37a5ba568a4e592572d6f707a9ee4b90_NeikiAnalytics[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

37a5ba568a4e592572d6f707a9ee4b90_NeikiAnalytics.exe
Size

393KB
MD5

37a5ba568a4e592572d6f707a9ee4b90
SHA1

8c80b1a5dba035c9aba91a63894772fb9d6089f2
SHA256

f04b137611fd48d25dea4d6f2b6aca9b73bcbc000f98c5b9bb440eb0b48e1557
SHA512

b8a7364073682e8d09d4fc57992899b4fc266362b66f1f7efe9ec4597aa02f20041e52ff6d16dfee80f9f9a33200bc617f56b3b0cc174bb3a0c7281bb737d58e
SSDEEP

6144:hxItkhSHbbB/s2e9OMG4w2brszT5hwxiY6nfjgd812OhRbVPgcmAQ/XK5/1UwJgk:hxIthHJCor4w8sv5qxQEAnrO0grnlClB

Score

1^/10

Malware Config

Signatures

Files

37a5ba568a4e592572d6f707a9ee4b90_NeikiAnalytics.exe
.sys windows:6 windows x64 arch:x64

a1c6f8f0a7a4e9bb6d79c430c76cd734

Code Sign

1b:f4:49:bb:b2:f0:f1:9a:c8:cd:f2:be:b3:9a:b9:c2
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

29/08/2012, 00:00

Not After

29/08/2015, 23:59

Subject

CN=IQ Technology Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=IQ Technology Inc.,L=Xizhi Dist.,ST=New Taipei City,C=TW

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

b9:b7:91:f9:97:f9:94:53:fe:fc:23:d1:78:a8:0f:75:d3:43:be:e7
Signer

Actual PE Digest

b9:b7:91:f9:97:f9:94:53:fe:fc:23:d1:78:a8:0f:75:d3:43:be:e7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Imports

ntoskrnl.exe

KeBugCheckEx
ZwQueryKey
ZwEnumerateKey
ZwOpenFile
RtlAppendUnicodeStringToString
ExAllocatePoolWithTag
ZwOpenKey
RtlFreeAnsiString
ZwQueryValueKey
RtlUnicodeStringToAnsiString
RtlInitAnsiString
RtlQueryRegistryValues
_strlwr
ExFreePoolWithTag
DbgPrint
IoCreateDevice
MmIsAddressValid
RtlCopyUnicodeString
IoCreateSymbolicLink
IoGetCurrentProcess
ExAllocatePool
PsCreateSystemThread
IoDeleteDevice
PsSetLoadImageNotifyRoutine
IoRegisterShutdownNotification
ZwClose
ZwCreateFile
RtlInitUnicodeString
RtlAnsiStringToUnicodeString
ZwReadFile
KeInitializeEvent
KeDelayExecutionThread
RtlFreeUnicodeString
IofCompleteRequest
KeWaitForSingleObject
ZwDeleteFile
PsGetVersion
ZwWriteFile
ProbeForRead
IoDriverObjectType
PsTerminateSystemThread
ObfDereferenceObject
ObReferenceObjectByName
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
KeReleaseSpinLock
ExpInterlockedPopEntrySList
ExQueryDepthSList
KeAcquireSpinLockRaiseToDpc
PsGetProcessPeb
PsLookupProcessByProcessId
ZwMapViewOfSection
RtlInitString
RtlCompareString
PsGetCurrentProcessId
ZwCreateSection
ZwQueryInformationFile
ZwCreateKey
IoGetDeviceObjectPointer
ExSystemTimeToLocalTime
RtlTimeToTimeFields
RtlWriteRegistryValue
ZwDeleteKey
RtlDeleteRegistryValue
ZwSetInformationFile
KeSetEvent
IoBuildDeviceIoControlRequest
IoGetRelatedDeviceObject
IoFreeMdl
ObReferenceObjectByHandle
IoFreeIrp
MmProbeAndLockPages
IoAllocateIrp
IoAllocateMdl
IofCallDriver
SeCreateAccessState
IoGetFileObjectGenericMapping
ObCreateObject
MmGetSystemRoutineAddress
IoCreateFile
ZwOpenDirectoryObject
ObQueryNameString
IoFileObjectType
PsThreadType
RtlCompareUnicodeString
ZwQuerySymbolicLinkObject
RtlAppendUnicodeToString
PsSetCreateProcessNotifyRoutine
ZwOpenSymbolicLinkObject
ExInterlockedInsertTailList
PsSetCreateProcessNotifyRoutineEx
ExInterlockedRemoveHeadList
ZwOpenProcess
RtlCompareMemory
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
RtlMultiByteToUnicodeN
RtlUnicodeToMultiByteN
RtlAnsiCharToUnicodeChar
_wcslwr
IoStopTimer
IoUnregisterShutdownNotification
IoGetDeviceAttachmentBaseRef
PsRemoveLoadImageNotifyRoutine
_stricmp
ZwQueryObject
ZwDuplicateObject
NtOpenProcess
ZwOpenThread
KeUnstackDetachProcess
KeStackAttachProcess
ZwAllocateVirtualMemory
KeInitializeApc
KeInsertQueueApc
PsIsThreadTerminating
CmRegisterCallback
_wcsupr
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
KeClearEvent
KeRevertToUserAffinityThread
KeSetSystemAffinityThread
KeCancelTimer
KeNumberProcessors
__C_specific_handler
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

ndis.sys

NdisAdvanceNetBufferDataStart
NdisRetreatNetBufferDataStart
NdisGetDataBuffer

fwpkclnt.sys

FwpsConstructIpHeaderForTransportPacket0
FwpsInjectTransportReceiveAsync0
FwpsDereferenceNetBufferList0
FwpsAllocateCloneNetBufferList0
FwpsReferenceNetBufferList0
FwpsAcquireClassifyHandle0
FwpsReleaseClassifyHandle0
FwpsInjectTransportSendAsync1
FwpsCalloutUnregisterById0
FwpsQueryPacketInjectionState0
FwpmTransactionCommit0
FwpmCalloutAdd0
FwpmTransactionAbort0
FwpmEngineOpen0
FwpmFilterAdd0
FwpsCalloutRegister1
FwpmTransactionBegin0
FwpmEngineClose0
FwpsInjectionHandleDestroy0
FwpsInjectionHandleCreate0
FwpmBfeStateSubscribeChanges0
FwpsFreeCloneNetBufferList0
FwpsApplyModifiedLayerData0
FwpsAcquireWritableLayerDataPointer0
FwpsFlowAssociateContext0
FwpmSubLayerAdd0

hal

HalMakeBeep

Sections

.text
Size: - Virtual size: 142KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.dtt0
Size: - Virtual size: 267KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.dtt1
Size: 387KB - Virtual size: 386KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a1c6f8f0a7a4e9bb6d79c430c76cd734

Code Sign

1b:f4:49:bb:b2:f0:f1:9a:c8:cd:f2:be:b3:9a:b9:c2Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

b9:b7:91:f9:97:f9:94:53:fe:fc:23:d1:78:a8:0f:75:d3:43:be:e7Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

ndis.sys

fwpkclnt.sys

hal

Sections

.text Size: - Virtual size: 142KB

.rdata Size: - Virtual size: 10KB

.data Size: - Virtual size: 34KB

.pdata Size: - Virtual size: 3KB

INIT Size: - Virtual size: 5KB

.dtt0 Size: - Virtual size: 267KB

.dtt1 Size: 387KB - Virtual size: 386KB

.reloc Size: 512B - Virtual size: 24B

1b:f4:49:bb:b2:f0:f1:9a:c8:cd:f2:be:b3:9a:b9:c2
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

b9:b7:91:f9:97:f9:94:53:fe:fc:23:d1:78:a8:0f:75:d3:43:be:e7
Signer

.text
Size: - Virtual size: 142KB

.rdata
Size: - Virtual size: 10KB

.data
Size: - Virtual size: 34KB

.pdata
Size: - Virtual size: 3KB

INIT
Size: - Virtual size: 5KB

.dtt0
Size: - Virtual size: 267KB

.dtt1
Size: 387KB - Virtual size: 386KB

.reloc
Size: 512B - Virtual size: 24B