General

  • Target

    84b5741cb98803cb79053b9426563c20NeikiAnalytics.exe

  • Size

    2.7MB

  • Sample

    240531-3ppmqshh6t

  • MD5

    84b5741cb98803cb79053b9426563c20

  • SHA1

    e8b4b9ed72ced569176e41f3d1cb1cb1a83d9557

  • SHA256

    5033e015e49219f8872cc921cd6930cb199b698e8f53a210c706123bccdcc4d5

  • SHA512

    772ae5a34858032e95e51175e753895760d8a6af8e24966afc3ecfd5640efba91a032d145099bb0b1b544e056a0f9b27eefdb1299a5874f5395cb6fc2a57add2

  • SSDEEP

    49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks