General

  • Target

    a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

  • Size

    1.7MB

  • Sample

    240523-fq2x5aef7w

  • MD5

    a043d8deaf4cb618bcd1973d06c8c670

  • SHA1

    9f0644411da819485df9bc1f0e23eb6b65ea15af

  • SHA256

    e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d

  • SHA512

    2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843

  • SSDEEP

    49152:397qdNJl6WBNgk7OM+l8eW7ILtQmgMvp:39QCkiM+KILGXa

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1

  • Bypass User Account Control (T1548.002): 1

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1

  • Bypass User Account Control (T1548.002): 1

  • Impair Defenses (T1562): 1

  • Disable or Modify Tools (T1562.001): 1

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

Tasks