Windows Analysis Report
NOTEPAD.EXE.exe

Overview

General Information

Sample name: NOTEPAD.EXE.exe
Analysis ID: 1433164
MD5: 45388b2204e71b3157d016e98faebe68
SHA1: 993aba7a0a4ed533756550f108742ca475dc5e0a
SHA256: 692ceb419276b70440c833672cb42c820e68adbd552a73f3ebb8176cb1a66162
Tags: exeHUN

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Detected potential crypto function
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • NOTEPAD.EXE.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\NOTEPAD.EXE.exe" MD5: 45388B2204E71B3157D016E98FAEBE68)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: NOTEPAD.EXE.exe | Avira: detected
Source: NOTEPAD.EXE.exe | ReversingLabs: Detection: 31%
Source: NOTEPAD.EXE.exe | Virustotal: Detection: 28%
Source: NOTEPAD.EXE.exe | Joe Sandbox ML: detected
Source: NOTEPAD.EXE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\NOTEPAD.EXE.exe | Code function: 0_2_0043839F
Source: NOTEPAD.EXE.exe, 00000000.00000000.2056624774.0000000000439000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNOTEPAD.EXEj% vs NOTEPAD.EXE.exe
Source: NOTEPAD.EXE.exe | Binary or memory string: OriginalFilenameNOTEPAD.EXEj% vs NOTEPAD.EXE.exe
Source: NOTEPAD.EXE.exe | Static PE information: Section: .MPRESS1 ZLIB complexity 0.997802734375
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
Source: initial sample | Static PE information: section where entry point is pointing to: .MPRESS2
Source: NOTEPAD.EXE.exe | Static PE information: section name: .MPRESS1
Source: NOTEPAD.EXE.exe | Static PE information: section name: .MPRESS2
Source: NOTEPAD.EXE.exe | Static PE information: section name: .MPRESS1 entropy: 7.995353805960629
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
ATT&CK matrix (numbers in parentheses are the count of matched signatures for that technique):

Tactic                  | Techniques
Reconnaissance          | Gather Victim Identity Information; Credentials
Resource Development    | Acquire Infrastructure; Domains
Initial Access          | Valid Accounts; Default Accounts
Execution               | Windows Management Instrumentation; Scheduled Task/Job
Persistence             | Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation    | Path Interception; Boot or Logon Initialization Scripts
Defense Evasion         | Software Packing (2); Obfuscated Files or Information (1)
Credential Access       | OS Credential Dumping; LSASS Memory
Discovery               | System Service Discovery; Application Window Discovery
Lateral Movement        | Remote Services; Remote Desktop Protocol
Collection              | Archive Collected Data (1); Data from Removable Media
Command and Control     | Encrypted Channel (1); Junk Data
Exfiltration            | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact                  | Abuse Accessibility Features; Network Denial of Service
Source          | Detection | Scanner        | Label
NOTEPAD.EXE.exe | 32%       | ReversingLabs  | Win32.Trojan.Generic
NOTEPAD.EXE.exe | 29%       | Virustotal     |
NOTEPAD.EXE.exe | 100%      | Avira          | TR/Patched.Gen
NOTEPAD.EXE.exe | 100%      | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1433164
Start date and time: 2024-04-29 10:18:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NOTEPAD.EXE.exe
Detection: MAL
Classification: mal60.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target NOTEPAD.EXE.exe, PID 7012 because there are no executed function
No simulations
No context
No created / dropped files found
File type: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit): 7.583937304270139
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: NOTEPAD.EXE.exe
File size: 155'136 bytes
MD5: 45388b2204e71b3157d016e98faebe68
SHA1: 993aba7a0a4ed533756550f108742ca475dc5e0a
SHA256: 692ceb419276b70440c833672cb42c820e68adbd552a73f3ebb8176cb1a66162
SHA512: e0288d44573fe3f14999c678b4e651527250ea61029ffdb78300902567160fac8f994d651d0615566ce863313a315b74207eaaf4596d343fd31f8cace9275761
SSDEEP: 3072:0YO1yZKuY7NVyhKCL3LiLacOLQf7nDVF6PUp1YoFkCC40:0YOyODyhKCfZc8QfzDVl7LC4
TLSH: 43E30281F5445C46EC5D19304A12E6EF0E84BCA6CA21DA6B73CCB27FDE3661A4E473C9
File Content Preview: MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....DPT.................`...................p....@..........................0......%......................................................................................................
Icon Hash: 0e7b795959494f3e
Entrypoint: 0x4382cc
Entrypoint Section: .MPRESS2
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x545044DE [Wed Oct 29 01:37:34 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 3
File Version Major: 6
File Version Minor: 3
Subsystem Version Major: 6
Subsystem Version Minor: 3
Import Hash: 608038557a7674ca37a7aac15f1d44dd
Instruction
pushad
call 00007F562CDE2055h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007F562CDE2048h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007F562CDE20B3h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007F562CDE2078h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007F562CDE2044h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007F562CDE2058h
cmp eax, edx
jnc 00007F562CDE2037h
jmp 00007F562CDE2058h
add eax, ebx
js 00007F562CDE2031h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007F562CDE2028h
call 00007F562CDE2055h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007F562CDE2055h
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x38000         | 0x2cc        | .MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x39000         | 0x19ae0      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x38118         | 0x68         | .MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity | File Type | Entropy           | Characteristics
.MPRESS1 | 0x1000          | 0x37000      | 0xb000   | 7f3b00f174a70064a73802377695b437 | False    | 0.997802734375  | data      | 7.995353805960629 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2 | 0x38000         | 0xe36        | 0x1000   | 92ee1348d3c0dfa7ca8a27a65b0b5622 | False    | 0.5126953125    | data      | 5.549510210661049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x39000         | 0x19ae0      | 0x19c00  | 76adc57ed979bf0e580dacfff8b80e45 | False    | 0.8515625       | data      | 7.37143471123181  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name          | RVA     | Size    | Type                                                                              | Language | Country       | ZLIB Complexity
MUI           | 0x39080 | 0xe8    | data                                                                              | English  | United States | 0.5258620689655172
RT_ICON       | 0x39208 | 0x668   | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                   | English  | United States | 0.3670731707317073
RT_ICON       | 0x39898 | 0x2e8   | Device independent bitmap graphic, 32 x 64 x 4, image size 512                    | English  | United States | 0.45698924731182794
RT_ICON       | 0x39ba8 | 0x1e8   | Device independent bitmap graphic, 24 x 48 x 4, image size 288                    | English  | United States | 0.5122950819672131
RT_ICON       | 0x39db8 | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 128                    | English  | United States | 0.5168918918918919
RT_ICON       | 0x39f08 | 0xea8   | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English  | United States | 0.6010127931769723
RT_ICON       | 0x3add8 | 0x8a8   | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English  | United States | 0.7373646209386282
RT_ICON       | 0x3b6a8 | 0x6c8   | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors  | English  | United States | 0.7523041474654378
RT_ICON       | 0x3bd98 | 0x568   | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  | English  | United States | 0.4270231213872832
RT_ICON       | 0x3c328 | 0x11958 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                       | English  | United States | 0.9920720870820837
RT_ICON       | 0x4dca8 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                  | English  | United States | 0.5015560165975104
RT_ICON       | 0x50278 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                  | English  | United States | 0.6085834896810507
RT_ICON       | 0x51348 | 0x988   | Device independent bitmap graphic, 24 x 48 x 32, image size 2400                  | English  | United States | 0.6733606557377049
RT_ICON       | 0x51cf8 | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                  | English  | United States | 0.599290780141844
RT_GROUP_ICON | 0x521a0 | 0xbc    | data                                                                              | English  | United States | 0.6223404255319149
RT_VERSION    | 0x5229c | 0x370   | data                                                                              | English  | United States | 0.47954545454545455
RT_MANIFEST   | 0x5264c | 0x492   | XML 1.0 document, ASCII text, with CRLF line terminators                          | English  | United States | 0.43504273504273505
DLL          | Import
KERNEL32.DLL | GetModuleHandleA, GetProcAddress
ADVAPI32.dll | RegCloseKey
GDI32.dll    | EndDoc
USER32.dll   | GetDC
msvcrt.dll   | exit
COMDLG32.dll | FindTextW
SHELL32.dll  | DragFinish
WINSPOOL.DRV | ClosePrinter
ole32.dll    | CoTaskMemFree
SHLWAPI.dll  | SHStrDupW
COMCTL32.dll |
OLEAUT32.dll | SysFreeString
ntdll.dll    | WinSqmAddToStream

Language of compilation system | Country where language is spoken
English                        | United States
No network behavior found

Target ID: 0
Start time: 10:18:48
Start date: 29/04/2024
Path: C:\Users\user\Desktop\NOTEPAD.EXE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\NOTEPAD.EXE.exe"
Imagebase: 0x400000
File size: 155'136 bytes
MD5 hash: 45388B2204E71B3157D016E98FAEBE68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

    Memory Dump Source
    • Source File: 00000000.00000002.3319494627.0000000000438000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3319457453.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3319471712.0000000000401000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3319508985.0000000000439000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_NOTEPAD.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 661f8dc1abccfe97b5e643cefb8d9ec9f9f07c15d965e7528ef90cccb633838c
    • Instruction ID: ea3026683e71749b4f0ad07f0b5450e819abd0dbab1dd3a7431c8e92f58a3446
    • Opcode Fuzzy Hash: 661f8dc1abccfe97b5e643cefb8d9ec9f9f07c15d965e7528ef90cccb633838c
    • Instruction Fuzzy Hash: 9D629A312083558FD324DF28C48026AFBE1FF99384F155A2EF9A58B391EB35D949CB46
    Uniqueness

    Uniqueness Score: -1.00%