General

  • Target

    6d9aa7474b63d3b5578e49ec446c7320_NeikiAnalytics.exe

  • Size

    3.2MB

  • Sample

    240523-bwr8nagf5v

  • MD5

    6d9aa7474b63d3b5578e49ec446c7320

  • SHA1

    7657faba319d0f3905fdc2867603be5fa6b28906

  • SHA256

    da09906b20ba58d92542403a7bde2845b81acb278986474f70f4b8fef0a9b7f8

  • SHA512

    d7e1f5cd8fa2cbf3fa5b6f01c941b442af0b8cc476877c8547bba63c12f9f08d561833d1a5be32974c4aa050f07884bdcf65fc3a4442dce8fc05e0cf6720448c

  • SSDEEP

    98304:msmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:mQNBY2S99xl

Malware Config

Targets

    • Target

      6d9aa7474b63d3b5578e49ec446c7320_NeikiAnalytics.exe

    • Size

      3.2MB

    • MD5

      6d9aa7474b63d3b5578e49ec446c7320

    • SHA1

      7657faba319d0f3905fdc2867603be5fa6b28906

    • SHA256

      da09906b20ba58d92542403a7bde2845b81acb278986474f70f4b8fef0a9b7f8

    • SHA512

      d7e1f5cd8fa2cbf3fa5b6f01c941b442af0b8cc476877c8547bba63c12f9f08d561833d1a5be32974c4aa050f07884bdcf65fc3a4442dce8fc05e0cf6720448c

    • SSDEEP

      98304:msmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:mQNBY2S99xl

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks