General

  • Target

    d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics

  • Size

    3.2MB

  • Sample

    240515-rwbtnsdh22

  • MD5

    d67c083b7f55c40deae2ac79549d0a70

  • SHA1

    c47be45497fe044d732a847a21b7b2be0172c8c5

  • SHA256

    ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357

  • SHA512

    2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d

  • SSDEEP

    49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Targets

    • Target

      d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics

    • Size

      3.2MB

    • MD5

      d67c083b7f55c40deae2ac79549d0a70

    • SHA1

      c47be45497fe044d732a847a21b7b2be0172c8c5

    • SHA256

      ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357

    • SHA512

      2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d

    • SSDEEP

      49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks