F-Secure DeepGuard alarm and wscript.exe

OGrelck · 2020-12-09T10:16:16+00:00

There was an error rendering this rich post.

Greetings,

we got a F-Secure DeepGuard alarm today.

The User told me he download a zip file with Google Chrome,

in which should be a word document.

He said he deleted the zip file an did not open

it. Attached some screenshots from F-Secure.

The question is, is it true that he did not open it?

Can F-Secure detect it without running something

or did the user run the file inside the zip? Was

the wscript.exe called by this or did F-Secure only

detect, that inside the zip there is something which wants

to call wscript.exe?

Is it possible that Chrome can run wscript.exe or a JavaScript JS file

that is calling wscript?

Best Regards

Ole

Find more posts tagged with

Hi Ole

Just to confirm - this is not a product nor detection issue, correct ?

Hi,

i could reconstruct the problem.

I used the Chrome DownloadMetadate file to find the downloaded zip.

I downloaded the file in a safe environement and decompressed it.

Inside there was a obfusicated js file, which calls wscript to load

a file from the internet and runs it.

The user has open the zip and clicked the js :-(

Ole

Hi Jamesch,

we don't have a sample, the download is already deleted

Is it possible to get informations from log files,

which file called wscript or wasn't it called only

a file was detected which.

Ole

Hi Ole

Regarding this case, I suggest to submit a case and sample to our detection team