General

  • Target

    1b1fd567e4973e0c36be88aaf8613c4ac4f4137b8e1c4413b26a252b061265d9_NeikiAnalytics.exe

  • Size

    6.2MB

  • Sample

    240623-23se4sxalg

  • MD5

    a38dd1578d19d14ea367565479df8a10

  • SHA1

    c6da3b5640e92cf1204621b681a8e373a6ee3d85

  • SHA256

    1b1fd567e4973e0c36be88aaf8613c4ac4f4137b8e1c4413b26a252b061265d9

  • SHA512

    224ef857bdff71610215a8bbd626ec67924c27202f678f5ae780ef21327c3bad98b0946a94cb7839040f3e5ab35b69d56512c002d8fca82858947ff3066a46ca

  • SSDEEP

    196608:FFmHVVbrzB5LrnScgbs/czr2wOc8vU1vACjSVo3LeuxM:FWfLrnScgbs/6r2wU4Y03Leux

Malware Config

Targets

    • Target

      1b1fd567e4973e0c36be88aaf8613c4ac4f4137b8e1c4413b26a252b061265d9_NeikiAnalytics.exe

    • Size

      6.2MB

    • MD5

      a38dd1578d19d14ea367565479df8a10

    • SHA1

      c6da3b5640e92cf1204621b681a8e373a6ee3d85

    • SHA256

      1b1fd567e4973e0c36be88aaf8613c4ac4f4137b8e1c4413b26a252b061265d9

    • SHA512

      224ef857bdff71610215a8bbd626ec67924c27202f678f5ae780ef21327c3bad98b0946a94cb7839040f3e5ab35b69d56512c002d8fca82858947ff3066a46ca

    • SSDEEP

      196608:FFmHVVbrzB5LrnScgbs/czr2wOc8vU1vACjSVo3LeuxM:FWfLrnScgbs/6r2wU4Y03Leux

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks