kpot | 9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee

General

Target

9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe
Size

1.1MB
MD5

948a55cce8a6f69a0bb160c9a277e978
SHA1

a2ea0645a781a18b361de80919fdb1722a93c09e
SHA256

9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee
SHA512

a439fe40a4b9fb23e56a11b944f6c014432979aba34d164a1135f7faf67aad1b29da797f7fd17bfb8eb69044de51478c47ce8be4b33a32f9bf76439aab36246f
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/ZSeE7LTI3m7D:E5aIwC+Agr6S/FFCwrr1X

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1764-17-0x0000000002500000-0x0000000002529000-memory.dmp	trickbot_loader32
behavioral2/memory/1764-19-0x0000000002500000-0x0000000002529000-memory.dmp	trickbot_loader32
behavioral2/memory/844-43-0x00000000021E0000-0x0000000002209000-memory.dmp	trickbot_loader32
behavioral2/memory/1764-50-0x0000000002500000-0x0000000002529000-memory.dmp	trickbot_loader32
behavioral2/memory/844-59-0x00000000021E0000-0x0000000002209000-memory.dmp	trickbot_loader32
behavioral2/memory/2548-80-0x0000000001620000-0x0000000001649000-memory.dmp	trickbot_loader32
behavioral2/memory/2548-94-0x0000000001620000-0x0000000001649000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

pid	process
844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

description pid process

Token: SeTcbPrivilege 2548 9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

description	pid	process
Token: SeTcbPrivilege	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

pid	process
1764	9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe
844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe

description	pid	process	target process
PID 1764 wrote to memory of 844	1764	9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
PID 1764 wrote to memory of 844	1764	9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
PID 1764 wrote to memory of 844	1764	9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 844 wrote to memory of 1020	844	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe
PID 2548 wrote to memory of 3148	2548	9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe
"C:\Users\Admin\AppData\Local\Temp\9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Roaming\WinSocket\9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3880

C:\Users\Admin\AppData\Roaming\WinSocket\9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\9cdcd8f9b92936d89f16bfad804049b9992a129ece9826f6aa4afbaeda9988ee.exe
Filesize
1.1MB

MD5
948a55cce8a6f69a0bb160c9a277e978

SHA1
a2ea0645a781a18b361de80919fdb1722a93c09e

SHA256
9cdcd7f8b82935d78f15bfad704049b8982a129ece8725f5aa4afbaeda8877ee

SHA512
a439fe40a4b9fb23e56a11b944f6c014432979aba34d164a1135f7faf67aad1b29da797f7fd17bfb8eb69044de51478c47ce8be4b33a32f9bf76439aab36246f

Download Submit
memory/844-41-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/844-57-0x00000000030E0000-0x000000000319E000-memory.dmp

Filesize
760KB

Download
memory/844-38-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-37-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-52-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/844-30-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/844-43-0x00000000021E0000-0x0000000002209000-memory.dmp

Filesize
164KB

Download
memory/844-36-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-32-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-31-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-58-0x00000000031A0000-0x0000000003469000-memory.dmp

Filesize
2.8MB

Download
memory/844-42-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-35-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-34-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-33-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-59-0x00000000021E0000-0x0000000002209000-memory.dmp

Filesize
164KB

Download
memory/844-27-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-28-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/844-29-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1020-51-0x00000290A44B0000-0x00000290A44B1000-memory.dmp

Filesize
4KB

Download
memory/1020-53-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1764-16-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-2-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-17-0x0000000002500000-0x0000000002529000-memory.dmp

Filesize
164KB

Download
memory/1764-3-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-15-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1764-14-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-13-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-12-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-11-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-10-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-9-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-8-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-7-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-6-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-50-0x0000000002500000-0x0000000002529000-memory.dmp

Filesize
164KB

Download
memory/1764-5-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-4-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1764-19-0x0000000002500000-0x0000000002529000-memory.dmp

Filesize
164KB

Download
memory/2548-67-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-73-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-66-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-65-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-71-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-70-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-69-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-68-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-94-0x0000000001620000-0x0000000001649000-memory.dmp

Filesize
164KB

Download
memory/2548-74-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-72-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-64-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-78-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2548-80-0x0000000001620000-0x0000000001649000-memory.dmp

Filesize
164KB

Download
memory/2548-79-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/2548-86-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/2548-92-0x0000000001C00000-0x0000000001CBE000-memory.dmp

Filesize
760KB

Download
memory/2548-75-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads