kpot | df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4

General

Target

df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe
Size

246KB
MD5

d1f2ab77ca6038dfb5d09fcf67ab1b12
SHA1

982d9cdb8320861c533986eb6d2c3ac789f4d676
SHA256

df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4
SHA512

69487443c457e8bb9f2ba8707c418b3f2a210d25014991d5a22e40a9b61824bc9f8395e1427d38843876f47236cb4dc74efc1494d25ecaad6e570ce6059ab166

Score

10^/10

kpot stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5048-130-0x0000000000A20000-0x0000000000A3B000-memory.dmp	family_kpot
behavioral2/memory/5048-132-0x0000000002320000-0x000000000240C000-memory.dmp	family_kpot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 138.197.140.189
Destination IP 138.197.140.189
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 18 https://api.opennicproject.org/geoip/?bare
HTTP URL 38 https://api.opennicproject.org/geoip/?bare
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3624 PING.EXE

description	ioc
Destination IP	138.197.140.189
Destination IP	138.197.140.189

description	flow	ioc
HTTP URL	18	https://api.opennicproject.org/geoip/?bare
HTTP URL	38	https://api.opennicproject.org/geoip/?bare

pid	process
3624	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.execmd.exe

description	pid	process	target process
PID 5048 wrote to memory of 2928	5048	df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe	cmd.exe
PID 5048 wrote to memory of 2928	5048	df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe	cmd.exe
PID 5048 wrote to memory of 2928	5048	df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe	cmd.exe
PID 2928 wrote to memory of 3624	2928	cmd.exe	PING.EXE
PID 2928 wrote to memory of 3624	2928	cmd.exe	PING.EXE
PID 2928 wrote to memory of 3624	2928	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe
"C:\Users\Admin\AppData\Local\Temp\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\df830756b173bc76343634c2600054b1fcaa5ee3ccbb2f534f22049edcc045d4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-133-0x0000000000000000-mapping.dmp

Download
memory/3624-134-0x0000000000000000-mapping.dmp

Download
memory/5048-130-0x0000000000A20000-0x0000000000A3B000-memory.dmp

Filesize
108KB

Download
memory/5048-132-0x0000000002320000-0x000000000240C000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads