Notepad[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Notepad.exe
Size

936KB
MD5

7df1c8aa7a6e3dae449b25f8ef7b09ba
SHA1

867a33f328293063732a179df7ae95e897d8322f
SHA256

5430e6254023f0803ee1107108ee3f24153647967b00667d70a8e95389e685e2
SHA512

13ed5042da240c7c5149a963e3048edbef376aeaa5876cd2b9b3614b6653e4e9b28a9b120c5fd6dded0f35b7b08616e64b2dd4a8793891a3384c4d823ce41b4d
SSDEEP

24576:I1cTc23YlFzyF7iqsn2ch0lhSMXlP9alaZ:k6c23YnEM2hf

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Notepad.exe

Files

Notepad.exe
.exe windows:6 windows x64 arch:x64

abe17200a070b65ae570b3a2411584dd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\_work\1\b\Notepad\Notepad.pdb

Imports

shlwapi

SHStrDupW
PathFindExtensionW
PathIsNetworkPathW
PathIsFileSpecW
PathFileExistsW

kernel32

FindFirstFileW
DeleteFileW
GetFileAttributesW
GetFileInformationByHandle
WideCharToMultiByte
WriteFile
LocalLock
GetACP
SetEndOfFile
LocalUnlock
GetFileAttributesExW
FormatMessageA
MultiByteToWideChar
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
UnmapViewOfFile
FindClose
GetFullPathNameW
CreateEventExW
WaitForSingleObject
GetCurrentProcessId
GetProcessId
K32GetModuleFileNameExW
LocalAlloc
InitializeSListHead
GetCurrentProcess
DuplicateHandle
OpenProcess
GetWindowsDirectoryW
CreateFileMappingW
MapViewOfFile
WaitForSingleObjectEx
RaiseException
GetLocaleInfoEx
MulDiv
CreateEventW
InterlockedPushEntrySList
SetEvent
DebugBreak
GetProcessHeap
CreateMutexExW
GetProcAddress
HeapAlloc
OpenSemaphoreW
SetFileInformationByHandle
ReleaseMutex
GetModuleHandleExW
ReleaseSemaphore
HeapFree
CreateSemaphoreExW
ReadFile
GetModuleFileNameA
CompareStringOrdinal
GlobalUnlock
GlobalLock
AreFileApisANSI
GetModuleHandleW
GetCurrentPackageFullName
ParseApplicationUserModelId
GetCurrentApplicationUserModelId
VerSetConditionMask
VerifyVersionInfoW
GetSystemTimeAsFileTime
CloseHandle
CreateFileW
QueryPerformanceCounter
GetCurrentDirectoryW
RegisterApplicationRestart
FreeLibrary
GetDiskFreeSpaceExW
CreateDirectoryW
GetCommandLineW
SetLastError
ResetEvent
DeleteCriticalSection
SetCurrentDirectoryW
GlobalFree
GlobalAlloc
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
GetLocaleInfoW
GetUserDefaultUILanguage
GetLocalTime
GetDateFormatW
GetTimeFormatW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
GetStartupInfoW
IsDebuggerPresent
FormatMessageW
GetCurrentThreadId
OutputDebugStringW
LocalFree
TerminateProcess
FindNLSString
InitializeCriticalSectionAndSpinCount
IsProcessorFeaturePresent
GetFileInformationByHandleEx

user32

GetKeyboardState
GetNextDlgTabItem
SetWindowsHookExW
CallNextHookEx
GetClassNameW
GetProcessDefaultLayout
CopyRect
DrawIconEx
PostThreadMessageW
GetSysColor
SystemParametersInfoW
SetScrollInfo
GetScrollInfo
TranslateAcceleratorW
SetParent
CreateWindowExW
ClientToScreen
GetGUIThreadInfo
SendDlgItemMessageW
GetDpiForSystem
DrawTextExW
CreateDialogParamW
GetWindowTextW
GetWindowTextLengthW
IsDialogMessageW
PeekMessageW
SetProcessDefaultLayout
LoadImageW
LoadIconW
GetMonitorInfoW
GetWindowPlacement
GetSystemMenu
CharUpperW
SetWindowPlacement
BringWindowToTop
GetParent
SetRect
GetWindow
TranslateMessage
SetWindowLongW
MoveWindow
GetSystemMetrics
GetDlgItemTextW
CharNextW
ScreenToClient
GetKeyboardLayout
GetWindowLongPtrW
CreateAcceleratorTableW
DispatchMessageW
GetMessageW
GetCursorPos
MapWindowPoints
IsZoomed
GetWindowThreadProcessId
DefWindowProcW
GetFocus
GetForegroundWindow
SetWindowPos
PostQuitMessage
RedrawWindow
EndPaint
BeginPaint
KillTimer
SetTimer
GetSysColorBrush
FillRect
DestroyWindow
GetWindowLongW
SetWindowRgn
GetSystemMetricsForDpi
GetKeyState
IsChild
CloseClipboard
IsClipboardFormatAvailable
OpenClipboard
GetSubMenu
EnableMenuItem
GetMenu
SendMessageW
MonitorFromWindow
RegisterClassExW
SetWindowLongPtrW
PtInRect
GetWindowRect
MonitorFromPoint
SetThreadDpiAwarenessContext
ReleaseDC
GetDC
UpdateWindow
InvalidateRect
SetScrollPos
SetCursor
LoadCursorW
AllowSetForegroundWindow
IsWindowEnabled
IsHungAppWindow
IsWindowVisible
EnableWindow
ShowWindow
SetActiveWindow
EnumWindows
SetForegroundWindow
IsIconic
PostMessageW
GetClientRect
DestroyAcceleratorTable
DialogBoxParamW
EndDialog
GetDlgItem
SetFocus
GetDlgCtrlID
SetDlgItemTextW
SetWindowTextW
GetDpiForWindow
GetDesktopWindow

ole32

RegisterDragDrop
RevokeDragDrop
PropVariantClear
CoWaitForMultipleHandles
CoTaskMemFree
CoInitializeEx
CoUninitialize
OleUninitialize
OleInitialize
CoCreateGuid
StringFromCLSID
CoCreateFreeThreadedMarshaler
CoTaskMemAlloc
CoCreateInstance

shell32

DragQueryFileW
SHCreateItemFromParsingName
DragFinish
SHAddToRecentDocs
ShellExecuteExW
DragAcceptFiles
SHGetKnownFolderPath
ShellExecuteW

urlmon

FindMimeFromData

propsys

PropVariantToStringVectorAlloc
PSGetPropertyDescriptionListFromString

comdlg32

CommDlgExtendedError
GetFileTitleW
PageSetupDlgW
PrintDlgExW

gdi32

DeleteDC
EndDoc
AbortDoc
CreateSolidBrush
StartDocW
CreateDCW
GetStockObject
CreateRectRgn
EndPage
GetTextMetricsW
SetBkMode
StartPage
CreateDIBSection
BitBlt
SelectObject
CreateFontIndirectW
LPtoDP
SetWindowExtEx
SetViewportExtEx
SetMapMode
GetDeviceCaps
EnumFontFamiliesExW
DeleteObject
TextOutW
GetTextExtentPoint32W
CreateCompatibleDC
SetAbortProc
EnumFontsW

advapi32

GetTokenInformation
EventUnregister
EventRegister
EventSetInformation
RegOpenKeyExW
RegDeleteKeyExW
RegCreateKeyW
RegCloseKey
IsTextUnicode
RegEnumValueW
RegQueryInfoKeyW
DecryptFileW
RegQueryValueExW
DuplicateEncryptionInfoFile
EventWriteTransfer

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor

comctl32

ord413
ord410
CreateStatusWindowW

oleaut32

SysStringLen
GetErrorInfo
SetErrorInfo
SysFreeString
SysAllocString
SysAllocStringLen

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateString
WindowsCreateStringReference

crypt32

CryptBinaryToStringW
CryptStringToBinaryW

winspool.drv

ClosePrinter
GetPrinterDriverW
OpenPrinterW

dwmapi

DwmExtendFrameIntoClientArea
DwmDefWindowProc
DwmSetWindowAttribute
DwmGetWindowAttribute

uxtheme

DrawThemeTextEx
CloseThemeData
OpenThemeData
GetThemeSysFont

msvcp140

_Cnd_do_broadcast_at_thread_exit
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?fail@ios_base@std@@QEBA_NXZ
?_Throw_Cpp_error@std@@YAXH@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Mbrtowc
?is@?$ctype@_W@std@@QEBA_NF_W@Z
??1_Locinfo@std@@QEAA@XZ
??1_Lockit@std@@QEAA@XZ
_Thrd_detach
??0_Locinfo@std@@QEAA@PEBD@Z
??0_Lockit@std@@QEAA@H@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$ctype@_W@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?id@?$collate@_W@std@@2V0locale@2@A
_Wcscoll
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Xbad_alloc@std@@YAXXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?id@?$numpunct@_W@std@@2V0locale@2@A
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?exceptions@ios_base@std@@QEAAXH@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?id@?$numpunct@D@std@@2V0locale@2@A
_Mtx_unlock
?_Throw_C_error@std@@YAXH@Z
_Mtx_lock
?_Xbad_function_call@std@@YAXXZ
?uncaught_exceptions@std@@YAHXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
_Query_perf_frequency
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
_Query_perf_counter
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
_Mtx_init_in_situ
_Mtx_destroy_in_situ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z
?_Xlength_error@std@@YAXPEBD@Z
?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
_Wcsxfrm
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
_CxxThrowException
strchr
__C_specific_handler
__current_exception_context
__std_exception_destroy
__std_exception_copy
__std_terminate
__current_exception
memmove
memcpy
_purecall
wcschr

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
exit
_exit
terminate
_c_exit
_register_thread_local_exe_atexit_callback
_set_app_type
_seh_filter_exe
_invalid_parameter_noinfo_noreturn
_errno
abort
_invalid_parameter_noinfo
_cexit
_get_narrow_winmain_command_line
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_beginthreadex

api-ms-win-crt-string-l1-1-0

_wcsicmp
wcscpy_s
toupper
iswspace
wcsnlen
iswdigit

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__stdio_common_vswprintf
__p__commode
__stdio_common_vsnprintf_s
fclose
_get_stream_buffer_pointers
fputc
ungetc
fgetc
fread
fwrite
fgetpos
_fseeki64
fsetpos
setvbuf
fflush

api-ms-win-crt-heap-l1-1-0

free
calloc
_set_new_mode
realloc
malloc
_callnewh

api-ms-win-crt-math-l1-1-0

_ldclass
_dsign
ceilf
_fdclass
_fdsign
_dclass
_ldsign
__setusermatherr

api-ms-win-crt-convert-l1-1-0

wcstol

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale

Sections

.text
Size: 513KB - Virtual size: 512KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 279KB - Virtual size: 279KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 61KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

abe17200a070b65ae570b3a2411584dd

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shlwapi

kernel32

user32

ole32

shell32

urlmon

propsys

comdlg32

gdi32

advapi32

api-ms-win-shcore-scaling-l1-1-1

comctl32

oleaut32

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

crypt32

winspool.drv

dwmapi

uxtheme

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 513KB - Virtual size: 512KB

.rdata Size: 279KB - Virtual size: 279KB

.data Size: 61KB - Virtual size: 65KB

.pdata Size: 24KB - Virtual size: 23KB

.rsrc Size: 54KB - Virtual size: 54KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 513KB - Virtual size: 512KB

.rdata
Size: 279KB - Virtual size: 279KB

.data
Size: 61KB - Virtual size: 65KB

.pdata
Size: 24KB - Virtual size: 23KB

.rsrc
Size: 54KB - Virtual size: 54KB

.reloc
Size: 3KB - Virtual size: 3KB