09fdd3dcea584980d0b5cab59340e4a0_NEIKI

Sharing

Copy URL Twitter E-mail

General

Target

09fdd3dcea584980d0b5cab59340e4a0_NEIKI
Size

568KB
MD5

09fdd3dcea584980d0b5cab59340e4a0
SHA1

64e12973b074f1e081dcff2e5c96047b6960f349
SHA256

099324962daafdc3fa48db10ad532d4fc9971edf3ca23f6d7d69ad18c24dac15
SHA512

563fea45499b1c8dba17e59f363c58137c6a4203891010c8b143f2de549d078bc5d3302126c2d1b24892a3a273fa740db09a3ddfd4850b9dcb89cd3842134846
SSDEEP

6144:h9rnho3kI3SXnnoQPlP3aROIRNxBcyFEI1+FcjeyUcApGzm:HhykI3XQPkOIRNxbFEI1MFcAM

Score

1^/10

Malware Config

Signatures

Files

09fdd3dcea584980d0b5cab59340e4a0_NEIKI
.exe windows:6 windows x64 arch:x64

1712a690a09702451a6dd60d7e1cfb10

Code Sign

33:00:00:04:25:35:21:6f:36:08:7c:eb:06:00:00:00:00:04:25
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e6:eb:9f:84:41:76:35:18:64:35:93:88:53:28:b5:ae:98:af:a4:34:2a:da:7b:46:f5:2e:91:b0:10:dd:00:19
Signer

Actual PE Digest

e6:eb:9f:84:41:76:35:18:64:35:93:88:53:28:b5:ae:98:af:a4:34:2a:da:7b:46:f5:2e:91:b0:10:dd:00:19

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\dbs\sh\odct\0417_205450_0\client\onedrive\Product\Nucleus\Win\Exe\obj\amd64\Microsoft.SharePoint.pdb

Imports

kernel32

ReadFile
RemoveDirectoryW
SetFileAttributesW
SetFileInformationByHandle
SetFilePointer
GetCompressedFileSizeW
FindFirstFileNameW
IsDebuggerPresent
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
DeviceIoControl
GetProcessTimes
GetExitCodeProcess
SetProcessShutdownParameters
GetSystemTimes
IsWow64Process
LoadLibraryExW
ReadDirectoryChangesW
CreateSymbolicLinkW
CompareStringOrdinal
GetFileType
CreateToolhelp32Snapshot
GetFileSize
Process32NextW
GetPrivateProfileStringW
WritePrivateProfileStringW
CopyFileW
MoveFileExW
ReplaceFileW
GetComputerNameW
RegisterApplicationRestart
GetFileInformationByHandleEx
OpenFileById
GetModuleHandleW
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
RtlCaptureContext
GetFinalPathNameByHandleW
GetUserGeoID
GetFileSizeEx
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetFileInformationByHandle
GetFileAttributesExW
GetFileAttributesW
GetDiskFreeSpaceExW
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
CreateFileW
CreateDirectoryW
ExpandEnvironmentStringsW
GetEnvironmentVariableW
GetCommandLineW
WaitForMultipleObjects
Sleep
CreateEventW
ReleaseMutex
GetLongPathNameW
SetLastError
VerifyVersionInfoW
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
K32GetModuleFileNameExW
MoveFileW
LocalAlloc
GetModuleFileNameW
GetVersionExW
GetSystemTimeAsFileTime
GetSystemTime
OpenProcess
CreateProcessW
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
CreateMutexW
WaitForSingleObject
GetProcessHeap
HeapFree
HeapAlloc
CloseHandle
FindFirstFileW
FindClose
DeleteFileW
FreeLibrary
GetProcAddress
LoadLibraryW
SetDllDirectoryW
LocalFree
DeleteCriticalSection
GetLastError
Process32FirstW
InitializeCriticalSectionEx
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
InitializeSListHead
InterlockedPushEntrySList

user32

ShowWindow
SendMessageTimeoutW
SystemParametersInfoW
GetWindowThreadProcessId
GetClassNameW
EnumWindows
PostMessageW
DestroyWindow
TranslateMessage
GetMessageW
CreateWindowExW
DispatchMessageW
RegisterClassW

advapi32

CreateProcessWithTokenW
GetUserNameW
SetFileSecurityW
ConvertSidToStringSidW
SetNamedSecurityInfoW
GetNamedSecurityInfoW
SetEntriesInAclW
StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
QueryServiceStatusEx
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegDeleteTreeW
RegUnLoadKeyW
RegLoadKeyW
RegEnumKeyW
RegDeleteKeyExW
RegCreateKeyTransactedW
GetAclInformation
FreeSid
DuplicateTokenEx
CreateWellKnownSid
AllocateAndInitializeSid
CreateProcessAsUserW
ConvertStringSecurityDescriptorToSecurityDescriptorW
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
RegGetValueW
RegSetKeyValueW
RegSetValueExW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
RegCreateKeyExW
RegCloseKey
LookupPrivilegeValueW
GetTokenInformation
AdjustTokenPrivileges
OpenProcessToken

shell32

SHGetSpecialFolderPathW
SHFileOperationW
CommandLineToArgvW
SHChangeNotify
SHGetKnownFolderPath
ord526
SHSetKnownFolderPath
SHGetFolderPathAndSubDirW
SHGetFolderPathW
SHCreateDirectoryExW
SHCreateItemFromParsingName
ShellExecuteExW
SHParseDisplayName

ole32

GetRunningObjectTable
CreateItemMoniker
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoCreateGuid
CreateBindCtx
CoTaskMemFree
CoCreateFreeThreadedMarshaler
StringFromGUID2
StringFromCLSID
CoInitializeEx

oleaut32

SetErrorInfo
SysStringLen
GetErrorInfo
LoadTypeLi
LoadRegTypeLi
GetRecordInfoFromTypeInfo
SysFreeString
SysAllocString
SysStringByteLen
SysAllocStringByteLen

crypt32

CryptStringToBinaryW
CryptBinaryToStringW

rpcrt4

RpcBindingFree
RpcBindingFromStringBindingW
RpcBindingVectorFree
RpcStringBindingComposeW
RpcStringFreeW
RpcServerInqBindings
RpcServerRegisterIfEx
RpcServerUnregisterIf
RpcServerUseProtseqW
RpcBindingSetAuthInfoExW
RpcServerInqCallAttributesW
RpcEpUnregister
RpcEpRegisterW

secur32

GetUserNameExW

shlwapi

PathFileExistsW
SHGetValueW
PathIsPrefixW
SHRegGetValueW
SHCreateStreamOnFileW
SHRegGetBoolUSValueW
StrStrIW
PathRemoveFileSpecW
PathStripPathW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

wininet

InternetCheckConnectionW

wtsapi32

WTSEnumerateSessionsW
WTSQuerySessionInformationW
WTSFreeMemory
WTSQueryUserToken

msvcp140

?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@G@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_N@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?setf@ios_base@std@@QEAAHHH@Z
?setf@ios_base@std@@QEAAHH@Z
?toupper@?$ctype@_W@std@@QEBA_W_W@Z
?_Makeloc@_Locimp@locale@std@@CAPEAV123@AEBV_Locinfo@3@HPEAV123@PEBV23@@Z
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@_N@Z
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?_Getname@_Locinfo@std@@QEBAPEBDXZ
??0_Locinfo@std@@QEAA@HPEBD@Z
?_Xruntime_error@std@@YAXPEBD@Z
?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
??Bios_base@std@@QEBA_NXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?uncaught_exception@std@@YA_NXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ
??1_Locinfo@std@@QEAA@XZ
??Bid@locale@std@@QEAA_KXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z

userenv

GetDefaultUserProfileDirectoryW
CreateEnvironmentBlock

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
__std_exception_destroy
__C_specific_handler
__std_terminate
__std_exception_copy
wcsstr
wcschr
_CxxThrowException
memcpy
memmove
memset
_purecall
wcsrchr

api-ms-win-crt-heap-l1-1-0

free
malloc
_callnewh
_set_new_mode

api-ms-win-crt-runtime-l1-1-0

_c_exit
_exit
_errno
exit
_initterm_e
_initterm
_get_wide_winmain_command_line
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_invalid_parameter_noinfo_noreturn
_seh_filter_exe
_set_app_type
terminate
_configure_wide_argv
_initialize_wide_environment

api-ms-win-crt-convert-l1-1-0

wcstoll
wcstoul
_wtoi

api-ms-win-crt-string-l1-1-0

_wcsicmp
wcstok_s
_wcsnicmp
iswspace
_wcsdup
towlower
towupper
wcscmp

api-ms-win-crt-time-l1-1-0

strftime
_gmtime64_s
_localtime64_s
_time64

api-ms-win-crt-math-l1-1-0

ceilf
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-stdio-l1-1-0

_wfopen_s
__stdio_common_vswprintf
__p__commode
_set_fmode
fclose

Sections

.text
Size: 248KB - Virtual size: 247KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 105KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 177KB - Virtual size: 176KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1712a690a09702451a6dd60d7e1cfb10

Code Sign

33:00:00:04:25:35:21:6f:36:08:7c:eb:06:00:00:00:00:04:25Certificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

e6:eb:9f:84:41:76:35:18:64:35:93:88:53:28:b5:ae:98:af:a4:34:2a:da:7b:46:f5:2e:91:b0:10:dd:00:19Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

crypt32

rpcrt4

secur32

shlwapi

version

wininet

wtsapi32

msvcp140

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

Sections

.text Size: 248KB - Virtual size: 247KB

.rdata Size: 105KB - Virtual size: 104KB

.data Size: 12KB - Virtual size: 13KB

.pdata Size: 13KB - Virtual size: 12KB

.rsrc Size: 177KB - Virtual size: 176KB

.reloc Size: 3KB - Virtual size: 2KB

33:00:00:04:25:35:21:6f:36:08:7c:eb:06:00:00:00:00:04:25
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

e6:eb:9f:84:41:76:35:18:64:35:93:88:53:28:b5:ae:98:af:a4:34:2a:da:7b:46:f5:2e:91:b0:10:dd:00:19
Signer

.text
Size: 248KB - Virtual size: 247KB

.rdata
Size: 105KB - Virtual size: 104KB

.data
Size: 12KB - Virtual size: 13KB

.pdata
Size: 13KB - Virtual size: 12KB

.rsrc
Size: 177KB - Virtual size: 176KB

.reloc
Size: 3KB - Virtual size: 2KB