General

  • Target

    d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics

  • Size

    2.7MB

  • Sample

    240515-pq62hshg36

  • MD5

    d22711d7b799dc3db2c419f2fd5f9430

  • SHA1

    4ffaadc81a24afaad091adb758bc41361b9c6197

  • SHA256

    ac642f44dade714a85fb5d214db6250cab8e0934058dda42e9c369dabba97c71

  • SHA512

    331f3b6fc9155592062c06be8fabf595ea24dbc2af5af490e91b59dd6799b6c19badfa579867801c47502b9aea2cb0526e3b75fa4d063e64366e06c2e62ed1ee

  • SSDEEP

    49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks