General

  • Target

    3514cc7af9d189a8a761a333f91e16f0_NeikiAnalytics

  • Size

    2.0MB

  • Sample

    240511-y58ckaad89

  • MD5

    3514cc7af9d189a8a761a333f91e16f0

  • SHA1

    6d819dd055371ec08009de85a050a70318cdce1c

  • SHA256

    9a9591b1e5b71f69487cbf05d772f9f007ee257a534e2e6952f93e8410bd540c

  • SHA512

    17d9b71e3ed6484dd3de451248027af8aa48e6224d62a0ca1a7cb5cb4520d8d2aa9c3704c7a8fc9d18083ebb6258465a8b3037575edb657e921c74fee23f19f9

  • SSDEEP

    24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application
