cleanmgr[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

cleanmgr.exe
Size

292KB
MD5

4273ed5ecee9a1e7baa0262ebf6334fa
SHA1

be9f9c9b02816796063924874e8dbabf4ff5c3e1
SHA256

bc22d1ac7a12ddb061f5cd25dd61decd10c0e4f422b5721ca6b85be2785daff7
SHA512

59cd8500b579b8adfa5e731db64f4573fdce139de4cedf8eb55d03d736bd43b22d7f23ec4cde7ec078b5e8a8ab2a6ef31576e05044945c0ebc12672318c64ffc
SSDEEP

6144:+aAX55UXr8c4ZmNTzE+ohSKq99UF5hvv/:+aAX5mrLBTzy4Qn

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cleanmgr.exe

Files

cleanmgr.exe
.exe windows:10 windows x64 arch:x64

ea41beff168cae33c5af261bc77e40b5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

gdi32

GetLayout
ExtTextOutW
SetBkMode
SetTextColor
SetBkColor
GetTextExtentPoint32W

user32

GetSysColor
SetFocus
EndDialog
DialogBoxParamW
DestroyWindow
CreateDialogParamW
IsDialogMessageW
DestroyIcon
LoadIconW
GetWindowLongPtrW
EnableWindow
GetWindowLongW
GetSystemMetrics
GetClientRect
SetDlgItemTextW
GetParent
SendDlgItemMessageW
SetWindowLongPtrW
GetDlgItem
SendMessageW
SetForegroundWindow
GetWindowTextW
MessageBoxW
LoadStringW
PostMessageW
EnumWindows
DrawFocusRect
GetMessageW
DrawIconEx
ShowWindow
TranslateMessage
DispatchMessageW

msvcrt

_i64toa_s
memcpy_s
_vsnwprintf
memset
sqrt
_wcsicmp
toupper
__C_specific_handler
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
wcscmp
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter

comctl32

ImageList_Create
PropertySheetW
CreatePropertySheetPageW
ord345
ord17
ImageList_ReplaceIcon

shell32

ExtractIconExW
ShellExecuteExW
SHGetFileInfoW
ord680

shlwapi

SHDeleteKeyW
ord487
StrFormatByteSizeW
ord271
StrCmpNW
StrCmpW
StrToIntW
StrStrIW
PathStripToRootW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TerminateProcess
GetCurrentProcess
CreateThread
GetCurrentThreadId

api-ms-win-core-heap-l1-1-0

HeapFree
HeapSetInformation
HeapAlloc
GetProcessHeap

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
FreeLibrary
GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameA
GetProcAddress
GetModuleFileNameW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetLastError
GetLastError
SetUnhandledExceptionFilter
SetErrorMode

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
CreateMutexExW
ReleaseMutex
CreateSemaphoreExW
ReleaseSemaphore
WaitForSingleObject
OpenSemaphoreW
SetEvent
WaitForSingleObjectEx
AcquireSRWLockExclusive
CreateEventW

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventWriteTransfer
EventActivityIdControl
EventUnregister
EventRegister

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
CoUninitialize

api-ms-win-security-base-l1-1-0

CreateWellKnownSid
CheckTokenMembership

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetSystemTime
GetTickCount64
GetWindowsDirectoryW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-file-l1-1-0

GetDiskFreeSpaceW
GetDiskFreeSpaceExW
GetDriveTypeW
GetVolumeInformationW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
Sleep

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
RegGetValueW

oleaut32

VariantInit
SysStringLen
VariantClear

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

kernel32

CheckElevationEnabled
GetStartupInfoA
MulDiv
lstrlenW

ntdll

RtlNtStatusToDosError
NtOpenProcessToken
NtQueryInformationToken
NtClose
NtOpenThreadToken

ole32

CoInitialize

vssapi

VssFreeSnapshotPropertiesInternal
CreateVssBackupComponentsInternal

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 72KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 176KB - Virtual size: 175KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ea41beff168cae33c5af261bc77e40b5

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

msvcrt

comctl32

shell32

shlwapi

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-registry-l1-1-0

oleaut32

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

kernel32

ntdll

ole32

vssapi

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 72KB - Virtual size: 69KB

.rdata Size: 24KB - Virtual size: 23KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 2KB

.didat Size: 4KB - Virtual size: 32B

.rsrc Size: 176KB - Virtual size: 175KB

.reloc Size: 4KB - Virtual size: 156B

.text
Size: 72KB - Virtual size: 69KB

.rdata
Size: 24KB - Virtual size: 23KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 2KB

.didat
Size: 4KB - Virtual size: 32B

.rsrc
Size: 176KB - Virtual size: 175KB

.reloc
Size: 4KB - Virtual size: 156B