General

  • Target

    631fea5b70f36d2e036a357f765d9cb0_NeikiAnalytics

  • Size

    3.2MB

  • Sample

    240512-dxs8fseb3s

  • MD5

    631fea5b70f36d2e036a357f765d9cb0

  • SHA1

    e923c65e5ce7a4a0935be6236221d01c08d09720

  • SHA256

    a74bf698fe22e6c1ca0b50814923f698a8a1dbd70ff7c482b3b28d02f91e22e8

  • SHA512

    fd3968be135f25307c0bac8be3ae5818fdd85fe2c6e9533b174140b493b0404c2204e387e3526f4886931840b70bcd5744f856f41cdcf32abcf35eb37402d1c9

  • SSDEEP

    98304:WsmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:WQNBY2S99xl

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15