General

  • Target

    b9df02adac0846621482835cb8367aa0_NeikiAnalytics

  • Size

    3.2MB

  • Sample

    240513-qlhc2aha47

  • MD5

    b9df02adac0846621482835cb8367aa0

  • SHA1

    3fdce171a8de3b8018c5779b27bd95cc837faffd

  • SHA256

    60f7d9f75d3f8cb8716ed9f1f9b77456c11d91e4f9f25c0f4eceaaf703dd12ac

  • SHA512

    eb7d8c5529e97210a2b47858c391ae1052335a67599da48b46391f89cd6a73248ecab8fbe92b83f97950af10cf4165ad4d66b66bfd5b746f266c1e0fb2cc5457

  • SSDEEP

    49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Targets

    • Target

      b9df02adac0846621482835cb8367aa0_NeikiAnalytics

    • Size

      3.2MB

    • MD5

      b9df02adac0846621482835cb8367aa0

    • SHA1

      3fdce171a8de3b8018c5779b27bd95cc837faffd

    • SHA256

      60f7d9f75d3f8cb8716ed9f1f9b77456c11d91e4f9f25c0f4eceaaf703dd12ac

    • SHA512

      eb7d8c5529e97210a2b47858c391ae1052335a67599da48b46391f89cd6a73248ecab8fbe92b83f97950af10cf4165ad4d66b66bfd5b746f266c1e0fb2cc5457

    • SSDEEP

      49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks