ScreenShot
| Created | 2023.03.22 10:16 | Machine | s1_win7_x6403 |
| Filename | csrss.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 25 detected (GenericKD, Vnvc, malicious, confidence, PEDW, Attribute, HighConfidence, high confidence, NSIS, Alien, GULOADER, YXDCUZ, Browser, ai score=86, Leonem, 6ZQNO1, Detected, Artemis, SSCE) | ||
| md5 | 6e73708e3d21f04b6f18aa31a68f582e | ||
| sha256 | c46e251d3f75d5171ef41c926444aa590b089eca868141b1abad8ec0930b506e | ||
| ssdeep | 12288:cqp+8Qve8l8AFe57GK1BoBXAPl0666xTzLSS0/K779NKKc06Kux:48Ue8l8HGK12wPl0666pF58h06Kux | ||
| imphash | e2a592076b17ef8bfb48b7e03965a3fc | ||
| impfuzzy | 48:Brdj692h5OyxYArOA8ltkz+eOxHALlla/35LFzn7+P9KQJ445EQl/KAEowSv0WbO:Brjh5txSH28dXJuKsI | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | One or more non-whitelisted processes were created |
| watch | The process powershell.exe wrote an executable file to disk |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | chm_file_format | chm file format | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x407070 SetCurrentDirectoryW
0x407074 GetFileAttributesW
0x407078 GetFullPathNameW
0x40707c Sleep
0x407080 GetTickCount
0x407084 GetFileSize
0x407088 GetModuleFileNameW
0x40708c MoveFileW
0x407090 SetFileAttributesW
0x407094 GetCurrentProcess
0x407098 ExitProcess
0x40709c SetEnvironmentVariableW
0x4070a0 GetWindowsDirectoryW
0x4070a4 GetTempPathW
0x4070a8 GetCommandLineW
0x4070ac GetVersion
0x4070b0 SetErrorMode
0x4070b4 lstrlenW
0x4070b8 WaitForSingleObject
0x4070bc CopyFileW
0x4070c0 CompareFileTime
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc GetLastError
0x4070d0 CreateDirectoryW
0x4070d4 CreateProcessW
0x4070d8 RemoveDirectoryW
0x4070dc lstrcmpiA
0x4070e0 CreateFileW
0x4070e4 GetTempFileNameW
0x4070e8 WriteFile
0x4070ec lstrcpyA
0x4070f0 lstrcpyW
0x4070f4 MoveFileExW
0x4070f8 lstrcatW
0x4070fc GetSystemDirectoryW
0x407100 GetProcAddress
0x407104 GetModuleHandleA
0x407108 GlobalFree
0x40710c GlobalAlloc
0x407110 GetShortPathNameW
0x407114 SearchPathW
0x407118 lstrcmpiW
0x40711c SetFileTime
0x407120 CloseHandle
0x407124 ExpandEnvironmentStringsW
0x407128 lstrcmpW
0x40712c GlobalUnlock
0x407130 lstrcpynW
0x407134 GetDiskFreeSpaceW
0x407138 GetExitCodeProcess
0x40713c FindFirstFileW
0x407140 FindNextFileW
0x407144 DeleteFileW
0x407148 SetFilePointer
0x40714c ReadFile
0x407150 FindClose
0x407154 MulDiv
0x407158 MultiByteToWideChar
0x40715c lstrlenA
0x407160 WideCharToMultiByte
0x407164 GetPrivateProfileStringW
0x407168 WritePrivateProfileStringW
0x40716c FreeLibrary
0x407170 LoadLibraryExW
0x407174 GetModuleHandleW
USER32.dll
0x407198 GetSystemMenu
0x40719c SetClassLongW
0x4071a0 IsWindowEnabled
0x4071a4 EnableMenuItem
0x4071a8 SetWindowPos
0x4071ac GetSysColor
0x4071b0 GetWindowLongW
0x4071b4 SetCursor
0x4071b8 LoadCursorW
0x4071bc CheckDlgButton
0x4071c0 GetMessagePos
0x4071c4 LoadBitmapW
0x4071c8 CallWindowProcW
0x4071cc IsWindowVisible
0x4071d0 CloseClipboard
0x4071d4 SetClipboardData
0x4071d8 EmptyClipboard
0x4071dc OpenClipboard
0x4071e0 wsprintfW
0x4071e4 ScreenToClient
0x4071e8 GetWindowRect
0x4071ec GetSystemMetrics
0x4071f0 SetDlgItemTextW
0x4071f4 GetDlgItemTextW
0x4071f8 MessageBoxIndirectW
0x4071fc CharPrevW
0x407200 CharNextA
0x407204 wsprintfA
0x407208 DispatchMessageW
0x40720c PeekMessageW
0x407210 GetDC
0x407214 ReleaseDC
0x407218 EnableWindow
0x40721c InvalidateRect
0x407220 SendMessageW
0x407224 DefWindowProcW
0x407228 BeginPaint
0x40722c GetClientRect
0x407230 FillRect
0x407234 EndDialog
0x407238 RegisterClassW
0x40723c SystemParametersInfoW
0x407240 CreateWindowExW
0x407244 GetClassInfoW
0x407248 DialogBoxParamW
0x40724c CharNextW
0x407250 ExitWindowsEx
0x407254 DestroyWindow
0x407258 LoadImageW
0x40725c SetTimer
0x407260 SetWindowTextW
0x407264 PostQuitMessage
0x407268 ShowWindow
0x40726c GetDlgItem
0x407270 IsWindow
0x407274 SetWindowLongW
0x407278 FindWindowExW
0x40727c TrackPopupMenu
0x407280 AppendMenuW
0x407284 CreatePopupMenu
0x407288 DrawTextW
0x40728c EndPaint
0x407290 CreateDialogParamW
0x407294 SendMessageTimeoutW
0x407298 SetForegroundWindow
GDI32.dll
0x40704c SelectObject
0x407050 SetBkMode
0x407054 CreateFontIndirectW
0x407058 SetTextColor
0x40705c DeleteObject
0x407060 GetDeviceCaps
0x407064 CreateBrushIndirect
0x407068 SetBkColor
SHELL32.dll
0x40717c SHGetSpecialFolderLocation
0x407180 SHGetPathFromIDListW
0x407184 SHBrowseForFolderW
0x407188 SHGetFileInfoW
0x40718c ShellExecuteW
0x407190 SHFileOperationW
ADVAPI32.dll
0x407000 RegDeleteKeyW
0x407004 SetFileSecurityW
0x407008 OpenProcessToken
0x40700c LookupPrivilegeValueW
0x407010 AdjustTokenPrivileges
0x407014 RegOpenKeyExW
0x407018 RegEnumValueW
0x40701c RegDeleteValueW
0x407020 RegCloseKey
0x407024 RegCreateKeyExW
0x407028 RegSetValueExW
0x40702c RegQueryValueExW
0x407030 RegEnumKeyW
COMCTL32.dll
0x407038 ImageList_AddMasked
0x40703c None
0x407040 ImageList_Destroy
0x407044 ImageList_Create
ole32.dll
0x4072a0 OleUninitialize
0x4072a4 OleInitialize
0x4072a8 CoTaskMemFree
0x4072ac CoCreateInstance
EAT(Export Address Table) is none
KERNEL32.dll
0x407070 SetCurrentDirectoryW
0x407074 GetFileAttributesW
0x407078 GetFullPathNameW
0x40707c Sleep
0x407080 GetTickCount
0x407084 GetFileSize
0x407088 GetModuleFileNameW
0x40708c MoveFileW
0x407090 SetFileAttributesW
0x407094 GetCurrentProcess
0x407098 ExitProcess
0x40709c SetEnvironmentVariableW
0x4070a0 GetWindowsDirectoryW
0x4070a4 GetTempPathW
0x4070a8 GetCommandLineW
0x4070ac GetVersion
0x4070b0 SetErrorMode
0x4070b4 lstrlenW
0x4070b8 WaitForSingleObject
0x4070bc CopyFileW
0x4070c0 CompareFileTime
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc GetLastError
0x4070d0 CreateDirectoryW
0x4070d4 CreateProcessW
0x4070d8 RemoveDirectoryW
0x4070dc lstrcmpiA
0x4070e0 CreateFileW
0x4070e4 GetTempFileNameW
0x4070e8 WriteFile
0x4070ec lstrcpyA
0x4070f0 lstrcpyW
0x4070f4 MoveFileExW
0x4070f8 lstrcatW
0x4070fc GetSystemDirectoryW
0x407100 GetProcAddress
0x407104 GetModuleHandleA
0x407108 GlobalFree
0x40710c GlobalAlloc
0x407110 GetShortPathNameW
0x407114 SearchPathW
0x407118 lstrcmpiW
0x40711c SetFileTime
0x407120 CloseHandle
0x407124 ExpandEnvironmentStringsW
0x407128 lstrcmpW
0x40712c GlobalUnlock
0x407130 lstrcpynW
0x407134 GetDiskFreeSpaceW
0x407138 GetExitCodeProcess
0x40713c FindFirstFileW
0x407140 FindNextFileW
0x407144 DeleteFileW
0x407148 SetFilePointer
0x40714c ReadFile
0x407150 FindClose
0x407154 MulDiv
0x407158 MultiByteToWideChar
0x40715c lstrlenA
0x407160 WideCharToMultiByte
0x407164 GetPrivateProfileStringW
0x407168 WritePrivateProfileStringW
0x40716c FreeLibrary
0x407170 LoadLibraryExW
0x407174 GetModuleHandleW
USER32.dll
0x407198 GetSystemMenu
0x40719c SetClassLongW
0x4071a0 IsWindowEnabled
0x4071a4 EnableMenuItem
0x4071a8 SetWindowPos
0x4071ac GetSysColor
0x4071b0 GetWindowLongW
0x4071b4 SetCursor
0x4071b8 LoadCursorW
0x4071bc CheckDlgButton
0x4071c0 GetMessagePos
0x4071c4 LoadBitmapW
0x4071c8 CallWindowProcW
0x4071cc IsWindowVisible
0x4071d0 CloseClipboard
0x4071d4 SetClipboardData
0x4071d8 EmptyClipboard
0x4071dc OpenClipboard
0x4071e0 wsprintfW
0x4071e4 ScreenToClient
0x4071e8 GetWindowRect
0x4071ec GetSystemMetrics
0x4071f0 SetDlgItemTextW
0x4071f4 GetDlgItemTextW
0x4071f8 MessageBoxIndirectW
0x4071fc CharPrevW
0x407200 CharNextA
0x407204 wsprintfA
0x407208 DispatchMessageW
0x40720c PeekMessageW
0x407210 GetDC
0x407214 ReleaseDC
0x407218 EnableWindow
0x40721c InvalidateRect
0x407220 SendMessageW
0x407224 DefWindowProcW
0x407228 BeginPaint
0x40722c GetClientRect
0x407230 FillRect
0x407234 EndDialog
0x407238 RegisterClassW
0x40723c SystemParametersInfoW
0x407240 CreateWindowExW
0x407244 GetClassInfoW
0x407248 DialogBoxParamW
0x40724c CharNextW
0x407250 ExitWindowsEx
0x407254 DestroyWindow
0x407258 LoadImageW
0x40725c SetTimer
0x407260 SetWindowTextW
0x407264 PostQuitMessage
0x407268 ShowWindow
0x40726c GetDlgItem
0x407270 IsWindow
0x407274 SetWindowLongW
0x407278 FindWindowExW
0x40727c TrackPopupMenu
0x407280 AppendMenuW
0x407284 CreatePopupMenu
0x407288 DrawTextW
0x40728c EndPaint
0x407290 CreateDialogParamW
0x407294 SendMessageTimeoutW
0x407298 SetForegroundWindow
GDI32.dll
0x40704c SelectObject
0x407050 SetBkMode
0x407054 CreateFontIndirectW
0x407058 SetTextColor
0x40705c DeleteObject
0x407060 GetDeviceCaps
0x407064 CreateBrushIndirect
0x407068 SetBkColor
SHELL32.dll
0x40717c SHGetSpecialFolderLocation
0x407180 SHGetPathFromIDListW
0x407184 SHBrowseForFolderW
0x407188 SHGetFileInfoW
0x40718c ShellExecuteW
0x407190 SHFileOperationW
ADVAPI32.dll
0x407000 RegDeleteKeyW
0x407004 SetFileSecurityW
0x407008 OpenProcessToken
0x40700c LookupPrivilegeValueW
0x407010 AdjustTokenPrivileges
0x407014 RegOpenKeyExW
0x407018 RegEnumValueW
0x40701c RegDeleteValueW
0x407020 RegCloseKey
0x407024 RegCreateKeyExW
0x407028 RegSetValueExW
0x40702c RegQueryValueExW
0x407030 RegEnumKeyW
COMCTL32.dll
0x407038 ImageList_AddMasked
0x40703c None
0x407040 ImageList_Destroy
0x407044 ImageList_Create
ole32.dll
0x4072a0 OleUninitialize
0x4072a4 OleInitialize
0x4072a8 CoTaskMemFree
0x4072ac CoCreateInstance
EAT(Export Address Table) is none