  • Most Valued Members
Posted
On 11/21/2019 at 10:18 AM, Marcos said:
This is interesting, to be honest; I'm wondering what the message behind this is.

Is it stupid because they can bypass easily?

Or is it stupid because they can't bypass easily?

Or are they simply sending challenge messages to malware analyzers?

  • Administrators
Posted

They wouldn't bother sending messages to lame analysts who would not be able to find the message at all :) Obviously it's because our detection and protection is hard or impossible to bypass.

  • Most Valued Members
Posted (edited)
9 minutes ago, Marcos said:

They wouldn't bother sending messages to lame analysts who would not be able to find the message at all :) Obviously it's because our detection and protection is hard or impossible to bypass.

This is great, but at the same time it will add more of a challenge to ESET, because they might try their best to break the defense/protection.

Edited by Rami
Posted

The malware code comment can be interpreted two ways.

The first is as commented upon in this thread: that is, the malware author has issues with bypassing Eset's protections. The second interpretation is the opposite: the malware author has no issues bypassing Eset.

Without clarification from the malware author, it is impossible to determine what he meant by the code comment.

Posted (edited)
1 hour ago, BALTAGY said:

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

Edited by itman
  • ESET Insiders
Posted
13 minutes ago, itman said:

Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100

Interesting that Eset doesn't detect it.

Yeah, sadly I can't download it to see if it will run while ESET is installed.

Posted
2 minutes ago, BALTAGY said:

Yeah, sadly I can't download it to see if it will run while ESET is installed.

It's definitely ransomware.

Posted

Note that to drop an .exe to C:\ in Win 10, you need full admin privileges.

So either a UAC bypass was deployed or user is tricked into manually elevating.
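The post above turns on two conditions: the dropper needs an elevated token to write into the root of C:\, and the only legitimate way for a standard session to get one is a visible UAC prompt. The following PowerShell audit is an added example, not code from the thread or from ESET; it reports whether the current session is elevated, lists the ACEs the Users group holds on C:\, and compares the UAC policy values against the "Always notify" configuration. The registry path and value meanings are the documented Windows security policy settings; the "expected" values are an assumption chosen for this audit.

```powershell
# Added example (not from the thread): audit the conditions discussed above.

function Test-SessionElevated {
    # True only if the current token carries the Administrators group as enabled.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UsersRightsOnSystemRoot {
    # Show what BUILTIN\Users may do in the root of the system drive.
    # On a default install this list contains no CreateFiles right, which is
    # why a dropper needs an elevated token to place an .exe there.
    $root = (Get-Item $env:SystemDrive\).FullName
    (Get-Acl -Path $root).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

function Test-UacPolicy {
    # Expected values correspond to the "Always notify" slider position (assumption for this audit).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac  = Get-ItemProperty -Path $path
    $expected = [ordered]@{
        EnableLUA                  = 1   # UAC is enabled at all
        ConsentPromptBehaviorAdmin = 2   # admins: prompt for consent on the secure desktop
        ConsentPromptBehaviorUser  = 1   # standard users: prompt for credentials on the secure desktop
        PromptOnSecureDesktop      = 1   # prompt is drawn on the secure desktop, not over the user's session
    }
    foreach ($name in $expected.Keys) {
        $actual = $uac.$name
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $expected[$name]
            Status   = if ($actual -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
        }
    }
}

"Session elevated: $(Test-SessionElevated)"
Get-UsersRightsOnSystemRoot | Format-Table -AutoSize
Test-UacPolicy | Format-Table -AutoSize
```

Run it from a non-elevated PowerShell window first: "Session elevated" should be False, and every UAC row marked REVIEW is a setting where a silent elevation or a spoofable prompt becomes easier than the post assumes.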

  • Most Valued Members
Posted
13 hours ago, itman said:

Note that to drop an .exe to C:\ in Win 10, you need full admin privileges.

So either a UAC bypass was deployed or user is tricked into manually elevating.

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scenes? Could that be used for the ransomware?

Posted
4 hours ago, Rami said:

What about PowerShell scripts that elevate admin privileges without Windows/AV understanding what is happening behind the scenes? Could that be used for the ransomware?

Actually these use a Windows "living off the land" trusted executable to perform hidden privilege escalation.

This ransomware variant to date has been delivered via e-mail archived attachment. So macro use is a definite possibility. As far as I am concerned, anyone that has not by now permanently disabled Office macros deserves to get nailed by malware.
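Since the advice above is to disable Office macros permanently, the following PowerShell script is an added example (not code from the thread or from ESET) that reports the per-application macro policy and, with -Enforce, sets it to "disable all macros without notification" plus the block on macros in files downloaded from the Internet. The registry paths and value meanings are the documented Office policy settings under HKCU\Software\Policies; the "16.0" version key is an assumption for this script and covers Office 2016/2019/Microsoft 365, and only Word, Excel and PowerPoint are handled because they share the same value names.

```powershell
# Added example (not from the thread): audit or enforce the Office macro policy.

function Test-OfficeMacroPolicy {
    param(
        [switch]$Enforce,
        [string]$Version = '16.0'   # assumption: Office 2016/2019/365 policy key
    )
    $apps = 'Word', 'Excel', 'PowerPoint'
    # Documented meanings of the VBAWarnings policy value.
    $meaning = @{
        1 = 'Enable all macros'
        2 = 'Disable with notification (user can click Enable)'
        3 = 'Disable all except digitally signed'
        4 = 'Disable all without notification'
    }

    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if ($Enforce) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
            # 1 = block macros in files that carry the Mark of the Web (downloads, mail attachments)
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba   = $props.VBAWarnings
        $motw  = $props.blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application      = $app
            VBAWarnings      = $vba
            Meaning          = if ($null -eq $vba) { 'Not set by policy (Trust Center default applies)' } else { $meaning[[int]$vba] }
            BlockInternetMacros = if ($motw -eq 1) { 'Yes' } else { 'No / not set' }
            Hardened         = ($vba -eq 4 -and $motw -eq 1)
        }
    }
}

# Report only; add -Enforce to write the policy for the current user.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

The audit writes nothing unless -Enforce is given. A "Hardened = False" row means a macro in a document from that application can still reach the "Enable Content" button, which is exactly the path the archived e-mail attachment in this thread would need.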

Posted (edited)

I gave up running MSOffice, primarily because of 'clicktorun'. It just rubbed me up the wrong way but have never enabled macros.

The small things... Outlook no longer marks emails as read if they are selected after a time. That option has been removed.

I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc and not also .odf.

Edited by Hpoonis
  • Most Valued Members
Posted
23 hours ago, Hpoonis said:

I gave up running MSOffice, primarily because of 'clicktorun'. It just rubbed me up the wrong way but have never enabled macros.

The small things... Outlook no longer marks emails as read if they are selected after a time. That option has been removed.

I decided to stick with LibreOffice. I am just a bit miffed that most organisations with any web presence will only accept doc(x), xls(x), etc and not also .odf.

I also stick with LibreOffice, but the trouble is when you have someone who only wants Microsoft Office. I have also disabled macros in Office, so it is a little bit safer.
