Posted 28 August 2024 • Updated Work in progress
By legit4n6
LetsDefend reached out and asked me to provide a walkthrough of my investigation of the SOC189 - VBScript Suspicious Behavior Detected alert on their platform. So here it goes; I hope this helps anyone who uses my write-up.
An alert has been raised by L1 due to a suspicious visual basic script (VBScript) being detected. The table below contains the details provided by the L1 analyst.
| Incident Details | |
|---|---|
| EventID | 139 |
| Event Time | Apr 20, 2023, 09:42 AM |
| Rule | SOC189 - VBScript Suspicious Behavior Detected |
| Level | Incident Responder |
| Hostname | David |
| IP Address | 172.16.17.31 |
| Related Binary | Purchase_Order.xls.vbs |
| Binary Path | C:\Users\LetsDefend\Downloads\Purchase_Order\Purchase_Order.xls.vbs |
| Binary MD5 | 8FAF36EDFAE1EC0E8ECCD3C562C03903 |
| Trigger Reason | VBScript attempting to access sensitive system resources or files, such as the Windows Registry or system files, that are not related to its expected functionality. |
| Device Action | Allowed |
| L1 Note | When I searched the hash online, the file seems to be some variant of wshrat, and it seems malicious. I'm assigning this alert for further investigation. |
Now we need to analyze this data and determine what to do with the alert.

Based on what we know so far, the user downloaded `Purchase_Order.xls.vbs` from somewhere. The file extension `.xls.vbs` gives us a clue: the file is actually a Visual Basic script (VBScript, `.vbs`) masquerading as an Excel workbook (`.xls`). This is a double extension, a technique often used to trick users into opening malicious files, since Windows Explorer hides known extensions by default and the name then displays as `Purchase_Order.xls`.

Additionally, the L1 note indicated that, based on the file hash `8FAF36EDFAE1EC0E8ECCD3C562C03903`, the file seems to be some variant of wshrat. This can be verified by checking the file hash on a tool such as VirusTotal.
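Both triage steps above can be scripted. The following is an added example, not part of the original write-up or of the LetsDefend platform: it flags file names whose final extension is a script or executable while an earlier extension looks like a document (the `.xls.vbs` pattern), and computes the MD5 that would be looked up on VirusTotal. The extension lists and the sample download listing are constructed for illustration; the only value taken from the alert is the file name `Purchase_Order.xls.vbs`.

```python
import hashlib
import os

# Assumption: representative list of extensions Windows executes as scripts or
# programs (via wscript/cscript, mshta, cmd, or directly). Not from the write-up.
EXECUTABLE_EXTS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".exe", ".scr", ".com", ".pif", ".lnk",
}

# Assumption: extensions users read as harmless documents or images; these are
# the "decoy" part of a double extension.
DOCUMENT_EXTS = {
    ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".ppt", ".pptx",
    ".txt", ".csv", ".rtf", ".jpg", ".png",
}


def split_extensions(filename):
    """Return the lowercase extension chain of a name: 'a.xls.vbs' -> ['.xls', '.vbs'].

    Handles paths, mixed case, and padding spaces around the dots.
    """
    base = os.path.basename(filename.strip().rstrip("."))
    parts = [p.strip() for p in base.lower().split(".")]
    # parts[0] is the file stem; everything after the first dot is an extension
    return ["." + p for p in parts[1:] if p]


def check_double_extension(filename):
    """Flag a name whose last extension executes but an earlier one looks like a document.

    Returns a dict describing the masquerade, or None when the name is benign.
    'report.final.docx' and 'archive.tar.gz' are multi-dot but not flagged,
    because their final extension is not executable.
    """
    exts = split_extensions(filename)
    if len(exts) < 2:
        return None
    actual, decoys = exts[-1], exts[:-1]
    if actual in EXECUTABLE_EXTS and any(d in DOCUMENT_EXTS for d in decoys):
        return {"file": filename, "looks_like": decoys[-1], "actually": actual}
    return None


def md5_hex(data):
    """Uppercase MD5 of the file bytes, the same form the alert records for lookup."""
    return hashlib.md5(data).hexdigest().upper()


def triage_downloads(listing):
    """Run both checks over (name, bytes) pairs and return one finding per suspicious file."""
    findings = []
    for name, content in listing:
        hit = check_double_extension(name)
        if hit:
            hit["md5"] = md5_hex(content)
            findings.append(hit)
    return findings


# Constructed sample listing: only the first name comes from the alert; the
# bytes are placeholders, not the real file's contents.
SAMPLE_DOWNLOADS = [
    ("Purchase_Order.xls.vbs", b"' placeholder script body\r\nWScript.Echo 1\r\n"),
    ("report.final.docx", b"PK\x03\x04 placeholder"),
    ("archive.tar.gz", b"\x1f\x8b placeholder"),
    ("Invoice.PDF.EXE", b"MZ placeholder"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for f in triage_downloads(SAMPLE_DOWNLOADS):
        print(f"{f['file']}: shown as {f['looks_like']}, runs as {f['actually']}, MD5 {f['md5']}")
```

The decision rule is deliberately narrow: a second dot alone is not suspicious (`archive.tar.gz`), only a document-looking extension followed by an executable one is. The MD5 is computed over the local file so it can be compared with the value the L1 analyst reported and then searched on VirusTotal.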
In the LetsDefend platform, there is an option to open a case to assist with your investigation.
Work in progress