General

  • Target

    187f3a1d27a0f173765cbaaf08ae8770_NeikiAnalytics

  • Size

    3.2MB

  • Sample

    240512-q6xcpahc8s

  • MD5

    187f3a1d27a0f173765cbaaf08ae8770

  • SHA1

    192ec8c82c1a51a6ae48ec30d1e6c0876d450b2e

  • SHA256

    380df9424ebd676bf4774865133d691da1e50a00a38347c04767e4d3d9f451b4

  • SHA512

    5c579f1cc8d239b60464139c08066d41183734fdbbb2b1552c88e879e94fed47ac01ac3c200587439dc2bdc68b520632cb3fbefef9bd5e6f80d5e0be229749c0

  • SSDEEP

    49152:nC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:nC0Fl8v/qXYrv5tG9uKJGAWl5N

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled
