4f56c624bbd19111178d9bba76a3d095fe30c5b5b0616545f4147a7af53fd0fc_NeikiAnalytics[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

4f56c624bbd19111178d9bba76a3d095fe30c5b5b0616545f4147a7af53fd0fc_NeikiAnalytics.exe
Size

1.4MB
MD5

d2515e3aa5b5332aa9f3660df9b4e3b0
SHA1

d2760adba41989e4a5de157307da66db1712d298
SHA256

4f56c624bbd19111178d9bba76a3d095fe30c5b5b0616545f4147a7af53fd0fc
SHA512

d0734f917f95cf1a1320d29781d17acb24225d9cab6af69590ef25b4448439118a6e2960f0868d0251aaacccd4f7f08fd848fdd3910b7084ab3a5459f08edb72
SSDEEP

24576:V+WTWFinlgO1DX8yykSvUe/iOarq+Ea62KLf:AWTWFilg4DX8DcNOei2u

Score

1^/10

Malware Config

Signatures

Files

4f56c624bbd19111178d9bba76a3d095fe30c5b5b0616545f4147a7af53fd0fc_NeikiAnalytics.exe
.sys windows:6 windows x64 arch:x64

7b41830f9cd60f47af60c7c34504eb13

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

5c:01:10:72:f2:51:3d:a0:4f:46:47:46:30:43:2f:b5
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/04/2013, 00:00

Not After

24/06/2015, 23:59

Subject

CN=Bit9\, Inc,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Bit9\, Inc,L=Waltham,ST=Massachusetts,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f3:bf:23:43:56:d7:45:1b:73:94:0c:95:d8:32:53:b0:e4:4c:5c:c0
Signer

Actual PE Digest

f3:bf:23:43:56:d7:45:1b:73:94:0c:95:d8:32:53:b0:e4:4c:5c:c0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\newbuild\Das\Host\Kernel\objfre_win7_amd64\bin\Parity.pdb

Imports

fltmgr.sys

FltReleaseFileNameInformation
FltDeletePushLock
FltAcquirePushLockExclusive
FltAcquirePushLockShared
FltReleasePushLock
FltAllocateGenericWorkItem
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltInitializePushLock
FltGetVolumeName
FltGetDiskDeviceObject
FltGetVolumeProperties
FltIsVolumeSnapshot
FltGetVolumeGuidName
FltObjectReference
FltObjectDereference
FltDetachVolume
FltGetVolumeFromInstance
FltGetFilterFromInstance
FltGetVolumeFromFileObject
FltEnumerateVolumes
FltEnumerateInstances
FltDoCompletionProcessingWhenSafe
FltGetRequestorProcessId
FltAllocateContext
FltSetTransactionContext
FltGetTransactionContext
FltReleaseContext
FltCancellableWaitForSingleObject
FltEnlistInTransaction
FltCreateCommunicationPort
FltCloseCommunicationPort
FltCloseClientPort
FltSendMessage
FltBuildDefaultSecurityDescriptor
FltFreeSecurityDescriptor
FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltGetDeviceObject
FltGetFileNameInformation
FltParseFileNameInformation
FltGetTunneledName
FltGetDestinationFileNameInformation
FltIsDirectory
FltCreateFile
FltQueryInformationFile
FltClose
FltSupportsStreamContexts
FltSupportsStreamHandleContexts
FltSetStreamContext
FltSetStreamHandleContext
FltDeleteStreamContext
FltGetStreamContext
FltGetStreamHandleContext

ntoskrnl.exe

ExFreePoolWithTag
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
_stricmp
_strnicmp
MmGetSystemRoutineAddress
ZwQuerySystemInformation
__C_specific_handler
PsProcessType
_purecall
RtlInitUnicodeString
RtlQueryRegistryValues
RtlCreateRegistryKey
RtlCheckRegistryKey
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlFreeUnicodeString
RtlStringFromGUID
RtlCompareMemory
KeBugCheckEx
IofCallDriver
IoWMIRegistrationControl
IoWMIWriteEvent
PsGetCurrentProcessId
_vsnprintf
InitSafeBootMode
_wcsicmp
KeInitializeEvent
KeSetEvent
KeAreApcsDisabled
KeWaitForSingleObject
IoGetStackLimits
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
ObfReferenceObject
ObfDereferenceObject
KeExpandKernelStackAndCallout
SeTokenType
SeCreateClientSecurity
SeImpersonateClientEx
PsDereferencePrimaryToken
PsDereferenceImpersonationToken
PsRevertToSelf
KeBugCheck
RtlUnicodeStringToInteger
RtlGetVersion
RtlPrefixUnicodeString
_vsnwprintf
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
IoBuildDeviceIoControlRequest
IoVolumeDeviceToDosName
_wcsnicmp
ExAllocatePoolWithTag
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
PsThreadType
IoGetTopLevelIrp
PsGetCurrentThreadId
RtlCaptureStackBackTrace
NtCreateSection
FsRtlIsPagingFile
IoGetCurrentProcess
TmIsTransactionActive
PsGetProcessId
ExEventObjectType
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableAvl
ExAcquireFastMutex
ExReleaseFastMutex
MmProbeAndLockPages
MmUnlockPages
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoFreeMdl
IoIs32bitProcess
RtlInitializeBitMap
RtlClearBit
RtlSetBit
RtlTestBit
RtlClearAllBits
RtlAreBitsClear
InitializeSListHead
KeClearEvent
ObReferenceObjectByPointer
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwQueryFullAttributesFile
RtlIsNameLegalDOS8Dot3
IoGetDeviceAttachmentBaseRef
ObOpenObjectByPointer
ObQueryNameString
FsRtlDissectName
ZwQueryDirectoryFile
ZwFsControlFile
IoFileObjectType
MmUserProbeAddress
ExGetPreviousMode
ObRegisterCallbacks
ObUnRegisterCallbacks
IoThreadToProcess
PsGetProcessInheritedFromUniqueProcessId
ZwCreateEvent
ZwWaitForSingleObject
ZwSetEvent
ProbeForRead
ZwOpenProcess
RtlConvertSidToUnicodeString
KeStackAttachProcess
KeUnstackDetachProcess
SeTokenIsAdmin
PsReferencePrimaryToken
PsLookupProcessByProcessId
ZwOpenProcessTokenEx
ZwQueryInformationToken
ZwQueryInformationProcess
PsGetProcessSessionId
PsGetProcessWow64Process
PsGetProcessPeb
RtlEqualUnicodeString
PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetProcessCreateTimeQuadPart
ZwTerminateProcess
PsReferenceImpersonationToken
PsImpersonateClient
ZwSetInformationProcess
CmRegisterCallback
CmUnRegisterCallback
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
toupper
tolower
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlUpcaseUnicodeChar
RtlUpcaseUnicodeString
RtlDowncaseUnicodeString
KeInitializeDpc
KeFlushQueuedDpcs
KeDelayExecutionThread
KeInitializeTimer
KeCancelTimer
KeSetTimerEx
KeQueryTimeIncrement
PsGetVersion
ExAllocatePoolWithQuotaTag
RtlCompareUnicodeString
ZwClose

hal

KeQueryPerformanceCounter

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 178KB - Virtual size: 226KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.CRT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7b41830f9cd60f47af60c7c34504eb13

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45Certificate

Extended Key Usages

Key Usages

5c:01:10:72:f2:51:3d:a0:4f:46:47:46:30:43:2f:b5Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f3:bf:23:43:56:d7:45:1b:73:94:0c:95:d8:32:53:b0:e4:4c:5c:c0Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

fltmgr.sys

ntoskrnl.exe

hal

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 34KB - Virtual size: 34KB

.data Size: 178KB - Virtual size: 226KB

.pdata Size: 35KB - Virtual size: 35KB

.CRT Size: 2KB - Virtual size: 2KB

PAGE Size: 4KB - Virtual size: 4KB

INIT Size: 7KB - Virtual size: 6KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 49KB - Virtual size: 48KB

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

5c:01:10:72:f2:51:3d:a0:4f:46:47:46:30:43:2f:b5
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f3:bf:23:43:56:d7:45:1b:73:94:0c:95:d8:32:53:b0:e4:4c:5c:c0
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 34KB - Virtual size: 34KB

.data
Size: 178KB - Virtual size: 226KB

.pdata
Size: 35KB - Virtual size: 35KB

.CRT
Size: 2KB - Virtual size: 2KB

PAGE
Size: 4KB - Virtual size: 4KB

INIT
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 49KB - Virtual size: 48KB