ntdsa.pdb
Static task
static1

Behavioral task
behavioral1
Sample: 6a6906fd4524bd55eefe171f29c8fc55f3f83a1d42e3243524481b56fcace51e_NeikiAnalytics.dll
Resource: win7-20231129-en

Behavioral task
behavioral2
Sample: 6a6906fd4524bd55eefe171f29c8fc55f3f83a1d42e3243524481b56fcace51e_NeikiAnalytics.dll
Resource: win10v2004-20240508-en
General
Target: 6a6906fd4524bd55eefe171f29c8fc55f3f83a1d42e3243524481b56fcace51e_NeikiAnalytics.exe
Size: 1.3MB
MD5: 513606f90b2f4ec0311c53f842ef2b40
SHA1: 6b89751f6c874de88f5483fe2916137de8b83e9b
SHA256: 6a6906fd4524bd55eefe171f29c8fc55f3f83a1d42e3243524481b56fcace51e
SHA512: a0b45a11460f053bd071a91ad336682019064b9f2537b7cdeb83fb14766462b5a39226d6dafd84edea5ab71ec8c57c9cecfe9034c14d8d91dbb553e4e82da0ea
SSDEEP: 24576:CG5lzy7GtoqbqHQTnwcZLxun4AksEH1bibLd8hpN61x3Q04x07DTCps05bWGo86m:lle7EMYweQjkbHFibLd8hpN61x3n7ap/
Malware Config

Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: 6a6906fd4524bd55eefe171f29c8fc55f3f83a1d42e3243524481b56fcace51e_NeikiAnalytics.exe

Files
6a6906fd4524bd55eefe171f29c8fc55f3f83a1d42e3243524481b56fcace51e_NeikiAnalytics.exe.dll windows:6 windows x86 arch:x86
a01b989ea5f2149a321e9007e42b9542
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
ntdsa.pdb
Imports
kernel32
ReleaseMutex
GetExitCodeThread
GetSystemDefaultLangID
GetUserDefaultLangID
GetThreadPriority
GetModuleHandleW
DeleteCriticalSection
DeviceIoControl
GetFileAttributesA
GetProcAddress
GetVolumeNameForVolumeMountPointA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
CreateFileA
WriteFile
CompareFileTime
MulDiv
RaiseException
ReleaseSemaphore
GetVersionExW
GetModuleFileNameA
lstrcpyA
ResetEvent
DnsHostnameToComputerNameW
SetProcessWorkingSetSize
TlsAlloc
CreateSemaphoreA
GlobalMemoryStatusEx
DebugBreak
CreateDirectoryA
GetWindowsDirectoryW
CreateFileMappingA
MapViewOfFile
GetSystemDirectoryW
GetSystemInfo
CreateMutexA
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
IsDebuggerPresent
CreateEventA
GetCurrentThread
SetThreadPriority
WaitForMultipleObjects
SetEvent
WaitForSingleObject
Sleep
InterlockedExchange
LocalAlloc
lstrlenW
GetComputerNameExW
GetComputerNameW
WideCharToMultiByte
CloseHandle
InterlockedDecrement
VirtualAlloc
VirtualFree
LoadLibraryW
FormatMessageW
InterlockedExchangeAdd
SystemTimeToFileTime
GetLastError
LCMapStringW
DelayLoadFailureHook
MultiByteToWideChar
TlsGetValue
CompareStringW
LocalFree
SetLastError
InterlockedIncrement
GetUserDefaultLCID
GetACP
LeaveCriticalSection
EnterCriticalSection
FindClose
FindNextFileA
DeleteFileA
CopyFileA
MoveFileA
FindFirstFileA
RemoveDirectoryA
IsValidLocale
CreateSemaphoreW
OutputDebugStringA
IsValidCodePage
lstrcatA
DuplicateHandle
GetVersionExA
FileTimeToLocalFileTime
GetSystemTime
TryEnterCriticalSection
LocalReAlloc
GetEnvironmentVariableW
GetEnvironmentVariableA
GetPrivateProfileSectionA
ResumeThread
GetLocalTime
ReadFile
SetErrorMode
SetFilePointer
MoveFileW
CreateFileW
FlushFileBuffers
ExpandEnvironmentStringsA
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
lstrlenA
LoadLibraryA
InterlockedCompareExchange
FreeLibrary
TlsSetValue
msvcrt
_wcsicmp
_except_handler3
_snwprintf
malloc
towlower
iswxdigit
wcstol
wcstoul
free
_purecall
_errno
_strdup
_strcmpi
mbtowc
wcstombs
_wtoi
isdigit
_adjust_fdiv
_initterm
mbstowcs
strncat
strtol
_endthreadex
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z
wcsncmp
isxdigit
_i64tow
iswcntrl
strncpy
_splitpath
_makepath
_resetstkoflw
_vsnwprintf
_vsnprintf
strstr
isspace
_strnicmp
iswdigit
time
tolower
isalpha
_ultow
wcsncpy
towupper
sscanf
strtoul
srand
strncmp
atoi
rand
_daylight
_timezone
_itow
_heapmin
exit
signal
strrchr
_stricmp
_getpid
_memicmp
atol
strchr
_beginthreadex
qsort
bsearch
_wcsnicmp
_local_unwind2
_snprintf
strerror
_wcsdup
calloc
realloc
_itoa
_ultoa
sprintf
memmove
swscanf
wcsncat
swprintf
wcschr
wcsrchr
_sleep
_strupr
strftime
ntdll
RtlLengthSid
RtlAllocateHeap
RtlReAllocateHeap
RtlFreeHeap
RtlSubAuthorityCountSid
RtlEqualSid
RtlDestroyHeap
RtlGetDaclSecurityDescriptor
RtlGetControlSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlRunDecodeUnicodeString
RtlInitString
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlRunEncodeUnicodeString
NtCreateFile
RtlCompareUnicodeString
RtlInitializeCriticalSection
RtlInsertElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
NtConnectPort
NtRequestWaitReplyPort
RtlWalkHeap
RtlCreateHeap
RtlSubAuthoritySid
RtlCopySid
RtlLengthRequiredSid
RtlNtStatusToDosError
DbgPrint
RtlValidSid
NtClose
NtCreateEvent
NtOpenEvent
RtlInitUnicodeString
RtlLengthSecurityDescriptor
RtlValidRelativeSecurityDescriptor
RtlAllocateAndInitializeSid
RtlEqualDomainName
RtlInsertElementGenericTable
RtlInitializeGenericTable
RtlLookupElementGenericTable
RtlConvertSidToUnicodeString
DbgBreakPoint
NtQueryInformationToken
NtOpenThreadToken
RtlRandomEx
RtlUnicodeStringToAnsiString
RtlCompareMemory
RtlLargeIntegerToChar
NtShutdownSystem
RtlAdjustPrivilege
NtQuerySystemTime
RtlFreeSid
RtlMakeSelfRelativeSD
ntdsapi
DsCrackSpnW
DsCrackNamesW
DsMakeSpnW
DsFreeNameResultW
ntdsatq
_AtqContextSetInfo2@12
_AtqGetAddressFamilies@8
_AtqRegisterAddressChangeCallback@8
_AtqGetInfo@4
_AtqOpenSession@0
AtqTerminate
_AtqSetInfo2@8
_AtqSetInfo@8
AtqInitialize
_AtqSyncWsaSend@16
_AtqCreateEndpointEx@12
_AtqWriteSocket@16
_AtqWriteDatagramSocket@16
_AtqCloseSession@4
_AtqContextGetInfo@8
_AtqGetDatagramAddrs@24
_AtqGetAcceptExAddrsEx@32
_AtqFreeContext@8
_AtqCloseSocket@8
_AtqEndpointSetInfo2@12
_AtqContextSetInfo@12
_AtqStartEndpoint@4
_AtqStopEndpoint@4
_AtqReadSocket@16
_AtqCloseEndpoint@4
wldap32
ord122
ord97
ord79
ord54
ord309
ord301
ord310
ord304
ord118
ord311
ord300
ord308
ord16
ord14
ord203
ord18
ord13
ord224
ord41
ord140
ord26
ord307
ord306
ord77
ord211
ord142
ord73
ord145
samsrv
SampSetSerialNumberDomain2
SampGetSerialNumberDomain2
SamIQueryServerRole2
SamIMixedDomain2
SamrDeleteUser
SamrDeleteAlias
SamrDeleteGroup
SamIDsCreateObjectInDomain
SamIDsSetObjectInformation
SampCommitBufferedWrites
SamILoopbackConnect
SamrOpenUser
SampAccountControlToFlags
SampAcquireSamLockExclusive
SampReleaseSamLockExclusive
SamINotifyServerDelta
SampReleaseWriteLock
SampInvalidateDomainCache
SamIIsAttributeProtected
SampInvalidateRidRange
SamIFloatingSingleMasterOpEx
SamIHandleObjectUpdate
SampFlagsToAccountControl
SampIsAuditingEnabled
SampNetLogonNotificationRequired
SampNotifyAuditChange
SamINotifyRoleChange
SampNotifyReplicatedInChange
SampProcessSingleLoopbackTask
SampAbortSingleLoopbackTask
SamIImpersonateNullSession
SamIRevertNullSession
SamrCloseHandle
SampDsChangePasswordUser
SampAcquireWriteLock
SamrOpenGroup
SamrOpenAlias
SamrOpenDomain
esent
JetIntersectIndexes
JetGotoSecondaryIndexBookmark
JetGotoBookmark
JetSetCurrentIndex4
JetGetCurrentIndex
JetEnumerateColumns
JetUpdate2
JetSetIndexRange
JetRetrieveKey
JetDupCursor
JetGetSecondaryIndexBookmark
JetGetBookmark
JetGotoPosition
JetDelete
JetOpenTempTable2
JetIndexRecordCount
JetStopServiceInstance
JetCreateInstance
JetRestoreInstance
JetDeleteTable
JetCreateTable
JetGetSystemParameter
JetConvertDDL
JetAddColumn
JetDeleteColumn
JetSetCurrentIndex2
JetGetRecordPosition
JetCreateIndex2
JetDefragment
JetGetDatabaseInfo
JetGetTableInfo
JetOpenTempTable
JetSetTableSequential
JetBeginTransaction
JetGetLock
JetRollback
JetCommitTransaction
JetMakeKey
JetSeek
JetSetColumns
JetRetrieveColumn
JetEscrowUpdate
JetInit
JetEndSession
JetTerm
JetSetSystemParameter
JetAttachDatabase
JetCreateTableColumnIndex
JetGetTableColumnInfo
JetCloseDatabase
JetDetachDatabase
JetPrepareUpdate
JetSetColumn
JetUpdate
JetBeginSession
JetOpenDatabase
JetOpenTable
JetGetIndexInfo
JetDeleteIndex
JetSetCurrentIndex
JetGetTableIndexInfo
JetGetColumnInfo
JetMove
JetRetrieveColumns
JetCloseTable
JetBackupInstance
netapi32
NetUserModalsGet
NetLocalGroupDelMembers
NetLocalGroupAddMembers
NetApiBufferFree
DsValidateSubnetNameW
NetApiBufferAllocate
DsGetDcCloseW
DsGetDcNextW
DsGetDcOpenW
DsGetDcNameW
NetAlertRaiseEx
advapi32
MakeAbsoluteSD
AdjustTokenPrivileges
ConvertStringSDToSDRootDomainW
RegOpenKeyA
RegQueryValueExA
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
SetNamedSecurityInfoA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegOpenKeyExA
RegSetValueExA
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegConnectRegistryW
RegOpenKeyW
GetAclInformation
InitializeAcl
GetAce
AddAce
AddAccessAllowedAce
LogonUserW
CheckTokenMembership
RegQueryValueExW
RegDeleteValueW
RegCloseKey
GetSecurityDescriptorOwner
GetLengthSid
EqualSid
SystemFunction025
SystemFunction024
SystemFunction027
SystemFunction026
ImpersonateLoggedOnUser
RevertToSelf
ConvertStringSidToSidW
GetWindowsAccountDomainSid
LsaOpenPolicy
LsaLookupSids
LsaClose
ConvertSidToStringSidW
SystemFunction036
EqualPrefixSid
GetSecurityDescriptorRMControl
DestroyPrivateObjectSecurity
ConvertStringSDToSDDomainW
AddAccessAllowedObjectAce
DeleteAce
IsValidSid
GetTraceLoggerHandle
RegisterTraceGuidsA
TraceEvent
GetTokenInformation
OpenThreadToken
LsaFreeMemory
LsaQueryInformationPolicy
SetPrivateObjectSecurityEx
CreateWellKnownSid
MakeSelfRelativeSD
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
SetSecurityDescriptorRMControl
CreatePrivateObjectSecurityWithMultipleInheritance
MapGenericMask
SetSecurityDescriptorSacl
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CopySid
GetSecurityDescriptorGroup
RegDeleteValueA
CloseServiceHandle
ControlService
QueryServiceStatus
QueryServiceConfigA
OpenServiceA
OpenSCManagerA
IsValidSecurityDescriptor
MD5Final
MD5Update
MD5Init
RegNotifyChangeKeyValue
RegDeleteKeyA
RegCreateKeyA
DeregisterEventSource
ReportEventA
RegisterEventSourceA
ReportEventW
RegFlushKey
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptDuplicateHash
CryptHashData
CryptCreateHash
CryptAcquireContextA
CryptGenRandom
InitiateSystemShutdownExW
RegEnumValueA
RegQueryInfoKeyA
ConvertStringSDToSDRootDomainA
ConvertSidToStringSidA
ConvertStringSidToSidA
CryptDeriveKey
CryptDestroyKey
CryptSetHashParam
GetSidSubAuthority
GetSidSubAuthorityCount
FreeSid
LookupAccountSidA
AllocateAndInitializeSid
RegOpenKeyExW
OpenProcessToken
ws2_32
ntohl
htonl
inet_ntoa
inet_addr
htons
WSAAddressToStringA
setsockopt
WSALookupServiceEnd
WSAGetLastError
WSALookupServiceNextW
WSALookupServiceBeginW
user32
wsprintfA
wsprintfW
CharLowerBuffW
rpcrt4
NdrClientCall2
NdrMesTypeDecode2
NdrMesTypeEncode2
NdrMesTypeAlignSize2
RpcAsyncInitializeHandle
RpcAsyncCancelCall
RpcAsyncCompleteCall
I_RpcGetExtendedError
RpcCancelThreadEx
RpcStringBindingComposeW
NdrAsyncClientCall
I_RpcBindingHandleToAsyncHandle
I_RpcExceptionFilter
RpcBindingSetAuthInfoExA
RpcStringBindingComposeA
RpcErrorEndEnumeration
RpcErrorGetNextRecord
RpcErrorGetNumberOfRecords
RpcBindingFromStringBindingA
RpcBindingFromStringBindingW
RpcEpResolveBinding
RpcBindingSetAuthInfoExW
RpcMgmtInqServerPrincNameW
RpcBindingCopy
RpcSsDestroyClientContext
RpcSsGetContextBinding
RpcBindingSetOption
NdrServerCall2
MesDecodeBufferHandleCreate
MesBufferHandleReset
RpcTestCancel
UuidFromStringW
RpcStringFreeW
UuidToStringW
UuidCreate
RpcStringFreeA
UuidToStringA
RpcImpersonateClient
RpcRevertToSelf
RpcFreeAuthorizationContext
RpcGetAuthorizationContextForClient
RpcStringBindingParseA
RpcBindingToStringBindingA
RpcBindingInqAuthClientA
RpcServerListen
RpcBindingVectorFree
RpcEpRegisterA
RpcServerInqBindings
RpcEpUnregister
RpcProtseqVectorFreeA
RpcNetworkInqProtseqsA
RpcServerUseProtseqExA
RpcServerUseProtseqEpExA
RpcServerInqDefaultPrincNameA
RpcServerRegisterAuthInfoA
RpcServerRegisterIf2
RpcServerRegisterIfEx
RpcMgmtStopServerListening
UuidCompare
I_RpcBindingInqSecurityContext
I_RpcGetCurrentCallHandle
MesHandleFree
MesEncodeFixedBufferHandleCreate
RpcBindingFree
RpcBindingServerFromClient
RpcRaiseException
RpcSsContextLockExclusive
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcErrorStartEnumeration
cryptdll
CDGenerateRandomBits
CDLocateCheckSum
crypt32
CryptDecryptAndVerifyMessageSignature
CryptDecodeObject
CertFindExtension
CertEnumCertificatesInStore
CertGetNameStringW
CertFreeCertificateChain
CertDuplicateCertificateContext
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertGetSubjectCertificateFromStore
CertCloseStore
CryptSignMessage
CertOpenStore
CryptVerifyMessageSignature
CryptSignAndEncryptMessage
CertFreeCertificateContext
dnsapi
DnsValidateName_W
DnsValidateName_UTF8
DnsNameCompare_W
lsasrv
LsaIHealthCheck
LsaIForestTrustFindMatch
LsarClose
LsaIFree_LSAPR_POLICY_INFORMATION
LsarQueryInformationPolicy
LsaIOpenPolicyTrusted
LsaINotifyGCStatusChange
LsaIQueryInformationPolicyTrusted
LsaIAuditSamEvent
LsaIAdtAuditingEnabledByCategory
LsaIFree_LSAPR_UNICODE_STRING_BUFFER
authz
AuthzFreeAuditEvent
AuthzInitializeResourceManager
AuthzFreeResourceManager
AuthzFreeContext
AuthzInitializeContextFromToken
AuthzAccessCheck
AuthzOpenObjectAudit
AuthzInitializeObjectAccessAuditEvent2
AuthziModifyAuditEvent2
AuthzGetInformationFromContext
AuthzInitializeContextFromSid
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditEvent
AuthziLogAuditEvent
AuthziInitializeAuditEventType
samlib
SamConnectWithCreds
SamLookupNamesInDomain
SamOpenAlias
SamOpenUser
SamQueryInformationUser
SamOpenGroup
SamCloseHandle
SamLookupDomainInSamServer
SamOpenDomain
SamFreeMemory
Exports
AppendRDN
AttrTypeToKey
CountNameParts
CrackSingleName
DBDsReplBackupUpdate
DSNAMEToHashKeyExternal
DSNAMEToMappedStrExternal
DSReplaceDomainSid
DSStrToHashKeyExternal
DSStrToMappedStrExternal
DSUpdateAnchorAfterDomainSidChange
DbgPrintErrorInfo
DebPrint
DebugTest
DirAddEntry
DirBind
DirCompare
DirErrorToNtStatus
DirErrorToWinError
DirFindEntry
DirGetDomainHandle
DirModifyDN
DirModifyEntry
DirNotifyRegister
DirNotifyUnRegister
DirOperationControl
DirPrepareForImpersonate
DirProtectEntry
DirRead
DirRemoveEntry
DirReplicaAdd
DirReplicaDelete
DirReplicaDemote
DirReplicaGetDemoteTarget
DirReplicaModify
DirReplicaReferenceUpdate
DirReplicaSetCredentials
DirReplicaSynchronize
DirSearch
DirStopImpersonating
DirTransactControl
DoAssert
DoLogEvent
DoLogEventAndTrace
DoLogOverride
DoLogUnhandledError
DsChangeBootOptions
DsCheckConstraint
DsFreeServersAndSitesForNetLogon
DsGetBootOptions
DsGetDefaultObjCategory
DsGetEventConfig
DsGetServersAndSitesForNetLogon
DsInitialize
DsInitializeCritSecs
DsIsBeingBackSynced
DsPrepareUninitialize
DsTraceEvent
DsUninitialize
DsUpdateOnPDC
DsWaitUntilDelayedStartupIsDone
DsaDisableUpdates
DsaEnableUpdates
DsaExeStartRoutine
DsaSetInstallCallback
FindNetbiosDomainName
GCVerifyCacheLookup
GetConfigDsName
GetConfigParam
GetConfigParamAllocW
GetConfigParamW
GetConfigurationInfo
GetConfigurationName
GetConfigurationNamesList
GetDnsRootAlias
GetRDNInfoExternal
GuidBasedDNSNameFromDSName
ImpersonateAnyClient
InitCommarg
IsMangledRDNExternal
IsStringGuid
MapSpnServiceClass
MatchCrossRefByNetbiosName
MatchCrossRefBySid
MatchDomainDnByDnsName
MatchDomainDnByNetbiosName
MtxAddrFromTransportAddr
MtxSame
NameMatched
NameMatchedStringNameOnly
NamePrefix
QuoteRDNValue
SampAddLoopbackTask
SampAmIGC
SampComputeGroupType
SampDeriveMostBasicDsClass
SampDoesDomainExist
SampDsAttrFromSamAttr
SampDsClassFromSamObjectType
SampDsControl
SampExistsDsLoopback
SampExistsDsTransaction
SampGCLookupNames
SampGCLookupSids
SampGetAccountCounts
SampGetClassAttribute
SampGetDisplayEnumerationIndex
SampGetDsAttrIdByName
SampGetEnterpriseSidList
SampGetGroupsForToken
SampGetLoopbackObjectClassId
SampGetMemberships
SampGetQDIRestart
SampGetSamAttrIdByName
SampGetServerRoleFromFSMO
SampIsSecureLdapConnection
SampIsWriteLockHeldByDs
SampMaybeBeginDsTransaction
SampMaybeEndDsTransaction
SampNetlogonPing
SampSamAttrFromDsAttr
SampSamObjectTypeFromDsClass
SampSetDsa
SampSetIndexRanges
SampSetLsa
SampSetSam
SampSignalStart
SampVerifySids
THAlloc
THClearErrors
THCreate
THDestroy
THFree
THGetErrorString
THQuery
THReAlloc
THRestore
THSave
THVerifyCount
TransportAddrFromMtxAddr
TrimDSNameBy
UnImpersonateAnyClient
UpdateDSPerfStats
Sections
.text: Size 1.2MB, Virtual size 1.2MB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ)
PAGELK: Size 5KB, Virtual size 5KB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ)
.data: Size 20KB, Virtual size 165KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.rsrc: Size 31KB, Virtual size 30KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.reloc: Size 45KB, Virtual size 44KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ)