General

  • Target

    734f4ee215cafb87214221d572d5c660_NeikiAnalytics

  • Size

    1.0MB

  • Sample

    240514-eq2fxsac3s

  • MD5

    734f4ee215cafb87214221d572d5c660

  • SHA1

    36b2b6ceae28a15c765dc28c19a6cebfe39866d5

  • SHA256

    6637617b15474b43846983ba5fec458473677fd52408d6f09eaf557a8daa9d5a

  • SHA512

    2070b0a7163280a48590955a8063869bbf521048163fe5e993283a06d92b25e7ca6b33782db1cd89f7631c21b646956cf42622e5945c6ba67f1f6ff962604a21

  • SSDEEP

    12288:zXDkXlsYZVs6NanExuLCEHFT5J90YJqNn4qiXY+ii94vX1lnXMquJTloyf5II2xO:zzysYZV+Ec1OZ4XY+iLNXuJxXb

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE
