General

  • Target

    86d014b6c68a6eb6e5920be0dd328930NeikiAnalytics.exe

  • Size

    952KB

  • Sample

    240601-a45naacd48

  • MD5

    86d014b6c68a6eb6e5920be0dd328930

  • SHA1

    33cc3802fc9f1f7ca800e1e69990c7e8b116bbf0

  • SHA256

    2cc23ed7e6c654cda7131a13da2f6f9c07fa29f3bcfb416769c204d29e5f17ee

  • SHA512

    6f7fa5960914aef3f85d203ea9312e81459bdedb21efa6eaf980ac44400dd6957629b4f5a7693bd06de5642507b176ac42717c7125ecdcdd00509ca5e9e8c3c0

  • SSDEEP

    24576:e+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:Z8/KfRTK

Malware Config

Targets

    • Target

      86d014b6c68a6eb6e5920be0dd328930NeikiAnalytics.exe

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks