7dd9d9413fa11c75d160787fc3aeda50_NeikiAnalytics[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

7dd9d9413fa11c75d160787fc3aeda50_NeikiAnalytics.exe
Size

238KB
MD5

7dd9d9413fa11c75d160787fc3aeda50
SHA1

e1a6ed8f391b40d39ccbcf27fddc8908390d8d94
SHA256

61187a580325a181dfaf21bc7ac6e08a3eeb5f078a8b1fca5c5f2bcacf06b199
SHA512

3b55ab3e243693f06bca508ab79432251ce860ad97b58932ede404be7fa7ded0e4dc888dfd9cebf9995f88303115879c1a557bc034ef19194e448258c232a300
SSDEEP

6144:w0+HDgT6RCBdqZ0UchsqA7IHk3tL2CtkWKHQ9AZ:w0+HkT6CbqDhIHkdLXtklwA

Score

1^/10

Malware Config

Signatures

Files

7dd9d9413fa11c75d160787fc3aeda50_NeikiAnalytics.exe
.sys windows:10 windows x64 arch:x64

789b95eb8bf342175aee7ac61178b88a

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

20/05/2013, 00:00

Not After

20/05/2014, 23:59

Subject

CN=Shenzhen yundian Technology Co.\, Ltd,O=Shenzhen yundian Technology Co.\, Ltd,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:31

Not After

22/02/2021, 19:41

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1a:b4:30:a5:b0:15:7e:14:c7:46:f8:9c:46:37:bb:55:87:a7:40:22
Certificate

Issuer

CN=Taylor Swift Fan Group China,OU=Taylor Swift Fan Group China,O=Taylor Swift Fan Group China,L=Taylor Swift Fan Group China,ST=Taylor Swift Fan Group China,C=AU,1.2.840.113549.1.9.1=#131c5461796c6f722053776966742046616e2047726f7570204368696e61

Not Before

01/04/2001, 14:23

Not After

08/03/2101, 14:23

Subject

CN=Taylor Swift Fan Group China,OU=Taylor Swift Fan Group China,O=Taylor Swift Fan Group China,L=Taylor Swift Fan Group China,ST=Taylor Swift Fan Group China,C=AU,1.2.840.113549.1.9.1=#131c5461796c6f722053776966742046616e2047726f7570204368696e61

Extended Key Usages

ExtKeyUsageTimeStamping

80:50:ef:7e:6c:32:61:22:4d:be:dd:4c:55:e3:23:d6:dc:5c:fa:2b
Signer

Actual PE Digest

80:50:ef:7e:6c:32:61:22:4d:be:dd:4c:55:e3:23:d6:dc:5c:fa:2b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\Sandboxie\Sandboxie\Sandboxie\Bin\x64\SbieRelease\SbieDrv.pdb

Imports

ntoskrnl.exe

_itow
towlower
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
IoGetCurrentProcess
RtlConvertSidToUnicodeString
SeQueryInformationToken
PsReferencePrimaryToken
PsDereferencePrimaryToken
ZwCreateFile
ZwQueryInformationFile
ZwClose
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
wcsrchr
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlGetVersion
KeDelayExecutionThread
PsGetVersion
ZwOpenKey
ZwQueryValueKey
RtlCreateAcl
RtlAddAce
RtlAddAccessAllowedAceEx
RtlSetSaclSecurityDescriptor
DbgPrint
ZwSetInformationFile
ZwWriteFile
IoCreateFileSpecifyDeviceObjectHint
NtClose
ObOpenObjectByPointer
IoFileObjectType
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
PsGetProcessWin32WindowStation
ExWindowStationObjectType
MmProbeAndLockPages
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoIs32bitProcess
ZwWaitForSingleObject
ZwUnloadKey
wcsncpy_s
_wcslwr
KeBugCheckEx
ExInitializeResourceLite
ExDeleteResourceLite
IoCreateFile
ZwReadFile
wcstoul
_wtoi
KeEnterCriticalRegion
KeLeaveCriticalRegion
ZwCreateDirectoryObject
SeSinglePrivilegeCheck
PsGetCurrentThreadId
PsGetProcessId
ZwDuplicateObject
ZwOpenDirectoryObject
ZwSetSecurityObject
ZwCreateSymbolicLinkObject
wcscmp
PsProcessType
PsLookupProcessByProcessId
ObReferenceObjectByName
ZwQueryDirectoryObject
LpcPortObjectType
CmUnRegisterCallback
MmGetSystemRoutineAddress
ZwCreateKey
ZwSetValueKey
ZwYieldExecution
ZwOpenProcessTokenEx
ZwSetInformationToken
ZwLoadKey
ObOpenObjectByName
IoAllocateErrorLogEntry
IoWriteErrorLogEntry
PsGetThreadProcessId
PsGetThreadProcess
PsThreadType
RtlInt64ToUnicodeString
PsSetCreateProcessNotifyRoutineEx
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetProcessCreateTimeQuadPart
PsSetThreadHardErrorsAreDisabled
_ultow_s
ZwTerminateProcess
SeQuerySessionIdToken
PsDereferenceImpersonationToken
PsReferenceImpersonationToken
PsGetProcessSessionId
SeTokenObjectType
KeStackAttachProcess
KeUnstackDetachProcess
PsGetProcessPeb
ZwOpenProcess
RtlLengthSid
ZwQueryInformationProcess
PsCreateSystemThread
PsTerminateSystemThread
PsGetProcessJob
SeTokenIsAdmin
ZwQueryInformationToken
MmIsAddressValid
NtDeviceIoControlFile
PsImpersonateClient
ZwQuerySystemInformation
strcmp
PsSetCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsGetThreadId
SeTokenType
ZwDuplicateToken
ZwOpenThreadToken
ZwOpenProcessToken
SeTokenImpersonationLevel
PsGetProcessExitProcessCalled
ZwDeviceIoControlFile
RtlEqualSid
RtlSubAuthoritySid
RtlAddAccessAllowedAce
ZwSetInformationProcess
_stricmp
RtlQueryRegistryValues
RtlWalkFrameChain
PsGetProcessImageFileName
PsIsProtectedProcess
strchr
RtlUnicodeToUTF8N
RtlTimeFieldsToTime
ExSystemTimeToLocalTime
SeLocateProcessImageName
_wtol
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
RtlUnicodeToMultiByteN
__C_specific_handler
LpcRequestPort
SeFilterToken
PsGetCurrentProcessId
ObfDereferenceObject
ObfReferenceObject
ObReferenceObjectByHandle
IoDeleteDevice
IoCreateDevice
ExAcquireResourceSharedLite
RtlUnicodeStringToInteger
_wcsnicmp
_wcsicmp
RtlFreeUnicodeString
RtlCompareUnicodeString
ObQueryNameString
wcschr
IofCompleteRequest
ExGetPreviousMode
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
ProbeForWrite
ExRaiseStatus
ProbeForRead
ExFreePoolWithTag
ExAllocatePoolWithTag
KeGetCurrentIrql
RtlInitUnicodeString
wcsncpy
wcsstr
wcsncmp
RtlAnsiCharToUnicodeChar

hal

KeQueryPerformanceCounter

fltmgr.sys

FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltSetCallbackDataDirty
FltGetFileNameInformation
FltReleaseFileNameInformation

ksecdd.sys

BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyHash

fwpkclnt.sys

FwpmBfeStateSubscribeChanges0
FwpmBfeStateUnsubscribeChanges0
FwpsCalloutUnregisterById0
FwpsCalloutRegister1
FwpmEngineOpen0
FwpmEngineClose0
FwpmTransactionBegin0
FwpmTransactionCommit0
FwpmTransactionAbort0
FwpmSubLayerAdd0
FwpmCalloutAdd0
FwpmBfeStateGet0
FwpmFilterAdd0

Sections

.text
Size: 176KB - Virtual size: 176KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INITDATA
Size: 512B - Virtual size: 352B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 304B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

789b95eb8bf342175aee7ac61178b88a

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99Certificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

61:1f:b0:a4:00:00:00:00:00:1dCertificate

Key Usages

1a:b4:30:a5:b0:15:7e:14:c7:46:f8:9c:46:37:bb:55:87:a7:40:22Certificate

Extended Key Usages

80:50:ef:7e:6c:32:61:22:4d:be:dd:4c:55:e3:23:d6:dc:5c:fa:2bSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

fltmgr.sys

ksecdd.sys

fwpkclnt.sys

Sections

.text Size: 176KB - Virtual size: 176KB

.rdata Size: 23KB - Virtual size: 22KB

.data Size: 1KB - Virtual size: 2KB

.pdata Size: 7KB - Virtual size: 6KB

INITDATA Size: 512B - Virtual size: 352B

INIT Size: 21KB - Virtual size: 21KB

.rsrc Size: 1024B - Virtual size: 1024B

.reloc Size: 512B - Virtual size: 304B

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

1a:b4:30:a5:b0:15:7e:14:c7:46:f8:9c:46:37:bb:55:87:a7:40:22
Certificate

80:50:ef:7e:6c:32:61:22:4d:be:dd:4c:55:e3:23:d6:dc:5c:fa:2b
Signer

.text
Size: 176KB - Virtual size: 176KB

.rdata
Size: 23KB - Virtual size: 22KB

.data
Size: 1KB - Virtual size: 2KB

.pdata
Size: 7KB - Virtual size: 6KB

INITDATA
Size: 512B - Virtual size: 352B

INIT
Size: 21KB - Virtual size: 21KB

.rsrc
Size: 1024B - Virtual size: 1024B

.reloc
Size: 512B - Virtual size: 304B