General

  • Target

    5b6f02c5bb34856edef5cdc9221fd240_NeikiAnalytics.exe

  • Size

    1.1MB

  • Sample

    240522-3tlfwadf8s

  • MD5

    5b6f02c5bb34856edef5cdc9221fd240

  • SHA1

    79c9d4b9c9268791bc9b6d3d57abd1fbeffae70a

  • SHA256

    5c9d5959167f2a880e8ccca4b2922db8e59997a6d7ac86e37b94fe89bb14bcca

  • SHA512

    30690107120881f8aa12a6d0518f56cde74d1c44e9c726a0e66c6503263aa3f9f208bf59a51b2126ca8a23c0919b9dbef4cb1c9046a752e96d0805beaa70ee31

  • SSDEEP

    12288:sl+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:xyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Malware Config

Targets

    • Target

      5b6f02c5bb34856edef5cdc9221fd240_NeikiAnalytics.exe

    • Size

      1.1MB

    • MD5

      5b6f02c5bb34856edef5cdc9221fd240

    • SHA1

      79c9d4b9c9268791bc9b6d3d57abd1fbeffae70a

    • SHA256

      5c9d5959167f2a880e8ccca4b2922db8e59997a6d7ac86e37b94fe89bb14bcca

    • SHA512

      30690107120881f8aa12a6d0518f56cde74d1c44e9c726a0e66c6503263aa3f9f208bf59a51b2126ca8a23c0919b9dbef4cb1c9046a752e96d0805beaa70ee31

    • SSDEEP

      12288:sl+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:xyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Tasks