General

  • Target

    00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics

  • Size

    3.2MB

  • Sample

    240513-xga7gsac85

  • MD5

    00195dc23ea8cc5cb728c411f684ff40

  • SHA1

    604a8ca144781805d4ea73de01caee8ba98c176d

  • SHA256

    5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1

  • SHA512

    218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd

  • SSDEEP

    98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled
