9ec4a09502632e344aa4954df102d7a47c1f9947829722301e9518bedfe7c006_NeikiAnalytics[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

9ec4a09502632e344aa4954df102d7a47c1f9947829722301e9518bedfe7c006_NeikiAnalytics.exe
Size

2.0MB
MD5

72702ec9d93eb06f4700e6f26bec4970
SHA1

0f0cdf600fcaf9609aecad470f592c6ca5e7ede1
SHA256

9ec4a09502632e344aa4954df102d7a47c1f9947829722301e9518bedfe7c006
SHA512

43d6ece47cd3817865e6648ca48d57821cc6c41ad71cbad6cf3c1698fce6e2338135980219655de3c10aa41e372500f119e4392c57b9b5b988fcecf6c44d9ca9
SSDEEP

12288:raLeigU54crBAEs/o70FaP5v9m/xk9QEXy9ossxliqYDW4:mLeS4wyty0aVVXfsPDW

Score

1^/10

Malware Config

Signatures

Files

9ec4a09502632e344aa4954df102d7a47c1f9947829722301e9518bedfe7c006_NeikiAnalytics.exe
.dll regsvr32 windows:6 windows x86 arch:x86

09c091f84ecea661a9e49ebf18a07fee

Code Sign

33:00:00:00:70:f4:18:bf:23:21:fc:50:9d:00:00:00:00:00:70
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

20/03/2015, 17:32

Not After

20/06/2016, 17:32

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:F528-3777-8A76,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:d5:ab:ba:9f:d4:f7:9e:5f:11:cd:a2:0c:34:e7:7b:e3:61:b2:0b
Signer

Actual PE Digest

0a:d5:ab:ba:9f:d4:f7:9e:5f:11:cd:a2:0c:34:e7:7b:e3:61:b2:0b

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

P:\Target\x86\ship\osfclient\x-none\osf.pdb

Imports

kernel32

OpenFileMappingW
MapViewOfFile
FormatMessageW
GetCurrentThreadId
LeaveCriticalSection
EnterCriticalSection
EncodePointer
DeleteCriticalSection
InitializeCriticalSectionEx
GetLastError
RaiseException
DecodePointer
VirtualQuery
GetSystemInfo
ResetEvent
UnhandledExceptionFilter
WerRegisterMemoryBlock
VirtualProtect
GetTickCount
GetCurrentProcessId
HeapSetInformation
QueryPerformanceCounter
LoadLibraryExA
IsProcessorFeaturePresent
InterlockedPushEntrySList
InitializeSListHead
OutputDebugStringW
IsDebuggerPresent
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
IsWow64Process
GetVersionExW
SetUnhandledExceptionFilter
CreateWaitableTimerW
CancelWaitableTimer
SetWaitableTimer
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
LocalFree
LocalAlloc
OpenProcess
GetCurrentThread
TerminateProcess
GetCurrentProcess
CreateEventW
SleepEx
WaitForSingleObject
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
MulDiv
ReleaseSRWLockShared
AcquireSRWLockShared
GetTickCount64
CreateDirectoryW
GetFileAttributesExW
HeapAlloc
HeapReAlloc
HeapFree
GetProcessHeap
CopyFileW
DeleteFileW
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CompareFileTime
GetSystemTimeAsFileTime
CloseHandle
ReleaseSemaphore
WaitForSingleObjectEx
CreateEventExW
CreateSemaphoreExW
LCIDToLocaleName
SystemTimeToFileTime
FindClose
FindFirstFileW
FindNextFileW
ReleaseMutex
OpenMutexW
CreateMutexExW
FindFirstFileExW
GetFileAttributesW
RemoveDirectoryW
SetFileAttributesW
GetModuleFileNameW
SetEvent
WaitForMultipleObjectsEx
CreateFileW
GetFileSizeEx
ReadFile
FindAtomW
UnmapViewOfFile
GetEnvironmentVariableW

advapi32

GetLengthSid
RegQueryValueExW
EventWrite
SetThreadToken
OpenProcessToken
DuplicateTokenEx
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
RegCloseKey
EventRegister
EventUnregister
SetTokenInformation
ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
DeregisterEventSource
RegisterEventSourceW
RegOpenKeyExA
RegOpenKeyExW
ReportEventW

ole32

GetRunningObjectTable
CoDisconnectObject
CoReleaseMarshalData
CoUnmarshalInterface
OleRegGetUserType
CreateItemMoniker
CoMarshalInterface
CoCreateInstance
CreateOleAdviseHolder
CoTaskMemFree
CreateStreamOnHGlobal
IIDFromString
CoCreateGuid
IsAccelerator
OleRegEnumVerbs
CoRegisterPSClsid
StringFromGUID2
OleRegGetMiscStatus

oleaut32

SafeArrayUnlock
SafeArrayLock
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayRedim
SafeArrayDestroy
SafeArrayCreate
SysAllocStringByteLen
SysStringByteLen
SysAllocStringLen
SysStringLen
SysAllocString
OleCreatePropertyFrame
VariantCopyInd
VariantInit
SysFreeString
VariantCopy
VarBstrCat
SafeArrayCreateVector
SafeArrayGetVartype
SafeArrayPtrOfIndex
SafeArrayCopy
VariantClear
SafeArrayPutElement
SafeArrayGetElement
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetDim
LoadTypeLi
LoadRegTypeLi

vcruntime140

memcmp
wcsrchr
wcsstr
wcschr
__RTDynamicCast
__std_exception_destroy
__std_exception_copy
__std_type_info_hash
memmove
memcpy
memset
__std_terminate
_CxxThrowException
__CxxFrameHandler3
__std_type_info_compare
__std_type_info_destroy_list
_except_handler4_common
__vcrt_InitializeCriticalSectionEx
__telemetry_main_return_trigger
__telemetry_main_invoke_trigger

msvcp140

?_Xbad_function_call@std@@YAXXZ
?_Xout_of_range@std@@YAXPBD@Z
?_Xlength_error@std@@YAXPBD@Z
_Query_perf_counter
_Query_perf_frequency
?_Xbad_alloc@std@@YAXXZ

api-ms-win-crt-heap-l1-1-0

malloc
free

api-ms-win-crt-runtime-l1-1-0

terminate
_invalid_parameter_noinfo
_errno
_seh_filter_dll
_initterm
_invalid_parameter_noinfo_noreturn
_cexit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_initterm_e

api-ms-win-crt-string-l1-1-0

wcsncmp
isupper
wcscpy_s
wcscspn
tolower
_wcsicmp
iswdigit
wcscat_s
_wcsnicmp
wcsncpy_s

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-convert-l1-1-0

_itow_s
_ui64tow_s
_wtol

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsnwprintf_s
__stdio_common_vswprintf_s
__stdio_common_vswscanf
__stdio_common_vswprintf

api-ms-win-crt-math-l1-1-0

_except1

api-ms-win-crt-locale-l1-1-0

__initialize_lconv_for_unsigned_char

gdi32

CreateDIBSection
SelectObject
DeleteObject
CreateCompatibleDC
BitBlt
CreateRectRgnIndirect
SetWindowOrgEx
SetViewportOrgEx
CreateDCW
LPtoDP
SetMapMode
SaveDC
RestoreDC
GetDeviceCaps
DeleteDC
GetObjectW
CreatePolygonRgn
CreateSolidBrush
SetRectRgn
CombineRgn
CreateRectRgn

msimg32

AlphaBlend

ws2_32

WSACleanup
getaddrinfo
freeaddrinfo
WSAStartup

Exports

Exports

?CreateAppCommandSolutionRef@@YGJPB_WABUAppVersion@@W4OsfStoreType@@000PAUIOsfAppCommandReference@Osf@@PAPAUIOsfSolutionReference@@@Z
?CreateCacheForExtensionResource@@YGXPB_WPBUIWebAddInStringCollection@Osf@@I$$QAV?$function@$$A6GXHAAV?$map@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@V?$allocator@U?$pair@$$CBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@std@@@Z@std@@@Z
?CreateCacheForPreinstalledApps@@YGXXZ
?CreateSolutionRef@@YGJPB_WABUAppVersion@@W4OsfStoreType@@000_NPAPAUIOsfSolutionReference@@@Z
?CreateSolutionRefFromMarketplaces@@YGJABUOsfMarketplace@@0_NPAPAUIOsfSolutionReference@@@Z
?CreateSolutionRefFromPersistence@@YGJPBUIOsfExtensionPersistence@@_NPAPAUIOsfSolutionReference@@@Z
?FillMarketplacesFromSolutionRef@@YGJPBUIOsfSolutionReference@@AAUOsfMarketplace@@1@Z
?GetOsfIntlDllInstance@@YGPAUHINSTANCE__@@XZ
?GetServiceManager@@YGPAVServiceManager@@XZ
?IsStorageCompatibleWithOsfSolutionReference@@YG_NPBUIOsfSolutionReference@@PBUIOsfExtensionPersistence@@@Z
?OSFInitialize@@YGJW4OsfHost@@PAUIOfficeSolutionFrameworkHost@@PAPAUIOfficeSolutionFramework@@@Z
?OSFLoadString@@YGHIPA_WH@Z
DllCanUnloadNow
DllGetClassObject
DllInstall
DllRegisterServer
DllUnregisterServer
_CreateOsfRibbonManager@12
_DoHostControlledWefGalleryWebDialog@32
_DoWefGalleryWebDialogInitTab@16

Sections

.text
Size: 589KB - Virtual size: 589KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 154KB - Virtual size: 154KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 207KB - Virtual size: 208KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

09c091f84ecea661a9e49ebf18a07fee

Code Sign

33:00:00:00:70:f4:18:bf:23:21:fc:50:9d:00:00:00:00:00:70Certificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

0a:d5:ab:ba:9f:d4:f7:9e:5f:11:cd:a2:0c:34:e7:7b:e3:61:b2:0bSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ole32

oleaut32

vcruntime140

msvcp140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

gdi32

msimg32

ws2_32

Exports

Exports

Sections

.text Size: 589KB - Virtual size: 589KB

.rdata Size: 154KB - Virtual size: 154KB

.data Size: 207KB - Virtual size: 208KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 38KB - Virtual size: 38KB

.reloc Size: 45KB - Virtual size: 45KB

33:00:00:00:70:f4:18:bf:23:21:fc:50:9d:00:00:00:00:00:70
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

0a:d5:ab:ba:9f:d4:f7:9e:5f:11:cd:a2:0c:34:e7:7b:e3:61:b2:0b
Signer

.text
Size: 589KB - Virtual size: 589KB

.rdata
Size: 154KB - Virtual size: 154KB

.data
Size: 207KB - Virtual size: 208KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 38KB - Virtual size: 38KB

.reloc
Size: 45KB - Virtual size: 45KB