General

  • Target

    a76c3992f0ce41945386691b991de4f0_NeikiAnalytics

  • Size

    2.9MB

  • Sample

    240515-jnl1nsfg9x

  • MD5

    a76c3992f0ce41945386691b991de4f0

  • SHA1

    694416f5f2cc6579af87f08175b52f9039930972

  • SHA256

    92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023

  • SHA512

    6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

  • SSDEEP

    49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Targets

    • Target

      a76c3992f0ce41945386691b991de4f0_NeikiAnalytics

    • Size

      2.9MB

    • MD5

      a76c3992f0ce41945386691b991de4f0

    • SHA1

      694416f5f2cc6579af87f08175b52f9039930972

    • SHA256

      92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023

    • SHA512

      6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870

    • SSDEEP

      49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks