General
Target: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics
Size: 2.9MB
Sample: 240516-k8hpeseb29
MD5: d22bc2c281eda0bd630673443da3d2f0
SHA1: 31f11ef93b4a2d28a6445090128e37c32a58661c
SHA256: 38f4b04c7fe1ce4d8ce9e43eb0df87bdb03c0f3b432daa8670be4750bab542b6
SHA512: 76c82f89813b8e2e40a90b2347a971599a5afbf7a0484c99b74a3ddcb3cdeb330b94b9efbb111159603a17f64f8621ecbffa90c1c0c8c4fded469e0575044538
SSDEEP: 49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Behavioral task: behavioral1
Sample: d22bc2c281eda0bd630673443da3d2f0_NeikiAnalytics.exe
Resource: win7-20240419-en
Malware Config
Targets
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1