ScreenShot
| Created | 2021.03.31 10:37 | Machine | s1_win7_x6402 |
| Filename | csrss.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 48 detected (FamVT, LozakaD, malicious, high confidence, Mint, Zard, GenericRXNE, Unsafe, CoinMiner, Miner, Remix, Attribute, HighConfidence, CoinminerX, BitCoinMiner, BitMiner, hlxrop, Syri, BEX@7pt9re, Siggen9, AutoG, Static AI, Malicious PE, Score, ATRAPS, Malpacked3, BScope, BtcMine, ai score=84, Nimnul, FileInfector, RDMK, cmRtazpo4rs4ehNUr5KT0luHYTo3, GenAsa, bNe2xAxJt+s, susgen, Genetic, QVM20) | ||
| md5 | c952383a9e62b399001ebbb03468d786 | ||
| sha256 | f45992d5769523b5380d45fe1a40f2c921eabf98b695d2c2b272bcde12cab75e | ||
| ssdeep | 49152:xA6ESVrsSkp1tRzRHON1ykC24GecSjPzUNSdnRG:xA6xRkt9RH8vLccSjPl | ||
| imphash | ded6c839e7f7258224ae021602258361 | ||
| impfuzzy | 24:KFbers2eDo2CpV1XyAgbRBSXiuJOYjrzePTGOjgbU5o58fY89/q9mTiuKIznKXm6:iers25nXF6BSXfJOomc6AUYlUK0K2m3 | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Created a service where a service was also not started |
| watch | Deletes executed files from disk |
| watch | Installs itself for autorun at Windows startup |
| watch | Network communications indicative of possible code injection originated from the process csrss.exe |
| watch | The process wscript.exe wrote an executable file to disk |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (upload) |
Network (7cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
WININET.dll
0x40911c HttpSendRequestA
0x409120 HttpOpenRequestA
0x409124 InternetSetOptionA
0x409128 InternetReadFile
0x40912c InternetConnectA
0x409130 InternetCloseHandle
0x409134 InternetOpenA
0x409138 InternetCrackUrlA
0x40913c InternetQueryOptionA
KERNEL32.dll
0x409038 MultiByteToWideChar
0x40903c WideCharToMultiByte
0x409040 FreeLibrary
0x409044 GetProcAddress
0x409048 LoadLibraryA
0x40904c VirtualAlloc
0x409050 VirtualFree
0x409054 TerminateThread
0x409058 GetExitCodeThread
0x40905c Sleep
0x409060 LocalFree
0x409064 GetCurrentProcess
0x409068 ExitProcess
0x40906c CreateThread
0x409070 SetThreadExecutionState
0x409074 GetLastError
0x409078 SetErrorMode
0x40907c GetFileSizeEx
0x409080 GetSystemInfo
0x409084 GetTickCount
0x409088 CreateMutexA
0x40908c GetModuleFileNameW
0x409090 GetProcessHeap
0x409094 GetWindowsDirectoryW
0x409098 CreateDirectoryW
0x40909c TerminateProcess
0x4090a0 ExitThread
0x4090a4 ReadProcessMemory
0x4090a8 GetThreadContext
0x4090ac SetThreadContext
0x4090b0 HeapFree
0x4090b4 CreateProcessW
0x4090b8 GetCurrentProcessId
0x4090bc DeleteFileW
0x4090c0 MoveFileW
0x4090c4 GetLongPathNameW
0x4090c8 WaitForSingleObject
0x4090cc GetTempPathW
0x4090d0 OpenProcess
0x4090d4 GetExitCodeProcess
0x4090d8 ReadFile
0x4090dc GetModuleHandleA
0x4090e0 GetModuleHandleW
0x4090e4 CreateFileW
0x4090e8 GetFileAttributesW
0x4090ec CreateToolhelp32Snapshot
0x4090f0 Process32First
0x4090f4 Process32Next
0x4090f8 HeapReAlloc
0x4090fc HeapAlloc
0x409100 GetCommandLineW
0x409104 CloseHandle
USER32.dll
0x409114 GetLastInputInfo
ADVAPI32.dll
0x409000 RegOpenKeyExW
0x409004 ConvertSidToStringSidW
0x409008 CryptDestroyHash
0x40900c CryptHashData
0x409010 CryptCreateHash
0x409014 CryptGetHashParam
0x409018 CryptReleaseContext
0x40901c CryptAcquireContextW
0x409020 IsValidSid
0x409024 RegSetValueExW
0x409028 OpenProcessToken
0x40902c GetTokenInformation
0x409030 RegCloseKey
SHELL32.dll
0x40910c CommandLineToArgvW
ole32.dll
0x409144 CoTaskMemFree
EAT(Export Address Table) is none
WININET.dll
0x40911c HttpSendRequestA
0x409120 HttpOpenRequestA
0x409124 InternetSetOptionA
0x409128 InternetReadFile
0x40912c InternetConnectA
0x409130 InternetCloseHandle
0x409134 InternetOpenA
0x409138 InternetCrackUrlA
0x40913c InternetQueryOptionA
KERNEL32.dll
0x409038 MultiByteToWideChar
0x40903c WideCharToMultiByte
0x409040 FreeLibrary
0x409044 GetProcAddress
0x409048 LoadLibraryA
0x40904c VirtualAlloc
0x409050 VirtualFree
0x409054 TerminateThread
0x409058 GetExitCodeThread
0x40905c Sleep
0x409060 LocalFree
0x409064 GetCurrentProcess
0x409068 ExitProcess
0x40906c CreateThread
0x409070 SetThreadExecutionState
0x409074 GetLastError
0x409078 SetErrorMode
0x40907c GetFileSizeEx
0x409080 GetSystemInfo
0x409084 GetTickCount
0x409088 CreateMutexA
0x40908c GetModuleFileNameW
0x409090 GetProcessHeap
0x409094 GetWindowsDirectoryW
0x409098 CreateDirectoryW
0x40909c TerminateProcess
0x4090a0 ExitThread
0x4090a4 ReadProcessMemory
0x4090a8 GetThreadContext
0x4090ac SetThreadContext
0x4090b0 HeapFree
0x4090b4 CreateProcessW
0x4090b8 GetCurrentProcessId
0x4090bc DeleteFileW
0x4090c0 MoveFileW
0x4090c4 GetLongPathNameW
0x4090c8 WaitForSingleObject
0x4090cc GetTempPathW
0x4090d0 OpenProcess
0x4090d4 GetExitCodeProcess
0x4090d8 ReadFile
0x4090dc GetModuleHandleA
0x4090e0 GetModuleHandleW
0x4090e4 CreateFileW
0x4090e8 GetFileAttributesW
0x4090ec CreateToolhelp32Snapshot
0x4090f0 Process32First
0x4090f4 Process32Next
0x4090f8 HeapReAlloc
0x4090fc HeapAlloc
0x409100 GetCommandLineW
0x409104 CloseHandle
USER32.dll
0x409114 GetLastInputInfo
ADVAPI32.dll
0x409000 RegOpenKeyExW
0x409004 ConvertSidToStringSidW
0x409008 CryptDestroyHash
0x40900c CryptHashData
0x409010 CryptCreateHash
0x409014 CryptGetHashParam
0x409018 CryptReleaseContext
0x40901c CryptAcquireContextW
0x409020 IsValidSid
0x409024 RegSetValueExW
0x409028 OpenProcessToken
0x40902c GetTokenInformation
0x409030 RegCloseKey
SHELL32.dll
0x40910c CommandLineToArgvW
ole32.dll
0x409144 CoTaskMemFree
EAT(Export Address Table) is none