csrss.exe

  • File Path: C:\WINDOWS\system32\csrss.exe
  • Description: Client Server Runtime Process

Hashes

Type Hash
MD5 01CDE2D68D2B5B8C5F8EB4E9829D28FC
SHA1 C0FD59FE9EA60D0D28B0CC6CFF1BAF2ABF809979
SHA256 2E4F398084F26185B89E9D0CD89F1F0FAF603A2F1C44DDCA3ADEF321A15AF621
SHA384 26326D4D858D22D5575DA94E9EA812829042BC298BBE355C9A6AA9BC0AF39E8728A5E7F17DA1CA52824EE76EDCBCB852
SHA512 3EEEF8BEC1EFDDC8DA2F1A7396A25A2EF304F8CDC0FBBE1ADB80ABC3223387E283816713A968E532B30E68564570E58362823A34212F897F746C449FB1680A64
SSDEEP 192:mhzgEPwLQjCMqmHW5TnW9mh8DDBQABJIWJxj21EhqnajKsKwPgTI:qSMnHW5TnW97DDBRJbxqslGsKCgs
IMP A96FA9912E09E361274AD77F1A4B252C
PESHA1 9FC266A95F6EFE8BD87C76C5BD465465CA35EB2C
PE256 814B34317268C8109B7B2808CE40B0457FD5E3F031CEAD88249793EBE4210EEB

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CSRSS.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/2e4f398084f26185b89e9d0cd89f1f0faf603a2f1c44ddca3adef321a15af621/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll 38
C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe 33

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\csrss.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\csrss.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\csrss.exe' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\csrss.exe' DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\csrss.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\csrss.exe' DRL 1.0
malware-ioc glupteba.misp-event.json "value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db", © ESET 2014-2018
malware-ioc glupteba \|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE © ESET 2014-2018
malware-ioc nukesped_lazarus .csrss.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc rtm csrss.exe © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "C:\\Intel\\~csrss.exe", © ESET 2014-2018
malware-ioc turla * ++C:\Intel~csrss.exe++``{:.highlight .language-cmhg} © ESET 2014-2018
signature-base generic_anomalies.yar description = “Detects uncommon file size of csrss.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “csrss.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “name="Microsoft.Windows.CSRSS"” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “csrss.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.