General

  • Target

    990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics

  • Size

    2.9MB

  • Sample

    240514-hlwxeseb7z

  • MD5

    990d69ce8a7a58fa44a5071429041ff0

  • SHA1

    0f2603214e0b81c26a094b7e5fe76b7fa40be4b1

  • SHA256

    15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce

  • SHA512

    6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc

  • SSDEEP

    49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Targets

    • Target

      990d69ce8a7a58fa44a5071429041ff0_NeikiAnalytics

    • Size

      2.9MB

    • MD5

      990d69ce8a7a58fa44a5071429041ff0

    • SHA1

      0f2603214e0b81c26a094b7e5fe76b7fa40be4b1

    • SHA256

      15da106135fb0203f99b4cea15f31623008d8d81faf4648b494b2b53a2ee85ce

    • SHA512

      6197dbd8e964fcc41df771b3defc6e0e2186c93d275bbd9fcc9745298cf3d3631fbfcd21058c2257a8d80f7fe258bcd33d5dbbe23d6b66702297aeeb2edb00dc

    • SSDEEP

      49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks