e479c6e8891cebe2b24f319de83a003d7be73e93bae5aabb5ba3d6b914ff8135
Author: Microsoft
Source: Wild
Threat: LOLBin
Summary
Wscript is a component of Windows Script Host (WSH), which provides an environment in which scripts can run in either GUI mode (wscript.exe) or command-line mode (cscript.exe). Wscript typically runs Windows script files (.wsf, .vbs, .js extensions).
EchoTrail Prevalence Score (EPS)
39.08
Rank Analysis
Host Prevalence
13.2%
Execution Rank
525th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32
99.95 %
Top Network Ports
443
47.22 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
Wscript is often seen as the process spawned to call malicious script files, regardless of whether the attack is targeted in nature or opportunistic e-crime. Cmd.exe is often the parent process, legitimate or otherwise, but the core malicious process may be PowerShell or a custom RAT. In targeted or more human-driven, sophisticated attacks, the malicious scripts are often VBScript (.vbs) files. Heuristically tracking malicious wscript processes can be quite difficult given the unpredictable ways in which they are called. Across many different IT environments, wscript parent and sometimes grandparent processes are generally not consistent, and child processes of wscript tend not to be consistent either. As such, the most efficient use of wscript anomalies is likely as one factor in a correlation rule. In a phishing scenario that uses malicious macros in a Microsoft Office document as the lure, one might find cscript or wscript being spawned to launch the malicious activity via scripts.