General

  • Target

    77177c57df58a82f289add0cf57ea320_NeikiAnalytics

  • Size

    2.9MB

  • Sample

    240515-ekwngsgb8y

  • MD5

    77177c57df58a82f289add0cf57ea320

  • SHA1

    38c0414cb96be176cdf3b965b870bdf5de04f4a4

  • SHA256

    6f250581eae818938c64c4afa3446c7c36dfadda1d8b8ba20870ad0e05c7fe50

  • SHA512

    67161531bc39774e219b77de3166c3216ff962ca81af0982a44a502bd25d333aa742f8fca8e5720d91b4e69ddd6c829a0e014b94f7af89d1ceb601691dd2c9b6

  • SSDEEP

    49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Targets

    • Target

      77177c57df58a82f289add0cf57ea320_NeikiAnalytics

    • Size

      2.9MB

    • MD5

      77177c57df58a82f289add0cf57ea320

    • SHA1

      38c0414cb96be176cdf3b965b870bdf5de04f4a4

    • SHA256

      6f250581eae818938c64c4afa3446c7c36dfadda1d8b8ba20870ad0e05c7fe50

    • SHA512

      67161531bc39774e219b77de3166c3216ff962ca81af0982a44a502bd25d333aa742f8fca8e5720d91b4e69ddd6c829a0e014b94f7af89d1ceb601691dd2c9b6

    • SSDEEP

      49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks