObject
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionEx
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
WakeAllConditionVariable
SleepConditionVariableSRW
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
CreateThread
RegisterApplicationRecoveryCallback
RegisterApplicationRestart
CompareFileTime
FileTimeToSystemTime
SystemTimeToFileTime
GetSystemTime
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
VirtualQuery
GetSystemInfo
RaiseException
LoadLibraryExA
VirtualProtect
CopyFileW
MultiByteToWideChar
FileTimeToDosDateTime
WriteFile
SetFilePointer
CreateDirectoryW
InitializeCriticalSection
gdi32
SetWindowExtEx
CreateDIBSection
EnumFontFamiliesExW
CreateFontW
GetTextFaceW
Rectangle
GetViewportOrgEx
GetMetaFileBitsEx
DeleteMetaFile
CloseMetaFile
CreateCompatibleDC
SetWindowOrgEx
CreateMetaFileA
CombineRgn
CreateRectRgnIndirect
CreateRectRgn
CloseEnhMetaFile
DeleteDC
CreateEnhMetaFileW
GetTextMetricsW
CreateSolidBrush
BitBlt
GetObjectW
Polyline
DeleteObject
SelectObject
CreatePen
GdiGradientFill
PtVisible
RectVisible
ExtTextOutW
Escape
CreateICW
SetMetaFileBitsEx
ScaleWindowExtEx
TextOutW
GetTextExtentPoint32W
CreateFontIndirectW
DPtoLP
CreateDCW
DeleteEnhMetaFile
GetDeviceCaps
user32
GetWindowTextW
SetWindowTextW
IsWindow
LoadIconW
SetRectEmpty
DestroyMenu
GetClassInfoW
GrayStringW
DrawTextW
TabbedTextOutW
IsRectEmpty
GetSysColor
ScreenToClient
MonitorFromRect
GetKeyboardLayout
TrackMouseEvent
CallNextHookEx
UnhookWindowsHookEx
SetCapture
GetCapture
GetKeyState
GetSystemMetrics
SetRect
InvalidateRect
ShowCaret
SetWindowLongPtrW
GetWindowLongPtrW
LoadImageW
IntersectRect
CopyRect
PostMessageW
GetFocus
IsDlgButtonChecked
GetDlgItem
SetWindowLongW
GetWindowLongW
SetGestureConfig
GetGestureInfo
CloseGestureInfoHandle
PostQuitMessage
IsWindowVisible
GetWindow
OemToCharBuffA
CharToOemBuffA
GetPropW
SendDlgItemMessageW
ShowWindow
GetDlgCtrlID
LoadBitmapW
SystemParametersInfoW
LoadCursorW
FillRect
DrawEdge
FindWindowW
EnableWindow
SetActiveWindow
GetMonitorInfoW
MonitorFromWindow
OffsetRect
GetWindowRect
ClientToScreen
IsClipboardFormatAvailable
CountClipboardFormats
GetParent
GetClientRect
ReleaseCapture
EnumWindows
GetClassNameW
SendMessageTimeoutW
IsIconic
SetWindowsHookExW
DefWindowProcW
HideCaret
UpdateWindow
PtInRect
RegisterClipboardFormatW
RegisterWindowMessageW
ReleaseDC
GetDC
SendMessageW
SetCursor
DestroyCursor
ShowScrollBar
GetCursorPos
DeleteMenu
SetForegroundWindow
EndDialog
LoadStringW
DialogBoxParamW
KillTimer
SetTimer
SetFocus
SetWindowRgn
CreateMenu
CreatePopupMenu
IsMenu
GetMenuItemCount
GetMenuStringW
GetSubMenu
GetMenuItemInfoW
InsertMenuW
GetMenuItemID
mfc42u
ord1859
ord1945
ord4589
ord1726
ord1036
ord3639
ord6455
ord6379
ord2133
ord613
ord1931
ord4599
ord650
ord1055
ord3889
ord1029
ord2132
ord2900
ord2129
ord2138
ord1387
ord4609
ord5700
ord4860
ord6216
ord3920
ord904
ord2105
ord2087
ord6130
ord3099
ord1584
ord312
ord408
ord528
ord3879
ord1035
ord3894
ord3593
ord6886
ord6887
ord3007
ord626
ord1040
ord1126
ord620
ord1122
ord624
ord6050
ord6021
ord2187
ord6772
ord2409
ord4436
ord2846
ord1284
ord622
ord625
ord1264
ord2781
ord2975
ord5887
ord2925
ord4601
ord5980
ord1287
ord4521
ord2783
ord1425
ord2909
ord4375
ord1422
ord2393
ord3166
ord3830
ord328
ord1061
ord311
ord827
ord4556
ord336
ord851
ord354
ord865
ord5672
ord6851
ord4813
ord2565
ord4473
ord5090
ord6614
ord1463
ord1677
ord2408
ord2676
ord1574
ord286
ord2262
ord1646
ord3647
ord1838
ord6416
ord2827
ord6415
ord1559
ord6221
ord4296
ord3783
ord2427
ord3790
ord1647
ord1471
ord6880
ord6541
ord4273
ord4295
ord4294
ord451
ord946
ord3416
ord287
ord488
ord966
ord2525
ord3962
ord2199
ord1562
ord1566
ord2553
ord1498
ord2517
ord464
ord5880
ord1662
ord2270
ord1499
ord465
ord955
ord1712
ord3361
ord1653
ord2468
ord4859
ord495
ord852
ord494
ord972
ord1375
ord1344
ord2527
ord2906
ord3963
ord6705
ord1442
ord6773
ord2202
ord2186
ord3306
ord6374
ord6331
ord4328
ord4623
ord6632
ord2801
ord376
ord2098
ord3604
ord504
ord977
ord3282
ord3601
ord6464
ord6586
ord3994
ord3595
ord2417
ord4014
ord3586
ord1991
ord4843
ord4840
ord4678
ord4686
ord1428
ord1874
ord1410
ord1893
ord1810
ord3114
ord1073
ord1082
ord270
ord799
ord4780
ord4988
ord4371
ord3164
ord4077
ord4083
ord4082
ord3046
ord3052
ord3231
ord4815
ord3362
ord3243
ord3049
ord5699
ord2140
ord2457
ord1735
ord5484
ord3932
ord6814
ord2060
ord2670
ord4789
ord5229
ord4017
ord5712
ord4694
ord6812
ord5586
ord2399
ord5662
ord4752
ord1778
ord4365
ord6440
ord5367
ord5370
ord4879
ord4884
ord4881
ord4899
ord4901
ord4886
ord4690
ord4682
ord5496
ord4887
ord5288
ord4946
ord4777
ord4984
ord3386
ord3365
ord4732
ord5215
ord5252
ord5362
ord4769
ord5989
ord5894
ord1753
ord2513
ord6769
ord3147
ord3142
ord5064
ord1361
ord5956
ord5436
ord3556
ord3059
ord4467
ord6092
ord5021
ord4989
ord5871
ord5511
ord4762
ord5408
ord4964
ord3191
ord5432
ord4841
ord4844
ord5410
ord5317
ord5001
ord4870
ord5431
ord2195
ord2448
ord5354
ord3270
ord5216
ord5253
ord5363
ord6174
ord4770
ord4983
ord3484
ord3373
ord4319
ord5878
ord5007
ord4727
ord5018
ord5368
ord4864
ord4842
ord5433
ord5009
ord5034
ord5100
ord5411
ord5324
ord5527
ord5430
ord5987
ord2895
ord2812
ord1783
ord4833
ord3414
ord5821
ord6834
ord2014
ord3748
ord3366
ord5663
ord3933
ord1736
ord5683
ord3535
ord1067
ord995
ord337
ord338
ord4557
ord5077
ord3761
ord4771
ord5702
ord1777
ord6437
ord5406
ord5245
ord4721
ord5687
ord1774
ord6801
ord2425
ord2024
ord4543
ord2592
ord4746
ord3805
ord665
ord911
ord2329
ord2351
ord5694
ord2764
ord1443
ord2629
ord1436
ord371
ord877
ord5602
ord3997
ord1977
ord1803
ord2754
ord2757
ord2756
ord2647
ord3928
ord2325
ord4344
ord3177
ord2661
ord1781
ord2665
ord2586
ord4741
ord3743
ord822
ord2422
ord2023
ord4542
ord2589
ord4743
ord3751
ord832
ord331
ord6351
ord4424
ord4127
ord4565
ord5509
ord387
ord890
ord1441
ord5674
ord1536
ord3038
ord6099
ord6607
ord6096
ord6599
ord4668
ord6603
ord6407
ord6577
ord6238
ord6133
ord6138
ord6015
ord6076
ord5896
ord5886
ord6448
ord6228
ord3760
ord4806
ord2644
ord6612
ord6815
ord4862
ord5467
ord4124
ord6610
ord1316
ord5441
ord4703
ord4952
ord3234
ord1966
ord6102
ord2775
ord4774
ord3174
ord5091
ord2919
ord5615
ord5068
ord2405
ord524
ord3675
ord2530
ord6136
ord5306
ord4947
ord5839
ord4784
ord1674
ord2671
ord5704
ord5659
ord4364
ord4461
ord2920
ord3536
ord5420
ord3481
ord4633
ord4817
ord5524
ord5521
ord3141
ord2750
ord5807
ord3662
ord6823
ord3778
ord3258
ord3266
ord3262
ord2613
ord6114
ord6398
ord3440
ord4491
ord6739
ord1297
ord2829
ord2977
ord1489
ord4621
ord4442
ord660
ord6131
ord6511
ord4554
ord321
ord837
ord3862
ord3742
ord3939
ord3936
ord1537
ord6235
ord525
ord984
ord1719
ord1725
ord4612
msvcrt
__CxxFrameHandler4
__RTDynamicCast
??_V@YAXPEAX@Z
_vsnwprintf
memcpy_s
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
wcstod
wcstok_s
_wtol
wcstoul
_wtoi
_errno
_itow_s
_itow
iswspace
free
_wcsdup
_wcsicmp
memcmp
??1type_info@@UEAA@XZ
_onexit
__dllonexit
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
___lc_handle_func
_wsetlocale
__crtLCMapStringW
_unlock
_lock
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
wcstol
swprintf_s
??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@PEBD@Z
??0bad_cast@@QEAA@AEBV0@@Z
wcscpy_s
malloc
setlocale
__uncaught_exception
__pctype_func
___lc_codepage_func
calloc
___mb_cur_max_func
_ismbblead
abort
memset
wcscmp
comdlg32
GetFileTitleW
CommDlgExtendedError
shell32
ShellAboutW
ord165
SHGetSpecialFolderPathW
SHAddToRecentDocs
SHCreateItemFromParsingName
SHCreateItemInKnownFolder
ShellExecuteW
DragFinish
DragQueryFileW
ole32
ReadClassStg
OleLoad
ReleaseStgMedium
StringFromCLSID
OleRegGetUserType
CoInitialize
CoUninitialize
OleInitialize
PropVariantCopy
CreateStreamOnHGlobal
StringFromGUID2
IIDFromString
OleUninitialize
CoTaskMemFree
StgCreateDocfileOnILockBytes
CoGetMalloc
OleSave
WriteClassStg
OleDuplicateData
PropVariantClear
CoTaskMemAlloc
StgOpenStorageEx
CLSIDFromString
CoCreateGuid
StgOpenStorage
ProgIDFromCLSID
CoRegisterActivationFilter
CoCreateInstance
CreateILockBytesOnHGlobal
shlwapi
ord12
StrCmpIW
PathIsFileSpecW
PathFindFileNameW
ord158
PathFindExtensionW
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
StrCmpNIW
SHStrDupW
PathAddBackslashW
ntdll
RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry
comctl32
ord345
ImageList_GetImageCount
ImageList_ReplaceIcon
ImageList_Draw
ImageList_Remove
ord381
oleaut32
SysAllocString
SysStringLen
VarDecFromI4
SysStringByteLen
VarDecFromR8
SafeArrayCreateVector
SafeArrayPutElement
SafeArrayDestroy
SafeArrayCopy
VariantClear
VariantInit
SysFreeString
VarR8FromDec
propsys
PropVariantToUInt32WithDefault
PropVariantToUInt32
PropVariantToString
rpcrt4
RpcStringFreeW
UuidCreate
UuidToStringW
winmm
timeGetTime
urlmon
CreateUri
xmllite
CreateXmlWriter
api-ms-win-core-featurestaging-l1-1-0
RecordFeatureUsage
UnsubscribeFeatureStateChangeNotification
SubscribeFeatureStateChangeNotification
Sections
.text Size: 540KB - Virtual size: 536KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 340KB - Virtual size: 337KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 24KB - Virtual size: 29KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 28KB - Virtual size: 25KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 4KB - Virtual size: 232B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1.9MB - Virtual size: 1.9MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 24KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
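The "Unsigned PE" signature, the DLL/File Characteristics under Headers and the Sections table above are all plain PE-header facts that can be re-derived from the file. The following stdlib-only Python is an added example, not part of the sandbox report and not the sample's own code: it parses those fields from a PE32+ image, reproduces the "missing Authenticode signature" check as a test of the security data directory, and flags sections that are both writable and executable. The input is a constructed headers-only PE with the same header bits the report shows (all mitigations set, no certificate table); its section sizes and RVAs are made up.

```python
"""Header-level PE checks mirroring a sandbox static report: DllCharacteristics
decoding, the "Unsigned PE" (no Authenticode certificate table) check, and a
section-flag review. Pure stdlib. The sample PE is constructed in memory."""
import struct

DLL_CHARACTERISTICS = {  # IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0080: "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x1000: "IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
    0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
                        0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
                        0x2000: "IMAGE_FILE_DLL"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE",
                 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # certificate table used by Authenticode
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_pe64(dll_characteristics, sections, cert_size=0):
    """Constructed headers-only PE32+ image (no real code) used as test input."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: NT headers at 64
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections),
                           0, 0, 0, 240, 0x0002 | 0x0020)  # EXECUTABLE | LARGE_ADDRESS_AWARE
    opt = bytearray(240)                                  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    # The security entry holds a file offset (not an RVA); a non-zero size means
    # a WIN_CERTIFICATE blob is attached. Offset value here is arbitrary.
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    sec = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               vsize, rva, rawsize, 0, 0, 0, 0, 0, flags)
                   for name, vsize, rva, rawsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec


def analyze_pe(data):
    """Parse DOS/NT headers of a PE32+ image into the fields a static report shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                               # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic != 0x20B:
        raise ValueError("only PE32+ is handled in this example")
    (dll_chars,) = struct.unpack_from("<H", data, opt_off + 70)
    (ndirs,) = struct.unpack_from("<I", data, opt_off + 108)
    signed = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, opt_off + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        signed = cert_size > 0                            # presence only, not validity
    sections = []
    for i in range(nsections):
        name, vsize, rva, rawsize, *_rest, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "flags_raw": flags,
                         "flags": [n for b, n in SECTION_FLAGS.items() if flags & b]})
    return {"x64": machine == IMAGE_FILE_MACHINE_AMD64,
            "file_characteristics": [n for b, n in FILE_CHARACTERISTICS.items() if file_chars & b],
            "dll_characteristics_raw": dll_chars,
            "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b],
            "authenticode_present": signed, "sections": sections}


def findings(report):
    """Header-based IoCs in the style of the sandbox's signatures. A present
    certificate table only means a signature blob is attached; trust still has
    to be verified with WinVerifyTrust (signtool verify, Get-AuthenticodeSignature)."""
    out = []
    if not report["authenticode_present"]:
        out.append("Unsigned PE: no Authenticode certificate table")
    for bit, want in ((0x0040, "DYNAMIC_BASE"), (0x0100, "NX_COMPAT"), (0x4000, "GUARD_CF")):
        if not report["dll_characteristics_raw"] & bit:
            out.append(f"Missing mitigation: IMAGE_DLLCHARACTERISTICS_{want}")
    for s in report["sections"]:
        if s["flags_raw"] & 0x20000000 and s["flags_raw"] & 0x80000000:
            out.append(f"Writable+executable section: {s['name']}")
    return out


# Constructed sample with the same header bits as the report: HIGH_ENTROPY_VA,
# DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE set; no certificate table.
SAMPLE_SECTIONS = [(".text", 0x86000, 0x1000, 0x87000, 0x60000020),    # code, RX
                   (".data", 0x7400, 0x90000, 0x6000, 0xC0000040),     # data, RW
                   (".reloc", 0x5000, 0xA0000, 0x6000, 0x42000040)]    # data, R, discardable
SAMPLE_UNSIGNED = build_pe64(0xC160, SAMPLE_SECTIONS)
SAMPLE_SIGNED = build_pe64(0xC160, SAMPLE_SECTIONS, cert_size=0x1800)

if __name__ == "__main__":
    for label, blob in (("unsigned", SAMPLE_UNSIGNED), ("signed", SAMPLE_SIGNED)):
        rep = analyze_pe(blob)
        print(label, rep["dll_characteristics"], findings(rep))
```

The check reproduces only what the sandbox rule states (a missing certificate table); a file that carries a certificate table can still fail chain validation, carry a revoked certificate, or have had its signature stripped and a bogus blob appended, so on Windows finish with `signtool verify /pa /v` or `Get-AuthenticodeSignature` before treating the binary as trusted.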