Windows
Analysis Report
NOTEPAD.EXE.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- NOTEPAD.EXE.exe (PID: 7012 cmdline:
"C:\Users\ user\Deskt op\NOTEPAD .EXE.exe" MD5: 45388B2204E71B3157D016E98FAEBE68)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0043839F |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 2 Software Packing | OS Credential Dumping | System Service Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | ReversingLabs | Win32.Trojan.Generic | ||
29% | Virustotal | Browse | ||
100% | Avira | TR/Patched.Gen | ||
100% | Joe Sandbox ML |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1433164 |
Start date and time: | 2024-04-29 10:18:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | NOTEPAD.EXE.exe |
Detection: | MAL |
Classification: | mal60.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target NOTEPAD.EXE.exe, PID 7012 because there are no executed function
File type: | |
Entropy (8bit): | 7.583937304270139 |
TrID: |
|
File name: | NOTEPAD.EXE.exe |
File size: | 155'136 bytes |
MD5: | 45388b2204e71b3157d016e98faebe68 |
SHA1: | 993aba7a0a4ed533756550f108742ca475dc5e0a |
SHA256: | 692ceb419276b70440c833672cb42c820e68adbd552a73f3ebb8176cb1a66162 |
SHA512: | e0288d44573fe3f14999c678b4e651527250ea61029ffdb78300902567160fac8f994d651d0615566ce863313a315b74207eaaf4596d343fd31f8cace9275761 |
SSDEEP: | 3072:0YO1yZKuY7NVyhKCL3LiLacOLQf7nDVF6PUp1YoFkCC40:0YOyODyhKCfZc8QfzDVl7LC4 |
TLSH: | 43E30281F5445C46EC5D19304A12E6EF0E84BCA6CA21DA6B73CCB27FDE3661A4E473C9 |
File Content Preview: | MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....DPT.................`...................p....@..........................0......%...................................................................................................... |
Icon Hash: | 0e7b795959494f3e |
Entrypoint: | 0x4382cc |
Entrypoint Section: | .MPRESS2 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x545044DE [Wed Oct 29 01:37:34 2014 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 3 |
File Version Major: | 6 |
File Version Minor: | 3 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 3 |
Import Hash: | 608038557a7674ca37a7aac15f1d44dd |
Instruction |
---|
pushad |
call 00007F562CDE2055h |
pop eax |
add eax, 00000B5Ah |
mov esi, dword ptr [eax] |
add esi, eax |
sub eax, eax |
mov edi, esi |
lodsw |
shl eax, 0Ch |
mov ecx, eax |
push eax |
lodsd |
sub ecx, eax |
add esi, ecx |
mov ecx, eax |
push edi |
push ecx |
dec ecx |
mov al, byte ptr [ecx+edi+06h] |
mov byte ptr [ecx+esi], al |
jne 00007F562CDE2048h |
sub eax, eax |
lodsb |
mov ecx, eax |
and cl, FFFFFFF0h |
and al, 0Fh |
shl ecx, 0Ch |
mov ch, al |
lodsb |
or ecx, eax |
push ecx |
add cl, ch |
mov ebp, FFFFFD00h |
shl ebp, cl |
pop ecx |
pop eax |
mov ebx, esp |
lea esp, dword ptr [esp+ebp*2-00000E70h] |
push ecx |
sub ecx, ecx |
push ecx |
push ecx |
mov ecx, esp |
push ecx |
mov dx, word ptr [edi] |
shl edx, 0Ch |
push edx |
push edi |
add ecx, 04h |
push ecx |
push eax |
add ecx, 04h |
push esi |
push ecx |
call 00007F562CDE20B3h |
mov esp, ebx |
pop esi |
pop edx |
sub eax, eax |
mov dword ptr [edx+esi], eax |
mov ah, 10h |
sub edx, eax |
sub ecx, ecx |
cmp ecx, edx |
jnc 00007F562CDE2078h |
mov ebx, ecx |
lodsb |
inc ecx |
and al, FEh |
cmp al, E8h |
jne 00007F562CDE2044h |
inc ebx |
add ecx, 04h |
lodsd |
or eax, eax |
js 00007F562CDE2058h |
cmp eax, edx |
jnc 00007F562CDE2037h |
jmp 00007F562CDE2058h |
add eax, ebx |
js 00007F562CDE2031h |
add eax, edx |
sub eax, ebx |
mov dword ptr [esi-04h], eax |
jmp 00007F562CDE2028h |
call 00007F562CDE2055h |
pop edi |
add edi, FFFFFF4Dh |
mov al, E9h |
stosb |
mov eax, 00000B56h |
stosd |
call 00007F562CDE2055h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38000 | 0x2cc | .MPRESS2 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x39000 | 0x19ae0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x38118 | 0x68 | .MPRESS2 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.MPRESS1 | 0x1000 | 0x37000 | 0xb000 | 7f3b00f174a70064a73802377695b437 | False | 0.997802734375 | data | 7.995353805960629 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.MPRESS2 | 0x38000 | 0xe36 | 0x1000 | 92ee1348d3c0dfa7ca8a27a65b0b5622 | False | 0.5126953125 | data | 5.549510210661049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x39000 | 0x19ae0 | 0x19c00 | 76adc57ed979bf0e580dacfff8b80e45 | False | 0.8515625 | data | 7.37143471123181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
MUI | 0x39080 | 0xe8 | data | English | United States | 0.5258620689655172 |
RT_ICON | 0x39208 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3670731707317073 |
RT_ICON | 0x39898 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.45698924731182794 |
RT_ICON | 0x39ba8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.5122950819672131 |
RT_ICON | 0x39db8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5168918918918919 |
RT_ICON | 0x39f08 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6010127931769723 |
RT_ICON | 0x3add8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7373646209386282 |
RT_ICON | 0x3b6a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.7523041474654378 |
RT_ICON | 0x3bd98 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4270231213872832 |
RT_ICON | 0x3c328 | 0x11958 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9920720870820837 |
RT_ICON | 0x4dca8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5015560165975104 |
RT_ICON | 0x50278 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6085834896810507 |
RT_ICON | 0x51348 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6733606557377049 |
RT_ICON | 0x51cf8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.599290780141844 |
RT_GROUP_ICON | 0x521a0 | 0xbc | data | English | United States | 0.6223404255319149 |
RT_VERSION | 0x5229c | 0x370 | data | English | United States | 0.47954545454545455 |
RT_MANIFEST | 0x5264c | 0x492 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.43504273504273505 |
DLL | Import |
---|---|
KERNEL32.DLL | GetModuleHandleA, GetProcAddress |
ADVAPI32.dll | RegCloseKey |
GDI32.dll | EndDoc |
USER32.dll | GetDC |
msvcrt.dll | exit |
COMDLG32.dll | FindTextW |
SHELL32.dll | DragFinish |
WINSPOOL.DRV | ClosePrinter |
ole32.dll | CoTaskMemFree |
SHLWAPI.dll | SHStrDupW |
COMCTL32.dll | |
OLEAUT32.dll | SysFreeString |
ntdll.dll | WinSqmAddToStream |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 10:18:48 |
Start date: | 29/04/2024 |
Path: | C:\Users\user\Desktop\NOTEPAD.EXE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 155'136 bytes |
MD5 hash: | 45388B2204E71B3157D016E98FAEBE68 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Function 0043839F Relevance: .8, Instructions: 751COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |