General
Target: 6d9aa7474b63d3b5578e49ec446c7320_NeikiAnalytics.exe
Size: 3.2MB
Sample: 240523-bwr8nagf5v
MD5: 6d9aa7474b63d3b5578e49ec446c7320
SHA1: 7657faba319d0f3905fdc2867603be5fa6b28906
SHA256: da09906b20ba58d92542403a7bde2845b81acb278986474f70f4b8fef0a9b7f8
SHA512: d7e1f5cd8fa2cbf3fa5b6f01c941b442af0b8cc476877c8547bba63c12f9f08d561833d1a5be32974c4aa050f07884bdcf65fc3a4442dce8fc05e0cf6720448c
SSDEEP: 98304:msmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:mQNBY2S99xl
Behavioral task
Task: behavioral1
Sample: 6d9aa7474b63d3b5578e49ec446c7320_NeikiAnalytics.exe
Resource: win7-20240221-en
Malware Config
Targets
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1