popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

cleanmgrs.exe

NSIS UPX Malicious Library GIF Format PE64 .NET DLL PNG Format PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us June 8, 2023, 11:05 a.m. June 8, 2023, 11:07 a.m.
Size 770.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 5acd030fa8d6773c21b19a4468727d05
SHA256 8ef00db9712f487dc2bd4329378cb38ba2d1706284658e5e77602cb180ca82d7
CRC32 269D44FD
ssdeep 12288:dgQ44tKnoQYrBCa/00lz/GVQ5pYkEwe+58Ym503sHr:d0CKoQUMa/rl7DVms8YmuM
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10004000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10004000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 296
region_size: 19742720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x039f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000049c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsgC188.tmp\System.dll
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Vintertid.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Karyoschisis\Dragering\Perlingual\CLI_Wrapper_ScenarioProfile.dll
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Vintertid.lnk
file C:\Users\test22\AppData\Local\Temp\nsgC188.tmp\System.dll
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Elastic malicious (high confidence)
Kaspersky UDS:DangerousObject.Multi.Generic
FireEye Generic.mg.5acd030fa8d6773c
Ikarus Trojan.NSIS.Agent
ZoneAlarm UDS:DangerousObject.Multi.Generic
Google Detected
CrowdStrike win/malicious_confidence_70% (D)
Time & API Arguments Status Return Repeated

RegOpenKeyExW

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Crc32
base_handle: 0x80000001
key_handle: 0x0000001c
options: 0
access: 0x00020019
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Crc32
1 0 0