cscript[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cscript.exe
Size

184KB
MD5

817b20f1e8787a88464dbaa925893a35
SHA1

8546c1871212b40e7cbad6ce8d7f1255fb72323a
SHA256

65b7bb45c66bb918b9e2f267a8a3d7ef5b46f7cac6df6f4dbea803334f411b1a
SHA512

aed7ac215c210688d6d5f0e38bbac17311fac43694126784092ebad684140124cd477ca25b02f79aea502015ad866b59f2d456fef1fd05a04c208650d037adea
SSDEEP

3072:UQT5ZbSY9/OdlJCHvIMHjGIeCoebqeRTApUTX5d7DTSJSEAp6h02EIXvdzgMvTe1:UQT3b1/mPCHvIMHaIeC7bqeRTApUTpdv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cscript.exe

Files

cscript.exe
.exe windows:10 windows x64 arch:x64

b9e6820a671e967d1a371a5bcabc76b9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

free
_callnewh
memcpy
memmove_s
memcmp
_wcsicmp
wcsncmp
wcscpy_s
memcpy_s
_vsnwprintf
memmove
malloc
swprintf_s
sprintf_s
__C_specific_handler
_vsnprintf
_swab
strcpy_s
wcsrchr
_itow
_itow_s
wcscat_s
_wcsnicmp
memset

oleaut32

CreateErrorInfo
SetErrorInfo
SysFreeString
SysStringLen
LoadRegTypeLi
SafeArrayCopy
SafeArrayGetLBound
SafeArrayDestroy
SafeArrayGetUBound
SafeArrayPutElement
SafeArrayCreate
VariantClear
LoadTypeLi
SafeArrayGetElement
SysAllocStringLen
VariantChangeType
VariantCopy
VariantInit
SysAllocString

kernel32

CreateSemaphoreExW
HeapFree
SetLastError
EnterCriticalSection
GetCommandLineW
ReleaseSemaphore
WriteConsoleW
LeaveCriticalSection
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
GetModuleHandleA
GetCommandLineA
MultiByteToWideChar
FormatMessageW
ReleaseSRWLockExclusive
OutputDebugStringW
CloseThreadpoolTimer
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
HeapAlloc
GetProcAddress
CreateMutexExW
AcquireSRWLockShared
DeleteCriticalSection
ExitProcess
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
IsDebuggerPresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
GetLastError
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetPrivateProfileStringW
LocalAlloc
GetConsoleMode
WriteFile
LocalFree
GetPrivateProfileIntW
FormatMessageA
LoadLibraryExW
FindFirstFileW
FindFirstFileA
FindClose
GetFileAttributesW
GetACP
GetFileAttributesA
GetStdHandle
GetCPInfo
GetModuleFileNameA
GetPrivateProfileIntA
GetModuleFileNameW
HeapReAlloc
GetPrivateProfileStringA
InitializeCriticalSection
LoadLibraryW
CreateFileW
GetLocaleInfoA
GetLocaleInfoW
GetFullPathNameA
UnmapViewOfFile
FreeLibrary
GetFullPathNameW
CreateFileMappingA
GetFileSize
GetSystemDefaultUILanguage
MapViewOfFile
GetLocaleInfoEx
CreateFileMappingW
WideCharToMultiByte
GetUserDefaultUILanguage
GetVersionExW
LCIDToLocaleName
FlushFileBuffers
LoadResource
GetTempFileNameA
GetVersionExA
SearchPathW
GetSystemDirectoryA
CreateFileA
GetTempPath2A
RtlLookupFunctionEntry
LoadLibraryExA
FindResourceExW
GetUserDefaultLCID
CreateEventA
CreateThread
SetEvent

ole32

CLSIDFromProgID
CoGetClassObject
CLSIDFromString
CoCreateInstance
CoRegisterMessageFilter
MkParseDisplayName
CoGetTreatAsClass
CreateFileMoniker
CreateBindCtx
CoUninitialize
CoInitialize
CoInitializeSecurity

advapi32

ReportEventW
IsTextUnicode
DeregisterEventSource
GetUserNameW
RegisterEventSourceW
LookupAccountNameW
RegCreateKeyA
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExW
RegEnumKeyExA
RegCloseKey
RegOpenKeyExW
RegSetValueExW
ImpersonateLoggedOnUser
RegCreateKeyExW
RegCreateKeyExA

version

GetFileVersionInfoA
GetFileVersionInfoW
VerQueryValueA
GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoSizeA

user32

PostQuitMessage
KillTimer
GetWindowLongPtrA
PeekMessageA
MsgWaitForMultipleObjectsEx
GetActiveWindow
EnumThreadWindows
GetMessageA
DispatchMessageA
SendMessageA
GetParent
PostMessageA
GetClassNameA
MsgWaitForMultipleObjects
LoadStringW
LoadStringA
GetClassInfoA
CreateWindowExA
SetTimer
CharNextA
TranslateMessage
IsWindowVisible
RegisterClassA
DefWindowProcA
SetWindowLongPtrA

Sections

.text
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 828B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b9e6820a671e967d1a371a5bcabc76b9

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

oleaut32

kernel32

ole32

advapi32

version

user32

Sections

.text Size: 104KB - Virtual size: 103KB

.rdata Size: 24KB - Virtual size: 23KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 8KB - Virtual size: 6KB

.rsrc Size: 36KB - Virtual size: 33KB

.reloc Size: 4KB - Virtual size: 828B

.text
Size: 104KB - Virtual size: 103KB

.rdata
Size: 24KB - Virtual size: 23KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 8KB - Virtual size: 6KB

.rsrc
Size: 36KB - Virtual size: 33KB

.reloc
Size: 4KB - Virtual size: 828B