cscsvc[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cscsvc.dll
Size

536KB
MD5

4f2422bb17af7c330cee40ebb79f53ee
SHA1

785740b79b7c12bff129f2ed9681313e521fe2cf
SHA256

93a65d32f1f302be6e2deafe32d723e04af3879a87a9b7272614e6c4193aa766
SHA512

03af367b529726e8152a8c7a44b3cce0e4f2c2dc76b5054dac1555394b595f029cac528f106bf1056cdf4a8714058c3de67efe316b14c80f015aa399151869e7
SSDEEP

12288:QgXRyM3EMhQoPJ4hV89jnzu0AjDvOYzXiDZzLkHnJoXmUp:7XRyM3zhHJQ89jnz5IzXiDZzLkHJoL

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cscsvc.dll

Files

cscsvc.dll
.dll windows:6 windows x86 arch:x86

e7863c1428defdd2d15d6f195b527b18

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

cscsvc.pdb

Imports

msvcrt

memset
??3@YAXPAX@Z
??2@YAPAXI@Z
free
memcpy
wcsstr
_vsnwprintf
wcschr
memmove
bsearch
qsort
iswspace
swscanf_s
_XcptFilter
malloc
_initterm
_amsg_exit
_unlock
_purecall
_wcsnicmp
wcsncmp
_except_handler4_common
_onexit
_lock
__dllonexit
wcscpy_s
_vscwprintf
wprintf
vwprintf
wcsrchr
_wcsupr

ntdll

EtwTraceMessage
NtClose
RtlNtStatusToDosErrorNoTeb
NtQueryInformationToken
RtlInitializeResource
RtlDeleteResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlReleaseResource
EtwEventUnregister
RtlAppendUnicodeStringToString
RtlPrefixUnicodeString
NtCreateFile
NtQueryInformationFile
NtWaitForSingleObject
NtCreateEvent
RtlLengthSid
NtQueryDirectoryFile
RtlGetLastNtStatus
RtlDuplicateUnicodeString
RtlValidSid
NtSetInformationFile
NtWriteFile
NtDeviceIoControlFile
RtlFreeHeap
RtlDosPathNameToNtPathName_U
RtlCompareUnicodeString
NtQueryVolumeInformationFile
RtlEqualUnicodeString
RtlNtStatusToDosError
RtlInitUnicodeString
NtFsControlFile
DbgPrint
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
RtlFreeUnicodeString
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlpEnsureBufferSize
RtlAppendPathElement
RtlpApplyLengthFunction
RtlGetLengthWithoutTrailingPathSeperators
RtlAssert
EtwEventRegister
EtwEventEnabled
EtwEventWrite
NtReadFile

sspicli

LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaConnectUntrusted
LsaFreeReturnBuffer

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-file-l1-1-0

FileTimeToSystemTime
CreateDirectoryW
GetFileAttributesW
FileTimeToLocalFileTime
CompareFileTime
FindNextFileW
FindFirstFileW
FindClose
GetDiskFreeSpaceExW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-interlocked-l1-1-0

InterlockedCompareExchange64
InterlockedDecrement
InterlockedIncrement
InterlockedCompareExchange
InterlockedExchange

api-ms-win-core-libraryloader-l1-1-0

FreeLibrary
LockResource
LoadResource
LoadStringW
SizeofResource
DisableThreadLibraryCalls
FreeLibraryAndExitThread
GetProcAddress
LoadLibraryExA

api-ms-win-core-localregistry-l1-1-0

RegOpenKeyExW
RegDeleteKeyExW
RegCreateKeyExW
RegSetValueExW
RegCloseKey
RegQueryValueExW
RegDeleteValueW
RegEnumValueW
RegQueryInfoKeyW
RegNotifyChangeKeyValue
RegOpenCurrentUser

api-ms-win-core-misc-l1-1-0

LocalFree
lstrlenW
lstrcmpiW
Sleep

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
GetThreadPriority
CreateThread
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess
OpenThreadToken
SetThreadToken
SetThreadPriority
OpenProcessToken

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-synch-l1-1-0

SetEvent
ResetEvent
InitializeCriticalSectionAndSpinCount
WaitForSingleObject
CreateEventW
CancelWaitableTimer
WaitForMultipleObjectsEx
ReleaseSemaphore
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetWaitableTimer

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemTime
SystemTimeToFileTime
GetTickCount

api-ms-win-core-threadpool-l1-1-0

SetThreadpoolWait
CloseThreadpool
WaitForThreadpoolWaitCallbacks
CreateThreadpool
CreateThreadpoolWait
CloseThreadpoolWait
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolCleanupGroup
CreateThreadpoolCleanupGroup
SetThreadpoolThreadMaximum

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
DuplicateTokenEx
EqualSid
IsValidSid
GetLengthSid
CopySid
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
GetTokenInformation
RevertToSelf

api-ms-win-service-core-l1-1-0

RegisterServiceCtrlHandlerExW
SetServiceStatus

user32

MsgWaitForMultipleObjectsEx
CharLowerW
CharUpperW
PostThreadMessageW
PeekMessageW
DispatchMessageW
TranslateMessage

oleaut32

SafeArrayUnlock
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
SafeArrayPtrOfIndex
SafeArrayGetDim
SafeArrayLock
SafeArrayGetElement
SafeArrayCreateVector
SafeArrayDestroy
SafeArrayPutElement
VariantChangeType
VariantClear
VariantInit
SysAllocString
SysFreeString
SysStringLen
SysAllocStringLen
VarUI4FromStr
GetErrorInfo
VariantCopy

userenv

UnregisterGPNotification
LeaveCriticalPolicySection
RegisterGPNotification
EnterCriticalPolicySection
ExpandEnvironmentStringsForUserW

kernel32

GetDriveTypeW
ExpandEnvironmentStringsW
LocalAlloc
CallbackMayRunLong
TrySubmitThreadpoolCallback
InterlockedExchangeAdd
CreateIoCompletionPort
GetQueuedCompletionStatus
VirtualAlloc
VirtualFree
DuplicateHandle
TlsSetValue
TlsGetValue
TlsAlloc
SystemTimeToTzSpecificLocalTime
ReplaceFileW
QueryPerformanceFrequency
GetFileSizeEx
FormatMessageW
ReleaseMutex
CreateMutexW
FindResourceW
HeapFree
HeapReAlloc
CompareStringW
HeapAlloc
LoadLibraryW
QueueUserWorkItem
WaitForMultipleObjects
CreateWaitableTimerW
CreateSemaphoreW
DelayLoadFailureHook
TlsFree
GetProcessHeap

Exports

Exports

CscServiceMain
CscTestGetInterface

Sections

.text
Size: 479KB - Virtual size: 478KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e7863c1428defdd2d15d6f195b527b18

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

sspicli

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-libraryloader-l1-1-0

api-ms-win-core-localregistry-l1-1-0

api-ms-win-core-misc-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-threadpool-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-service-core-l1-1-0

user32

oleaut32

userenv

kernel32

Exports

Exports

Sections

.text Size: 479KB - Virtual size: 478KB

.data Size: 8KB - Virtual size: 8KB

.rsrc Size: 23KB - Virtual size: 22KB

.reloc Size: 25KB - Virtual size: 24KB

.text
Size: 479KB - Virtual size: 478KB

.data
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 23KB - Virtual size: 22KB

.reloc
Size: 25KB - Virtual size: 24KB