76c39773f1b2801f46d8856d7ad46b97ef500ac07febec3f0bcf623c326aea87

General

Target

kpot.exe
Size

85KB
MD5

1562b53d6506283b35d3beaf2dec92e8
SHA1

fcf2918829132cd43890129b8255f1d1533e07ab
SHA256

76c39773f1b2801f46d8856d7ad46b97ef500ac07febec3f0bcf623c326aea87
SHA512

3ecc8951c9dd308b59a69f7966956abf703c58d8f2f6ca059f9a9350e8d6679eb8063c7c31e4247cfd1cf31f2e2296c53b57b46f9c5b50fdf59c196950ac51b4

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "333730452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30899938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "333713858"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cd5db9e27ed701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899938"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1990252144"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad85d233b5cae84097a520626a0c9cd600000000020000000000106600000001000020000000918dd71630cc2d29bab879ca342d4224a5dfa92785b5b0948704ed6e0e511d44000000000e8000000002000020000000ad5d3f66b1cf6962d877266f160ec350b267d5f0f5282d76bb28fb542093e3f220000000ab4c190d6eff7e4062594b9e5c1c53b4b1eeff7112fc2e9021d889eadb3e19ba4000000080b8d9dfab3b1d2702ad93e2d45a4730e2c46208a1f21127acd59a3e0940bbbee419180c4f3facf573670d224cdfa281a7b8aa752d3a303093eef3bb0eb8e26b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08f8db9e27ed701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad85d233b5cae84097a520626a0c9cd600000000020000000000106600000001000020000000883c9128c72903ae5e8eb1d34f0507ef0cf3ff3fb5bf37e0c722e278b800b285000000000e8000000002000020000000c0a793040e7ec4f142e7d48e99ea2c06f4e9c4de5d0a3eece098dc152590b8d1200000004a1c7b297a15272e92bec31cc5b1ec482c8c8d103c9d49c72133849abe49f17140000000dbb8ab6046d92f6783b8b0bf13c3490a481d5655bb7fca2f8d100df5edc5bad44c1ccd2d02b8e7cc960c4b69c09d1b008dd7a4f555609f68fbc2dda64f475d47	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A225703E-EAD5-11EB-A11C-D22FD1FF01E8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1990252144"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "333762443"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1995096494"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

kpot.exe

pid process

4016 kpot.exe
4016 kpot.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1152 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1152 iexplore.exe
1152 iexplore.exe
1908 IEXPLORE.EXE
1908 IEXPLORE.EXE

pid	process
4016	kpot.exe
4016	kpot.exe

pid	process
1152	iexplore.exe

pid	process
1152	iexplore.exe
1152	iexplore.exe
1908	IEXPLORE.EXE
1908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1152 wrote to memory of 1908	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1908	1152	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 1908	1152	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\kpot.exe
"C:\Users\Admin\AppData\Local\Temp\kpot.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
4b8ffe79016c051a1fa57e4ab8ee0e0b

SHA1
a06394b4c74aad7d296327a942729db01486ea26

SHA256
75e171759473658cd648f09d099b249f99a7cb139732201576b07c4554a9c4b9

SHA512
6a057cc6cc12715d6324e0cb8c22c3d1ff5a8bd20c5ecd10e64ae155a5a5936a972374fa8005d9cf195fdd44deeb24e54f27d3eba78aa0f3a82e03e272e39091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
e6a52900fa1b57fb98d31607ccb5e3e3

SHA1
696f039a096926e592dbf79b8f7d1230eb4c64b1

SHA256
3bcf9c5d71fe840e5c0cfa267487ee55d9c05bbefb8003c16f67709248f0d539

SHA512
ee1a7724e3eb15413f75170c0eedf8454130769e85083ee8fa6853c0c0cafe21542c52ddec8f34dc6cfeeefcfa85d7911e3dd88a0daea82add873148ca00d23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\4RU4NWAL.cookie
MD5
5f6ed9be4c0c7c7589a994f9afb5770c

SHA1
4413ecfecd5729d252b57830799f04d17fad96bb

SHA256
0a57a58f40d6a62975d5ce0929275e287322832ea45b242066e23c6939195826

SHA512
6f6bd8aa910401b8f2e810816b694e4e2760a82e89f56e136ee374c3d75271dd8c978a0cbe8cf9b3e079b12ea0903d60b48be8cd8552c009bc7fb46f0f9ecf2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8VRKMH74.cookie
MD5
5bd6c3599ebdc731500e89f6924baa35

SHA1
22ce685233106b5b99b91ea57c23884ab4ec55ac

SHA256
814b101aecba14b1ac8e6559a075ec8a50fe1d5caaf6c6fdfed95b9080f2182a

SHA512
c4447646041b1185599a3ece9074f89be0bf02a3a8e5820b451fc382c08227a44ff4a0524573826c7e291683cbf9ae1e9aa72c9b2ade823b3346d879111c960a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IVOPCV42.cookie
MD5
bcded513280e7e15f4a9b46c9f174f03

SHA1
ee97447c1f0f960fbf195c6be80aed6e713dd3c2

SHA256
06324275230d7da71c53759f093f784fa7671a0156623225ca4e6c7922ac14ea

SHA512
a63ac4dda6ed2c0b105815fad7cf9fabca52b37fe2523e1697bbbec61386c39ca021d775cd5bb40a8b4a436bdc913fd6831555d7f653e2737157dbda00577853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P47RWLLG.cookie
MD5
341c7a6c6b9288af69b24af3fad6854c

SHA1
f9946cc93e718987f24c693787234f2dd06b487e

SHA256
6fee2dba8b632b2fd44fb5a782b8b737e8bfdcfb8474689530cce7b8dc75b8ec

SHA512
795676b4830debd37162b64ecadbc185e996478fc578f0bdd2fe2254660071fd73e001dbedb0d9af990bfb191cc87b55f0304d0d4242f10baedb97a97df4cc05

Download Submit
memory/1152-114-0x00007FF9610D0000-0x00007FF96113B000-memory.dmp

Filesize
428KB

Download
memory/1908-115-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing