Report - csrssfs.exe

UPX Malicious Library MZP Format PE File PE32
Created 2023.07.17 16:39 Machine s1_win7_x6403
Filename csrssfs.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
2.2
ZERO API file : malicious
VT API (file) 16 detected (AIDetectMalware, malicious, high confidence, Artemis, Save, confidence, Attribute, HighConfidence, score, Banload, Detected, Static AI, Suspicious PE, susgen, ModiLoader)
md5 4b26c5d77671cf27c5985bc4435f8c44
sha256 3afa4d43deae2aad0375c5a5075bf49f28a35aa85b811807419a38ad3e63d389
ssdeep 12288:exndS6phb/cci16UFHRT+fv8ASQYmnwxIRP0OHLaChB:e1pZ/e6U7q3yLmnwKB0OPh
imphash 2088f91fe222df3acca5910bde40b5f3
impfuzzy 192:f340d1QBbuuSrSUvK9RSooqE6pCPbOQvI:f3j1sSA9zkPbOQw

Signature (6cnts)

Level Description
watch File has been identified by 16 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice The binary likely contains encrypted or compressed data indicative of a packer
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?


Suricata ids

PE API

IAT (Import Address Table) Library

kernel32.dll
 0x49a1b8 DeleteCriticalSection
 0x49a1bc LeaveCriticalSection
 0x49a1c0 EnterCriticalSection
 0x49a1c4 InitializeCriticalSection
 0x49a1c8 VirtualFree
 0x49a1cc VirtualAlloc
 0x49a1d0 LocalFree
 0x49a1d4 LocalAlloc
 0x49a1d8 GetVersion
 0x49a1dc GetCurrentThreadId
 0x49a1e0 InterlockedDecrement
 0x49a1e4 InterlockedIncrement
 0x49a1e8 VirtualQuery
 0x49a1ec WideCharToMultiByte
 0x49a1f0 MultiByteToWideChar
 0x49a1f4 lstrlenA
 0x49a1f8 lstrcpynA
 0x49a1fc LoadLibraryExA
 0x49a200 GetThreadLocale
 0x49a204 GetStartupInfoA
 0x49a208 GetProcAddress
 0x49a20c GetModuleHandleA
 0x49a210 GetModuleFileNameA
 0x49a214 GetLocaleInfoA
 0x49a218 GetCommandLineA
 0x49a21c FreeLibrary
 0x49a220 FindFirstFileA
 0x49a224 FindClose
 0x49a228 ExitProcess
 0x49a22c WriteFile
 0x49a230 UnhandledExceptionFilter
 0x49a234 RtlUnwind
 0x49a238 RaiseException
 0x49a23c GetStdHandle
user32.dll
 0x49a244 GetKeyboardType
 0x49a248 LoadStringA
 0x49a24c MessageBoxA
 0x49a250 CharNextA
advapi32.dll
 0x49a258 RegQueryValueExA
 0x49a25c RegOpenKeyExA
 0x49a260 RegCloseKey
oleaut32.dll
 0x49a268 SysFreeString
 0x49a26c SysReAllocStringLen
 0x49a270 SysAllocStringLen
kernel32.dll
 0x49a278 TlsSetValue
 0x49a27c TlsGetValue
 0x49a280 LocalAlloc
 0x49a284 GetModuleHandleA
advapi32.dll
 0x49a28c RegQueryValueExA
 0x49a290 RegOpenKeyExA
 0x49a294 RegCloseKey
kernel32.dll
 0x49a29c lstrcpyA
 0x49a2a0 WriteFile
 0x49a2a4 WaitForSingleObject
 0x49a2a8 VirtualQuery
 0x49a2ac VirtualProtect
 0x49a2b0 VirtualAlloc
 0x49a2b4 Sleep
 0x49a2b8 SizeofResource
 0x49a2bc SetThreadLocale
 0x49a2c0 SetFilePointer
 0x49a2c4 SetEvent
 0x49a2c8 SetErrorMode
 0x49a2cc SetEndOfFile
 0x49a2d0 ResetEvent
 0x49a2d4 ReadFile
 0x49a2d8 MultiByteToWideChar
 0x49a2dc MulDiv
 0x49a2e0 LockResource
 0x49a2e4 LoadResource
 0x49a2e8 LoadLibraryExA
 0x49a2ec LoadLibraryA
 0x49a2f0 LeaveCriticalSection
 0x49a2f4 InitializeCriticalSection
 0x49a2f8 GlobalUnlock
 0x49a2fc GlobalReAlloc
 0x49a300 GlobalHandle
 0x49a304 GlobalLock
 0x49a308 GlobalFree
 0x49a30c GlobalFindAtomA
 0x49a310 GlobalDeleteAtom
 0x49a314 GlobalAlloc
 0x49a318 GlobalAddAtomA
 0x49a31c GetVersionExA
 0x49a320 GetVersion
 0x49a324 GetTickCount
 0x49a328 GetThreadLocale
 0x49a32c GetSystemInfo
 0x49a330 GetStringTypeExA
 0x49a334 GetStdHandle
 0x49a338 GetProcAddress
 0x49a33c GetModuleHandleA
 0x49a340 GetModuleFileNameA
 0x49a344 GetLocaleInfoA
 0x49a348 GetLocalTime
 0x49a34c GetLastError
 0x49a350 GetFullPathNameA
 0x49a354 GetDiskFreeSpaceA
 0x49a358 GetDateFormatA
 0x49a35c GetCurrentThreadId
 0x49a360 GetCurrentProcessId
 0x49a364 GetCurrentProcess
 0x49a368 GetComputerNameA
 0x49a36c GetCPInfo
 0x49a370 GetACP
 0x49a374 FreeResource
 0x49a378 InterlockedExchange
 0x49a37c FreeLibrary
 0x49a380 FormatMessageA
 0x49a384 FindResourceA
 0x49a388 EnumCalendarInfoA
 0x49a38c EnterCriticalSection
 0x49a390 DeleteCriticalSection
 0x49a394 CreateThread
 0x49a398 CreateFileA
 0x49a39c CreateEventA
 0x49a3a0 CompareStringA
 0x49a3a4 CloseHandle
version.dll
 0x49a3ac VerQueryValueA
 0x49a3b0 GetFileVersionInfoSizeA
 0x49a3b4 GetFileVersionInfoA
gdi32.dll
 0x49a3bc UnrealizeObject
 0x49a3c0 StretchBlt
 0x49a3c4 SetWindowOrgEx
 0x49a3c8 SetViewportOrgEx
 0x49a3cc SetTextColor
 0x49a3d0 SetStretchBltMode
 0x49a3d4 SetROP2
 0x49a3d8 SetPixel
 0x49a3dc SetDIBColorTable
 0x49a3e0 SetBrushOrgEx
 0x49a3e4 SetBkMode
 0x49a3e8 SetBkColor
 0x49a3ec SelectPalette
 0x49a3f0 SelectObject
 0x49a3f4 SaveDC
 0x49a3f8 RestoreDC
 0x49a3fc RectVisible
 0x49a400 RealizePalette
 0x49a404 PatBlt
 0x49a408 MoveToEx
 0x49a40c MaskBlt
 0x49a410 LineTo
 0x49a414 IntersectClipRect
 0x49a418 GetWindowOrgEx
 0x49a41c GetTextMetricsA
 0x49a420 GetTextExtentPoint32A
 0x49a424 GetSystemPaletteEntries
 0x49a428 GetStockObject
 0x49a42c GetPixel
 0x49a430 GetPaletteEntries
 0x49a434 GetObjectA
 0x49a438 GetDeviceCaps
 0x49a43c GetDIBits
 0x49a440 GetDIBColorTable
 0x49a444 GetDCOrgEx
 0x49a448 GetCurrentPositionEx
 0x49a44c GetClipBox
 0x49a450 GetBrushOrgEx
 0x49a454 GetBitmapBits
 0x49a458 ExcludeClipRect
 0x49a45c DeleteObject
 0x49a460 DeleteDC
 0x49a464 CreateSolidBrush
 0x49a468 CreatePenIndirect
 0x49a46c CreatePalette
 0x49a470 CreateHalftonePalette
 0x49a474 CreateFontIndirectA
 0x49a478 CreateDIBitmap
 0x49a47c CreateDIBSection
 0x49a480 CreateCompatibleDC
 0x49a484 CreateCompatibleBitmap
 0x49a488 CreateBrushIndirect
 0x49a48c CreateBitmap
 0x49a490 BitBlt
user32.dll
 0x49a498 CreateWindowExA
 0x49a49c WindowFromPoint
 0x49a4a0 WinHelpA
 0x49a4a4 WaitMessage
 0x49a4a8 UpdateWindow
 0x49a4ac UnregisterClassA
 0x49a4b0 UnhookWindowsHookEx
 0x49a4b4 TranslateMessage
 0x49a4b8 TranslateMDISysAccel
 0x49a4bc TrackPopupMenu
 0x49a4c0 SystemParametersInfoA
 0x49a4c4 ShowWindow
 0x49a4c8 ShowScrollBar
 0x49a4cc ShowOwnedPopups
 0x49a4d0 ShowCursor
 0x49a4d4 SetWindowsHookExA
 0x49a4d8 SetWindowPos
 0x49a4dc SetWindowPlacement
 0x49a4e0 SetWindowLongA
 0x49a4e4 SetTimer
 0x49a4e8 SetScrollRange
 0x49a4ec SetScrollPos
 0x49a4f0 SetScrollInfo
 0x49a4f4 SetRect
 0x49a4f8 SetPropA
 0x49a4fc SetParent
 0x49a500 SetMenuItemInfoA
 0x49a504 SetMenu
 0x49a508 SetForegroundWindow
 0x49a50c SetFocus
 0x49a510 SetCursor
 0x49a514 SetClassLongA
 0x49a518 SetCapture
 0x49a51c SetActiveWindow
 0x49a520 SendMessageA
 0x49a524 ScrollWindow
 0x49a528 ScreenToClient
 0x49a52c RemovePropA
 0x49a530 RemoveMenu
 0x49a534 ReleaseDC
 0x49a538 ReleaseCapture
 0x49a53c RegisterWindowMessageA
 0x49a540 RegisterClipboardFormatA
 0x49a544 RegisterClassA
 0x49a548 RedrawWindow
 0x49a54c PtInRect
 0x49a550 PostQuitMessage
 0x49a554 PostMessageA
 0x49a558 PeekMessageA
 0x49a55c OffsetRect
 0x49a560 OemToCharA
 0x49a564 MessageBoxA
 0x49a568 MapWindowPoints
 0x49a56c MapVirtualKeyA
 0x49a570 LoadStringA
 0x49a574 LoadKeyboardLayoutA
 0x49a578 LoadIconA
 0x49a57c LoadCursorA
 0x49a580 LoadBitmapA
 0x49a584 KillTimer
 0x49a588 IsZoomed
 0x49a58c IsWindowVisible
 0x49a590 IsWindowEnabled
 0x49a594 IsWindow
 0x49a598 IsRectEmpty
 0x49a59c IsIconic
 0x49a5a0 IsDialogMessageA
 0x49a5a4 IsChild
 0x49a5a8 InvalidateRect
 0x49a5ac IntersectRect
 0x49a5b0 InsertMenuItemA
 0x49a5b4 InsertMenuA
 0x49a5b8 InflateRect
 0x49a5bc GetWindowThreadProcessId
 0x49a5c0 GetWindowTextA
 0x49a5c4 GetWindowRect
 0x49a5c8 GetWindowPlacement
 0x49a5cc GetWindowLongA
 0x49a5d0 GetWindowInfo
 0x49a5d4 GetWindowDC
 0x49a5d8 GetTopWindow
 0x49a5dc GetSystemMetrics
 0x49a5e0 GetSystemMenu
 0x49a5e4 GetSysColorBrush
 0x49a5e8 GetSysColor
 0x49a5ec GetSubMenu
 0x49a5f0 GetScrollRange
 0x49a5f4 GetScrollPos
 0x49a5f8 GetScrollInfo
 0x49a5fc GetPropA
 0x49a600 GetParent
 0x49a604 GetWindow
 0x49a608 GetMenuStringA
 0x49a60c GetMenuState
 0x49a610 GetMenuItemInfoA
 0x49a614 GetMenuItemID
 0x49a618 GetMenuItemCount
 0x49a61c GetMenu
 0x49a620 GetLastActivePopup
 0x49a624 GetKeyboardState
 0x49a628 GetKeyboardLayoutList
 0x49a62c GetKeyboardLayout
 0x49a630 GetKeyState
 0x49a634 GetKeyNameTextA
 0x49a638 GetIconInfo
 0x49a63c GetForegroundWindow
 0x49a640 GetFocus
 0x49a644 GetDesktopWindow
 0x49a648 GetDCEx
 0x49a64c GetDC
 0x49a650 GetCursorPos
 0x49a654 GetCursor
 0x49a658 GetClientRect
 0x49a65c GetClassNameA
 0x49a660 GetClassInfoA
 0x49a664 GetCapture
 0x49a668 GetActiveWindow
 0x49a66c FrameRect
 0x49a670 FindWindowA
 0x49a674 FillRect
 0x49a678 EqualRect
 0x49a67c EnumWindows
 0x49a680 EnumThreadWindows
 0x49a684 EndPaint
 0x49a688 EnableWindow
 0x49a68c EnableScrollBar
 0x49a690 EnableMenuItem
 0x49a694 DrawTextA
 0x49a698 DrawMenuBar
 0x49a69c DrawIconEx
 0x49a6a0 DrawIcon
 0x49a6a4 DrawFrameControl
 0x49a6a8 DrawEdge
 0x49a6ac DispatchMessageA
 0x49a6b0 DestroyWindow
 0x49a6b4 DestroyMenu
 0x49a6b8 DestroyIcon
 0x49a6bc DestroyCursor
 0x49a6c0 DeleteMenu
 0x49a6c4 DefWindowProcA
 0x49a6c8 DefMDIChildProcA
 0x49a6cc DefFrameProcA
 0x49a6d0 CreatePopupMenu
 0x49a6d4 CreateMenu
 0x49a6d8 CreateIcon
 0x49a6dc ClientToScreen
 0x49a6e0 CheckMenuItem
 0x49a6e4 CallWindowProcA
 0x49a6e8 CallNextHookEx
 0x49a6ec BeginPaint
 0x49a6f0 CharNextA
 0x49a6f4 CharLowerA
 0x49a6f8 CharUpperBuffA
 0x49a6fc CharToOemA
 0x49a700 AdjustWindowRectEx
 0x49a704 ActivateKeyboardLayout
kernel32.dll
 0x49a70c Sleep
oleaut32.dll
 0x49a714 SafeArrayPtrOfIndex
 0x49a718 SafeArrayPutElement
 0x49a71c SafeArrayGetElement
 0x49a720 SafeArrayUnaccessData
 0x49a724 SafeArrayAccessData
 0x49a728 SafeArrayGetUBound
 0x49a72c SafeArrayGetLBound
 0x49a730 SafeArrayCreate
 0x49a734 VariantChangeType
 0x49a738 VariantCopyInd
 0x49a73c VariantCopy
 0x49a740 VariantClear
 0x49a744 VariantInit
ole32.dll
 0x49a74c CoTaskMemFree
 0x49a750 ProgIDFromCLSID
 0x49a754 StringFromCLSID
 0x49a758 CoCreateInstance
 0x49a75c CoUninitialize
 0x49a760 CoInitialize
 0x49a764 IsEqualGUID
oleaut32.dll
 0x49a76c GetErrorInfo
 0x49a770 GetActiveObject
 0x49a774 SysFreeString
comctl32.dll
 0x49a77c ImageList_SetIconSize
 0x49a780 ImageList_GetIconSize
 0x49a784 ImageList_Write
 0x49a788 ImageList_Read
 0x49a78c ImageList_GetDragImage
 0x49a790 ImageList_DragShowNolock
 0x49a794 ImageList_SetDragCursorImage
 0x49a798 ImageList_DragMove
 0x49a79c ImageList_DragLeave
 0x49a7a0 ImageList_DragEnter
 0x49a7a4 ImageList_EndDrag
 0x49a7a8 ImageList_BeginDrag
 0x49a7ac ImageList_Remove
 0x49a7b0 ImageList_DrawEx
 0x49a7b4 ImageList_Draw
 0x49a7b8 ImageList_GetBkColor
 0x49a7bc ImageList_SetBkColor
 0x49a7c0 ImageList_ReplaceIcon
 0x49a7c4 ImageList_Add
 0x49a7c8 ImageList_SetImageCount
 0x49a7cc ImageList_GetImageCount
 0x49a7d0 ImageList_Destroy
 0x49a7d4 ImageList_Create
ntdll
 0x49a7dc ZwWriteVirtualMemory
Kernel32
 0x49a7e4 GetProcAddress
ntdll
 0x49a7ec RtlMoveMemory
uRL
 0x49a7f4 AutodialHookCallback
ntdll
 0x49a7fc NtQueryInformationFile
 0x49a800 NtOpenFile
 0x49a804 NtClose
 0x49a808 NtReadFile
ntdll
 0x49a810 RtlDosPathNameToNtPathName_U

EAT (Export Address Table): none


