| Technique ID | Technique | Sub-technique | Observed behavior |
|---|---|---|---|
| T1566.001 | Phishing | Spearphishing Attachment | Malicious VBS delivered as a phishing e-mail attachment |
| T1059.005 | Command and Scripting Interpreter | Visual Basic | Execution of the malicious VBScript through Windows Script Host |
| T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | Persistence via a Run key under the user hive and a copy in the Startup folder |
| T1071.001 | Application Layer Protocol | Web Protocols | Communication with the command-and-control server |
| T1105 | Ingress Tool Transfer | (none) | Payload delivery by the script |
The alert SOC189 VBScript Suspicious Behavior Detected fired after Purchase_Order.xls.vbs was executed on the host David. The file is confirmed malicious (a WSHRAT variant) by VirusTotal and sandbox analysis. The script established persistence through a registry Run key and a Startup folder entry and initiated outbound communication to the C2 address 103.47.144.80.
Apr 20 2023 09:42 AM
Host David (172.16.17.31). The malicious script resides at C:\Users\LetsDefend\Downloads\Purchase_Order\Purchase_Order.xls.vbs; the double extension makes the script appear to be an Excel workbook when file extensions are hidden. Persistence was found in a Run key under HKU and in the user's Startup folder. C2 communication was observed to 103.47.144.80.
The alert was triggered because the VBScript accessed sensitive system resources. The investigation confirms that the script is a WSHRAT variant delivered in a phishing e-mail from support@gododdy.com, a sender domain that imitates godaddy.com. The malware established persistence through the registry Run key and the Startup folder entry and communicated with external C2 infrastructure. The malicious file and its persistence entries were removed from the endpoint, and the host was contained to prevent lateral movement or data exfiltration.
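The following PowerShell triage script is an added example and is not part of the original case report. It hunts a host for the artifact classes named above: Run-key entries that launch a Windows Script Host script, script files in any Startup folder, the dropped file itself (compared by SHA-256 against the hash from the VirusTotal link on this page), and live TCP sessions to the C2 address. The file path, hash and IP come from the report; the output CSV location and the set of script extensions are assumptions.

```powershell
# Added triage example for the SOC189 case; not the original report's code.
# Run as an administrator on the suspect host. Values from the report:
$KnownSha256 = '1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196'
$C2Address   = '103.47.144.80'
$SamplePath  = 'C:\Users\LetsDefend\Downloads\Purchase_Order\Purchase_Order.xls.vbs'
# Assumption: WSH-hosted script types worth flagging in autostart locations.
$ScriptExts  = @('.vbs', '.vbe', '.js', '.jse', '.wsf')
$Findings    = @()

# 1. Run keys. Walk every loaded user hive under HKEY_USERS, not only HKCU,
#    because the script ran under a different account than the analyst's.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$RunKeys = @(Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
$RunKeys += 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -in $ProviderProps) { continue }
        $Value = [string]$Prop.Value
        # Flag values that invoke a script host or point directly at a script file.
        if ($Value -match '\b(wscript|cscript)(\.exe)?\b' -or $Value -match '\.(vbs|vbe|js|jse|wsf)\b') {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$Key\$($Prop.Name)"; Detail = $Value }
        }
    }
}

# 2. Startup folders: the all-users folder plus every profile's per-user folder.
$StartupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$StartupDirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($Dir in $StartupDirs) {
    Get-ChildItem -Path $Dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $Findings += [pscustomobject]@{ Type = 'StartupFolder'; Location = $_.FullName; Detail = $Hash }
        }
}

# 3. The dropped file. Hash it before asserting it is the same sample as the one analyzed.
if (Test-Path -LiteralPath $SamplePath) {
    $Hash  = (Get-FileHash -LiteralPath $SamplePath -Algorithm SHA256).Hash
    $Match = if ($Hash -ieq $KnownSha256) { 'MATCHES reported sample' } else { 'hash differs from reported sample' }
    $Findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $SamplePath; Detail = "$Hash ($Match)" }
}

# 4. Live C2 sessions and the process that owns them (expect wscript.exe for a running WSH script).
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $Findings += [pscustomobject]@{
        Type     = 'C2Connection'
        Location = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
        Detail   = "PID $($_.OwningProcess) $($Proc.ProcessName)"
    }
}

# Assumption: evidence is written to %TEMP%; adjust to your case folder.
$Findings | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:TEMP\soc189_triage.csv" -NoTypeInformation
```

Collect the CSV before removing anything, since the Run-key value and the Startup-folder hash are the evidence that ties the persistence to the sample; the hash comparison in step 3 guards against treating a renamed or re-dropped file as the already-analyzed one.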
🔬 Analysis Reports
🧪 Triage Sandbox → https://tria.ge/240924-t3whrstbjn/behavioral2
🔍 Threat.rip → https://www.threat.rip/file/1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196
🦠 VirusTotal → https://www.virustotal.com/gui/file/1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196/detection