c35eb942c95e69201d2658870c84ad50_NeikiAnalytics[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

c35eb942c95e69201d2658870c84ad50_NeikiAnalytics.exe
Size

1.2MB
MD5

c35eb942c95e69201d2658870c84ad50
SHA1

7d215d060c4b1a610311e7e82e49bd524be3f62f
SHA256

2afaa0f44b1d54176a342764015f1bf31aa32afd0be39dd6cb3f4bbfdd5bae86
SHA512

c1d949f0a694605c8bdd826c84e9639a27feeb3d2e7d63d11eba0779878d36e3bab0e8fc3a42d5cd75a7a14447d7205f5df67ac445d3c7aa6cf491d52754ce77
SSDEEP

24576:FV33wSLQExJFQfLS3x4aXMv981Zg8M9dOpfenI1z4gv10Xi6yBg:F9/FMLS3x5XMl8SbdOpygv1yyi

Score

1^/10

Malware Config

Signatures

Files

c35eb942c95e69201d2658870c84ad50_NeikiAnalytics.exe
.sys windows:6 windows x64 arch:x64

4859205cb010367bf6f38080900035fb

Code Sign

7f:67:15:0f:bb:0d:25:4e:47:42:84:c7:f7:81:9c:4f
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

09/04/2013, 00:00

Not After

09/04/2014, 23:59

Subject

CN=FEI XIAO,OU=Individual Developer,O=No Organization Affiliation,L=Jiaonan,ST=Shandong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:31

Not After

22/02/2021, 19:41

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d7:e4:a5:73:61:c7:fd:aa:e7:80:29:00:be:3a:83:c0:8a:99:c1:0a
Signer

Actual PE Digest

d7:e4:a5:73:61:c7:fd:aa:e7:80:29:00:be:3a:83:c0:8a:99:c1:0a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Imports

ntoskrnl.exe

RtlInitUnicodeString
RtlGetVersion
ZwCreateFile
ZwClose
wcsncpy
RtlQueryRegistryValues
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
DbgPrint
KeInitializeEvent
ExAllocatePool
ExAllocatePoolWithTag
ExFreePoolWithTag
ExInitializeNPagedLookasideList
PsCreateSystemThread
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoGetCurrentProcess
IoRegisterShutdownNotification
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
MmIsAddressValid
PsSetLoadImageNotifyRoutine
ZwQueryDirectoryFile
_strlwr
RtlInitAnsiString
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
ZwQueryValueKey
strstr
_strupr
wcsncat
wcsncmp
wcsrchr
wcsstr
_wcslwr
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlTimeToTimeFields
KeSetEvent
KeDelayExecutionThread
KeWaitForSingleObject
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
KeQueryTimeIncrement
ExSystemTimeToLocalTime
MmProbeAndLockPages
MmUnlockPages
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
PsGetVersion
IoAllocateMdl
IofCompleteRequest
IoFreeIrp
IoFreeMdl
IoGetDeviceObjectPointer
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwDeleteFile
sprintf
swprintf
_snwprintf
rand
srand
ObReferenceObjectByName
__C_specific_handler
IoDriverObjectType
ProbeForRead
PsTerminateSystemThread
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExDeleteNPagedLookasideList
strncpy
_vsnprintf
RtlInitString
ZwOpenFile
ZwCreateSection
ZwMapViewOfSection
RtlCompareString
PsGetCurrentProcessId
PsLookupProcessByProcessId
RtlImageNtHeader
PsGetProcessPeb
strchr
_wcsupr
RtlWriteRegistryValue
RtlDeleteRegistryValue
ZwCreateKey
ZwDeleteKey
ZwEnumerateValueKey
atoi
mbstowcs
__chkstk
strncmp
_strnicmp
strrchr
ExAcquireFastMutex
ExReleaseFastMutex
_snprintf
ObfReferenceObject
IoAllocateIrp
IoBuildDeviceIoControlRequest
IofCallDriver
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
RtlCompareUnicodeString
MmGetSystemRoutineAddress
IoCreateFile
IoGetFileObjectGenericMapping
ObQueryNameString
ZwOpenDirectoryObject
ObCreateObject
SeCreateAccessState
wcscmp
IoFileObjectType
PsThreadType
RtlAppendUnicodeToString
RtlCompareMemory
IoUnregisterShutdownNotification
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
ZwOpenProcess
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
_wcsicmp
IoStopTimer
PsRemoveLoadImageNotifyRoutine
IoGetDeviceAttachmentBaseRef
_stricmp
NtOpenProcess
ZwQueryObject
ZwDuplicateObject
PsLookupThreadByThreadId
ZwOpenThread
ZwUnloadKey
ZwLoadKey
ZwUnmapViewOfSection
ZwSetValueKey
ObSetHandleAttributes
KeStackAttachProcess
KeUnstackDetachProcess
PsInitialSystemProcess
ZwAllocateVirtualMemory
PsIsThreadTerminating
KeInitializeApc
KeInsertQueueApc
ExInitializePagedLookasideList
ExDeletePagedLookasideList
CmRegisterCallback
CmUnRegisterCallback
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeClearEvent
KeBugCheckEx
RtlUnicodeStringToInteger
MmAllocatePagesForMdl
MmFreePagesFromMdl
MmAllocateContiguousMemory
MmFreeContiguousMemory
MmMapViewInSystemSpace
MmUnmapViewInSystemSpace
MmSectionObjectType
RtlCaptureContext
KeCapturePersistentThreadState
MmSystemRangeStart
IoDeviceObjectType
KeRevertToUserAffinityThread
KeSetSystemAffinityThread
KeCancelTimer
KeNumberProcessors
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

HalMakeBeep

Sections

.text
Size: - Virtual size: 218KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 176KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vvd0
Size: - Virtual size: 941KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vvd1
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4859205cb010367bf6f38080900035fb

Code Sign

7f:67:15:0f:bb:0d:25:4e:47:42:84:c7:f7:81:9c:4fCertificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

61:1f:b0:a4:00:00:00:00:00:1dCertificate

Key Usages

d7:e4:a5:73:61:c7:fd:aa:e7:80:29:00:be:3a:83:c0:8a:99:c1:0aSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 218KB

.rdata Size: - Virtual size: 17KB

.data Size: - Virtual size: 176KB

.pdata Size: - Virtual size: 6KB

INIT Size: - Virtual size: 5KB

.vvd0 Size: - Virtual size: 941KB

.vvd1 Size: 1.2MB - Virtual size: 1.2MB

.reloc Size: 512B - Virtual size: 48B

7f:67:15:0f:bb:0d:25:4e:47:42:84:c7:f7:81:9c:4f
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

d7:e4:a5:73:61:c7:fd:aa:e7:80:29:00:be:3a:83:c0:8a:99:c1:0a
Signer

.text
Size: - Virtual size: 218KB

.rdata
Size: - Virtual size: 17KB

.data
Size: - Virtual size: 176KB

.pdata
Size: - Virtual size: 6KB

INIT
Size: - Virtual size: 5KB

.vvd0
Size: - Virtual size: 941KB

.vvd1
Size: 1.2MB - Virtual size: 1.2MB

.reloc
Size: 512B - Virtual size: 48B