General

  • Target

    6ec473c3f722f7e420afa264c7f36dd0_NeikiAnalytics.exe

  • Size

    1.0MB

  • Sample

    240517-a722kahg3y

  • MD5

    6ec473c3f722f7e420afa264c7f36dd0

  • SHA1

    4ceef640edae4a39327ffbb8e99095dbd92d7f41

  • SHA256

    85401422cc1a1d60b56b070580c4a09e7bb5ea132f0cd4def90da2e3b1092441

  • SHA512

    ac02d3e5077f7f092c8afae170a779fabe61278c2cc4293feabc623fdca01075c897fc064a2c74e29c241c1cf78b9dfc15a06a88c09013fc05226ec279207bc5

  • SSDEEP

    12288:/ubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:g9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ

Malware Config

Targets

    • Target

      6ec473c3f722f7e420afa264c7f36dd0_NeikiAnalytics.exe

    • Size

      1.0MB

    • MD5

      6ec473c3f722f7e420afa264c7f36dd0

    • SHA1

      4ceef640edae4a39327ffbb8e99095dbd92d7f41

    • SHA256

      85401422cc1a1d60b56b070580c4a09e7bb5ea132f0cd4def90da2e3b1092441

    • SHA512

      ac02d3e5077f7f092c8afae170a779fabe61278c2cc4293feabc623fdca01075c897fc064a2c74e29c241c1cf78b9dfc15a06a88c09013fc05226ec279207bc5

    • SSDEEP

      12288:/ubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:g9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Drops file in System32 directory
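    The Defender-exclusion behaviour flagged above is the first thing to verify on any host that executed this sample, because an exclusion survives the process that created it. The following PowerShell is an added example and is not part of the sandbox report or of the sample: it dumps the exclusions currently configured through Get-MpPreference and then searches PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which assumes script block logging is enabled) for Add-MpPreference or Set-MpPreference invocations that add exclusions. The regular expression and the output shape are this example's own choices.

```powershell
# Added example (not from the report): audit Windows Defender exclusions and hunt
# for the PowerShell commands that created them. Run from an elevated session.

# 1. Current exclusion state. A clean workstation normally has all three empty.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionExtension = $pref.ExclusionExtension
    ExclusionProcess   = $pref.ExclusionProcess
} | Format-List

# 2. Who added them. Event 4104 carries the executed script block text in
#    Properties[2]; it only exists if script block logging is enabled
#    (HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,
#    EnableScriptBlockLogging = 1). The pattern below is an assumption about
#    what the malware's command looks like, not a signature from the report.
$pattern = '(Add|Set)-MpPreference\s+[^\r\n]*-Exclusion(Path|Extension|Process)'

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    Select-Object TimeCreated,
                  @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-Table -Wrap -AutoSize

# 3. Remediation once the entries are confirmed malicious (uncomment to apply):
# Remove-MpPreference -ExclusionPath      $pref.ExclusionPath
# Remove-MpPreference -ExclusionExtension $pref.ExclusionExtension
# Remove-MpPreference -ExclusionProcess   $pref.ExclusionProcess
```

    If script block logging was off when the sample ran, step 2 returns nothing; in that case fall back to Defender's own operational log (Microsoft-Windows-Windows Defender/Operational, Event ID 5007 records configuration changes including new exclusions) rather than concluding no exclusion was added.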

MITRE ATT&CK Enterprise v15

Tasks