csrsrv[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

csrsrv.dll
Size

58KB
MD5

aeaeeb61852909577008dcee785d047d
SHA1

ad8929f4891b4430f27e001ea73489aed7f1a577
SHA256

4f1edc4d8ac7dac4e8593bbdeee61830f397b31751fd11c6c7e5f89e7b84eef4
SHA512

830610e27f752f225a38fc4fba34a70110fbdd2de303b16e68b6c5060a54a3092a852c1d6359c1a6ce7b586d8c0886eb46dd84a07a3485e363b83b822ccdf5ed
SSDEEP

1536:7IergDmpKdAqf4/gpnqFVA/XX/P0bD4TjGl:7I4gCpKjf4/4nqnA//P0bsT

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
csrsrv.dll

Files

csrsrv.dll
.dll windows:6 windows x64 arch:x64

9f01f74464f03d2ef97b07efcdec9448

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

csrsrv.pdb

Imports

ntdll

RtlGetAce
_stricmp
swprintf_s
NtResumeThread
NtSetEvent
NtCreateSymbolicLinkObject
RtlAnsiStringToUnicodeString
NtOpenKey
NtSetInformationObject
_snprintf_s
RtlCreateAcl
NtQuerySystemInformation
RtlFreeSid
RtlFreeHeap
RtlSetDaclSecurityDescriptor
RtlInitUnicodeString
RtlWakeAddressAll
RtlInitString
RtlAddAccessAllowedAce
NtWaitForSingleObject
RtlCreateTagHeap
EtwEventRegister
NtClose
NtOpenEvent
RtlAllocateHeap
NtCreateDirectoryObject
RtlGetDaclSecurityDescriptor
RtlCharToInteger
NtCreateEvent
NtOpenProcessToken
NtQueryInformationToken
NtSetSecurityObject
NtQueryValueKey
NtAdjustPrivilegesToken
RtlAllocateAndInitializeSid
DbgPrint
RtlLengthSid
RtlCreateSecurityDescriptor
RtlCreateHeap
NtTerminateProcess
NtMapViewOfSection
LdrUnloadDll
RtlAppendUnicodeToString
RtlInitAnsiString
NtRaiseHardError
LdrGetProcedureAddress
RtlUnhandledExceptionFilter
RtlFreeUnicodeString
RtlAdjustPrivilege
RtlAppendUnicodeStringToString
NtDelayExecution
RtlSetUnhandledExceptionFilter
LdrLoadDll
RtlReportException
RtlCreateUserThread
NtCreateSection
strncpy_s
NtTerminateThread
NtCreatePort
NtCompleteConnectPort
NtReplyWaitReceivePort
NtAcceptConnectPort
RtlEnterCriticalSection
NtQueryInformationThread
NtSetInformationProcess
RtlLeaveCriticalSection
RtlSubAuthoritySid
RtlLengthRequiredSid
NtSetDefaultHardErrorPort
NtAlpcCreatePort
RtlSetSaclSecurityDescriptor
RtlInitializeSid
RtlAddProcessTrustLabelAce
RtlWaitOnAddress
AlpcGetMessageAttribute
NtAlpcOpenSenderThread
NtQueryInformationProcess
NtAlpcOpenSenderProcess
NtAlpcSendWaitReceivePort
NtAlpcAcceptConnectPort
NtAlpcDeleteSectionView
AlpcInitializeMessageAttribute
RtlInitializeCriticalSection
NtAlpcDisconnectPort
RtlCreateUserProcess
qsort
NtOpenThreadToken
EtwEventEnabled
NtSetInformationThread
NtOpenThread
RtlDestroyProcessParameters
_vsnwprintf
NtReadVirtualMemory
NtOpenDirectoryObject
RtlCheckSandboxedToken
NtImpersonateThread
RtlCreateProcessParametersEx
NtRegisterThreadTerminatePort
EtwEventWrite
NtDuplicateObject
LdrDisableThreadCalloutsForDll
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlConnectToSm
RtlSendMsgToSm
__C_specific_handler
memcpy
memset

Exports

Exports

CsrAddStaticServerThread
CsrCallServerFromServer
CsrConnectToUser
CsrCreateProcess
CsrCreateRemoteThread
CsrCreateThread
CsrDeferredCreateProcess
CsrDereferenceProcess
CsrDereferenceThread
CsrDestroyProcess
CsrDestroyThread
CsrExecServerThread
CsrGetProcessLuid
CsrImpersonateClient
CsrIsClientSandboxed
CsrLockProcessByClientId
CsrLockThreadByClientId
CsrLockedReferenceProcess
CsrQueryApiPort
CsrReferenceThread
CsrRegisterClientThreadSetup
CsrReplyToMessage
CsrRevertToSelf
CsrServerInitialization
CsrSetBackgroundPriority
CsrSetForegroundPriority
CsrShutdownProcesses
CsrUnhandledExceptionFilter
CsrUnlockProcess
CsrUnlockThread
CsrValidateMessageBuffer
CsrValidateMessageString

Sections

.text
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9f01f74464f03d2ef97b07efcdec9448

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

Exports

Exports

Sections

.text Size: 40KB - Virtual size: 40KB

.data Size: 512B - Virtual size: 17KB

.pdata Size: 3KB - Virtual size: 2KB

.idata Size: 4KB - Virtual size: 4KB

.rsrc Size: 8KB - Virtual size: 7KB

.reloc Size: 512B - Virtual size: 60B

.text
Size: 40KB - Virtual size: 40KB

.data
Size: 512B - Virtual size: 17KB

.pdata
Size: 3KB - Virtual size: 2KB

.idata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 8KB - Virtual size: 7KB

.reloc
Size: 512B - Virtual size: 60B