Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Notepaper.exe

windows7-x64

7

Notepaper.exe

windows10-2004-x64

7

新云软件.url

windows7-x64

1

新云软件.url

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notepaper.exe

  • Size

    967KB

  • MD5

    6ee27fafbaaf510fd200d0078f440316

  • SHA1

    cb2d650e87437ab509809e1198df8aad4923a84d

  • SHA256

    bc3a4682c3cfe3668f7db9080d1bc9ccf760a960bdfa280ee6647f176b2f035c

  • SHA512

    67d72b8ef006de8aa2b9648f531ef5a871326d728f4e57e3b63d2a4beb40dce6a3c3753732b45197daf3d45bd07a1553543c5732ba74246b46a17b091de9dba0

  • SSDEEP

    24576:EpnicFEkzS6jm0dBFsDL0vSaTX0U5sa3kY2+mO8u:ai2Ek7jNBWDL4ScEU513O+mO9

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Notepaper.exe
    "C:\Users\Admin\AppData\Local\Temp\Notepaper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Local\Temp\is-PJLCK.tmp\is-BHTV0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PJLCK.tmp\is-BHTV0.tmp" /SL4 $70206 "C:\Users\Admin\AppData\Local\Temp\Notepaper.exe" 758566 52224
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-PJLCK.tmp\is-BHTV0.tmp
    Filesize

    634KB

    MD5

    d291acbf9866b8846fe0629e690feb1a

    SHA1

    293314b11340d798d3c74e2416e2a43f267a25d6

    SHA256

    ab3e1fa210171e5ed2decc615c9328379ee3d29b55ee0e5d7ef6bece43f583eb

    SHA512

    320e68a67fdcf13dc25640cf68468abd9e0dc51b647f95277eebbd06c7c5ee298b1f68d4a01deb886979e42cbc3eddf16ac4db18884a96b1535598ba11ba36ed

    Download Submit

  • memory/1040-9-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/1040-13-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/3148-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3148-2-0x0000000000401000-0x000000000040A000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3148-12-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download