ScreenShot
| Created | 2023.06.11 21:42 | Machine | s1_win7_x6403 |
| Filename | cleanmgr.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 54 detected (AIDetectMalware, malicious, high confidence, RedLineNET, GenericKD, Zusy, Artemis, Save, Androm, Kryptik, Eldorado, Attribute, HighConfidence, HTTN, score, TrojanX, Obfuscated, LokiBot, aexex, R053C0DFA23, high, Static AI, Suspicious PE, ai score=89, Windigo, STOP, Vidar, 2KQA3C, Detected, Ransomware, StopCrypt, R585441, unsafe, GdSda, 3em0bm0IHpR, susgen, confidence, 100%) | ||
| md5 | 3315bdebdc17d6688165fd98c0c5209c | ||
| sha256 | 5fc4a212a633dfb96b0e8150b822599ce2e49d63f016a8af9ca76870e38f7513 | ||
| ssdeep | 3072:QnIMJUNJ1Nz/OExSRIlsxCK0wKtHk0fg8DpdfF6akV95XR0s27HmJt:1MJO1Nz/OUVsxtoE0fgyAaK95XmmJ | ||
| imphash | af40ca862bb560756a6239b041d2950a | ||
| impfuzzy | 48:DFftTyWi2dApbNbpyXqORYh/15OGtBcK9jtlcqSU5:neWi6YbNtyXq9h/7TBcQjtlcqSU5 | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40100c SetMailslotInfo
0x401010 GetLogicalDriveStringsW
0x401014 WritePrivateProfileSectionA
0x401018 FreeEnvironmentStringsA
0x40101c GetProcessPriorityBoost
0x401020 GetTickCount
0x401024 EnumCalendarInfoExW
0x401028 WaitNamedPipeW
0x40102c EnumTimeFormatsW
0x401030 GetVolumePathNameW
0x401034 GetPrivateProfileIntA
0x401038 GetSystemPowerStatus
0x40103c GetCalendarInfoA
0x401040 GetProcessHandleCount
0x401044 GetConsoleAliasExesLengthW
0x401048 LeaveCriticalSection
0x40104c GetFileAttributesW
0x401050 GetModuleFileNameW
0x401054 GetShortPathNameA
0x401058 DeleteFiber
0x40105c GetProcAddress
0x401060 MoveFileW
0x401064 SetComputerNameA
0x401068 SearchPathA
0x40106c GetDiskFreeSpaceW
0x401070 InterlockedIncrement
0x401074 LoadLibraryA
0x401078 InterlockedExchangeAdd
0x40107c LocalAlloc
0x401080 DeleteTimerQueue
0x401084 SetCalendarInfoW
0x401088 MoveFileA
0x40108c BuildCommDCBAndTimeoutsW
0x401090 FindFirstVolumeMountPointW
0x401094 IsSystemResumeAutomatic
0x401098 OpenJobObjectW
0x40109c GetPrivateProfileStructA
0x4010a0 FindFirstVolumeMountPointA
0x4010a4 EnumDateFormatsA
0x4010a8 GetModuleHandleA
0x4010ac CreateMutexA
0x4010b0 FindNextFileW
0x4010b4 GetConsoleTitleW
0x4010b8 EnumDateFormatsW
0x4010bc CompareStringA
0x4010c0 GetShortPathNameW
0x4010c4 SetThreadAffinityMask
0x4010c8 SetFileShortNameA
0x4010cc FindAtomW
0x4010d0 GetVolumeNameForVolumeMountPointW
0x4010d4 DeleteFileW
0x4010d8 EnumSystemLocalesW
0x4010dc AreFileApisANSI
0x4010e0 GetDriveTypeW
0x4010e4 OpenWaitableTimerA
0x4010e8 GetStringTypeA
0x4010ec GetLastError
0x4010f0 HeapFree
0x4010f4 DeleteFileA
0x4010f8 WideCharToMultiByte
0x4010fc HeapReAlloc
0x401100 GetCommandLineA
0x401104 HeapSetInformation
0x401108 GetStartupInfoW
0x40110c RaiseException
0x401110 HeapAlloc
0x401114 IsProcessorFeaturePresent
0x401118 HeapCreate
0x40111c EnterCriticalSection
0x401120 SetFilePointer
0x401124 SetHandleCount
0x401128 GetStdHandle
0x40112c InitializeCriticalSectionAndSpinCount
0x401130 GetFileType
0x401134 DeleteCriticalSection
0x401138 UnhandledExceptionFilter
0x40113c SetUnhandledExceptionFilter
0x401140 IsDebuggerPresent
0x401144 EncodePointer
0x401148 DecodePointer
0x40114c TerminateProcess
0x401150 GetCurrentProcess
0x401154 GetCPInfo
0x401158 InterlockedDecrement
0x40115c GetACP
0x401160 GetOEMCP
0x401164 IsValidCodePage
0x401168 TlsAlloc
0x40116c TlsGetValue
0x401170 TlsSetValue
0x401174 TlsFree
0x401178 GetModuleHandleW
0x40117c SetLastError
0x401180 GetCurrentThreadId
0x401184 ExitProcess
0x401188 WriteFile
0x40118c GetModuleFileNameA
0x401190 FreeEnvironmentStringsW
0x401194 GetEnvironmentStringsW
0x401198 QueryPerformanceCounter
0x40119c GetCurrentProcessId
0x4011a0 GetSystemTimeAsFileTime
0x4011a4 Sleep
0x4011a8 SetStdHandle
0x4011ac GetConsoleCP
0x4011b0 GetConsoleMode
0x4011b4 FlushFileBuffers
0x4011b8 RtlUnwind
0x4011bc LCMapStringW
0x4011c0 MultiByteToWideChar
0x4011c4 GetStringTypeW
0x4011c8 HeapSize
0x4011cc LoadLibraryW
0x4011d0 WriteConsoleW
0x4011d4 CloseHandle
0x4011d8 CreateFileW
GDI32.dll
0x401000 GetCharABCWidthsW
0x401004 SelectObject
EAT(Export Address Table) is none
KERNEL32.dll
0x40100c SetMailslotInfo
0x401010 GetLogicalDriveStringsW
0x401014 WritePrivateProfileSectionA
0x401018 FreeEnvironmentStringsA
0x40101c GetProcessPriorityBoost
0x401020 GetTickCount
0x401024 EnumCalendarInfoExW
0x401028 WaitNamedPipeW
0x40102c EnumTimeFormatsW
0x401030 GetVolumePathNameW
0x401034 GetPrivateProfileIntA
0x401038 GetSystemPowerStatus
0x40103c GetCalendarInfoA
0x401040 GetProcessHandleCount
0x401044 GetConsoleAliasExesLengthW
0x401048 LeaveCriticalSection
0x40104c GetFileAttributesW
0x401050 GetModuleFileNameW
0x401054 GetShortPathNameA
0x401058 DeleteFiber
0x40105c GetProcAddress
0x401060 MoveFileW
0x401064 SetComputerNameA
0x401068 SearchPathA
0x40106c GetDiskFreeSpaceW
0x401070 InterlockedIncrement
0x401074 LoadLibraryA
0x401078 InterlockedExchangeAdd
0x40107c LocalAlloc
0x401080 DeleteTimerQueue
0x401084 SetCalendarInfoW
0x401088 MoveFileA
0x40108c BuildCommDCBAndTimeoutsW
0x401090 FindFirstVolumeMountPointW
0x401094 IsSystemResumeAutomatic
0x401098 OpenJobObjectW
0x40109c GetPrivateProfileStructA
0x4010a0 FindFirstVolumeMountPointA
0x4010a4 EnumDateFormatsA
0x4010a8 GetModuleHandleA
0x4010ac CreateMutexA
0x4010b0 FindNextFileW
0x4010b4 GetConsoleTitleW
0x4010b8 EnumDateFormatsW
0x4010bc CompareStringA
0x4010c0 GetShortPathNameW
0x4010c4 SetThreadAffinityMask
0x4010c8 SetFileShortNameA
0x4010cc FindAtomW
0x4010d0 GetVolumeNameForVolumeMountPointW
0x4010d4 DeleteFileW
0x4010d8 EnumSystemLocalesW
0x4010dc AreFileApisANSI
0x4010e0 GetDriveTypeW
0x4010e4 OpenWaitableTimerA
0x4010e8 GetStringTypeA
0x4010ec GetLastError
0x4010f0 HeapFree
0x4010f4 DeleteFileA
0x4010f8 WideCharToMultiByte
0x4010fc HeapReAlloc
0x401100 GetCommandLineA
0x401104 HeapSetInformation
0x401108 GetStartupInfoW
0x40110c RaiseException
0x401110 HeapAlloc
0x401114 IsProcessorFeaturePresent
0x401118 HeapCreate
0x40111c EnterCriticalSection
0x401120 SetFilePointer
0x401124 SetHandleCount
0x401128 GetStdHandle
0x40112c InitializeCriticalSectionAndSpinCount
0x401130 GetFileType
0x401134 DeleteCriticalSection
0x401138 UnhandledExceptionFilter
0x40113c SetUnhandledExceptionFilter
0x401140 IsDebuggerPresent
0x401144 EncodePointer
0x401148 DecodePointer
0x40114c TerminateProcess
0x401150 GetCurrentProcess
0x401154 GetCPInfo
0x401158 InterlockedDecrement
0x40115c GetACP
0x401160 GetOEMCP
0x401164 IsValidCodePage
0x401168 TlsAlloc
0x40116c TlsGetValue
0x401170 TlsSetValue
0x401174 TlsFree
0x401178 GetModuleHandleW
0x40117c SetLastError
0x401180 GetCurrentThreadId
0x401184 ExitProcess
0x401188 WriteFile
0x40118c GetModuleFileNameA
0x401190 FreeEnvironmentStringsW
0x401194 GetEnvironmentStringsW
0x401198 QueryPerformanceCounter
0x40119c GetCurrentProcessId
0x4011a0 GetSystemTimeAsFileTime
0x4011a4 Sleep
0x4011a8 SetStdHandle
0x4011ac GetConsoleCP
0x4011b0 GetConsoleMode
0x4011b4 FlushFileBuffers
0x4011b8 RtlUnwind
0x4011bc LCMapStringW
0x4011c0 MultiByteToWideChar
0x4011c4 GetStringTypeW
0x4011c8 HeapSize
0x4011cc LoadLibraryW
0x4011d0 WriteConsoleW
0x4011d4 CloseHandle
0x4011d8 CreateFileW
GDI32.dll
0x401000 GetCharABCWidthsW
0x401004 SelectObject
EAT(Export Address Table) is none