QuickSilverST250

Members
  • Posts

    45
  • Joined

  • Last visited

About QuickSilverST250

  • Rank
    Newbie

Profile Information

  • Location
    South Africa

  1. Hi, when doing testing there are no exclusions made for testing. We will be doing a new test with the latest samples, so if anything interesting happens I will let you guys know.
  2. I have asked for this as well. We use our main MDM for this; we manually update on ESET, but it is a pain.
  3. Interesting, thank you for that. Yes, it does seem to spawn another child process. The account used is a local admin account with UAC enabled; I don't run the script with additional admin privileges, but the account does have main permissions. Maybe this is a new version with a different hash, and maybe the sig was useless and evaded the other layers of protection, as it was eventually blocked via signatures although it took long for this to be stopped. Do you think I should restore to an older sig database and disconnect the machine, so it has no access to LiveGrid, and test again?
  4. Yes, I always make sure; it's Win 11 23H2 that I use on all tests. I think I did not do the optional updates, but the rest are done.
  5. Yes, sure, noted. The Malwarebytes on the machine is the free version, so no real-time protection was on, but I understand that maybe the drivers running could cause issues. I will remove it for the tests going forward.
  6. Wondering the same thing, but it seems in auto mode HIPS is active, as I did see some HIPS alerts during testing etc. Also, if you look on the endpoint and in the HIPS logs you can see entries in there, but it would be nice to know if there are ESET-approved settings for additional protection.
  7. As I mentioned, there is no point in doing the test as ESET is now detecting the sample and it is not getting infected anymore. I will do as suggested with our next test; once we have an infection I will provide feedback, but for now there is no point with said sample. I will download new samples and test, and if there are encryption problems I will let you know.
  8. Just before ESET detected the sample, I had 2 VMs running at the same time. The VM on the left had ESET Advanced and the one on the right ESET Advanced with Inspect. I suspected the sample 007... as mentioned and then copied it to the first VM, ran it, and almost immediately the files in the eek folder got encrypted. I then started to set up the VM on the right for log collection, which maybe took about 3 min for me to do; once I copied the sample over and wanted to run it, it failed and I got the ESET notification of the malware being detected and stopped. I did also suspect maybe 005, but when I did the test on the VM on the left this confirmed it was the sample suspected, but it only encrypted the eek folder and did not spread as it did before, so it seems in that brief period, by doing the test again etc., it was detected.
  9. This is very odd. You have the video so you can see. I can't do the test again with this sample as it's being detected now, as mentioned above.
  10. Once the sample loaded the encryption started in the video
  11. Very odd, as that sample infected the machine once I ran it; as I remember, in my recordings I saw that sample kept running in memory and made the connection. Once I ran it, it infected but shortly after stopped and didn't infect the Outlook folder as in previous videos.
  12. Not sure, I will run the additional steps next time when running a new test. Will wait a bit for new samples and test.
  13. Can't remember. I ran the test on a normal ESET Advanced VM; the sample that infected it was 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe. It infected this VM about 30 min ago, as I wanted to find the sample responsible. Once I found it to be the one mentioned, I started the setup on the VM running Inspect; when I extracted only 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe and tried to run it, it was now blocked with the name Phobos, so it seems to be blocked now. The sample was from the date of 04/06. So this sample I ran kept infecting for over 13 days, hence why I said infection again.
  14. Tested it again and seems it's being stopped now. I will follow the extra settings for the next test. Will provide feedback soonest. Will try and do a test shortly
  15. Hi, thank you for replying. The logs are in the folder of the 15th. The video shows I started the log collection before executing the malware script. Here is the link in case you are looking at the wrong files: https://drive.google.com/drive/folders/1v1SOiCK5E4GOBWwg_SB-CW-kBOtkUld3?usp=sharing There is only 1 rule created in HIPS by me: