kpot | b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe
Size

1.3MB
MD5

39bc32190952310708a7fe023e985ec5
SHA1

347066cc8105f3c1a602962a931ced30e7a80694
SHA256

b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf
SHA512

9295d725e06acb21e9445d61ee71404b0e8059862604dc819df1405e53567243cd0f3c67f47f809f9cbdebec0e03ddb7b19e8a24eca3c54773ec394c393771ea
SSDEEP

24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSMOR:E5aIwC+Agr6g81p1vsrNiv

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b99-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/316-15-0x0000000002D20000-0x0000000002D49000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
Token: SeTcbPrivilege	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
316	b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe
3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 3668	316	b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe	84
PID 316 wrote to memory of 3668	316	b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe	84
PID 316 wrote to memory of 3668	316	b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe	84
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 3668 wrote to memory of 4576	3668	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	85
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 4504 wrote to memory of 3636	4504	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	103
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116
PID 5096 wrote to memory of 2716	5096	b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe
"C:\Users\Admin\AppData\Local\Temp\b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4576

C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3636

C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\b99b31331d99770942f8244d7dd3e10007fcef8c81ad7ecaa91b7ef3d99698cf.exe

Filesize
1.3MB

MD5
39bc32190952310708a7fe023e985ec5

SHA1
347066cc8105f3c1a602962a931ced30e7a80694

SHA256
b88b31331d88660942f7244d6dd3e10006fcef7c71ad6ecaa91b6ef3d98587cf

SHA512
9295d725e06acb21e9445d61ee71404b0e8059862604dc819df1405e53567243cd0f3c67f47f809f9cbdebec0e03ddb7b19e8a24eca3c54773ec394c393771ea

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
67KB

MD5
b02147a9804bc7e092fe59893cbec655

SHA1
333be9a3060db793cc4b9a0da0561d1c7927679d

SHA256
e17761b66f8fb8428ac19f8c7aaed1ce49ee6111fa3c528ef68eae04dc89530e

SHA512
617b16d3006b29d58342421c9d7de14f3efebcd980d5b443bbdc457758146ca159fe6ceb5168eeeb17734bef365c6f597b9f85840638339c6672bff0b6422fcc

Download Submit
memory/316-14-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-13-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-12-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-11-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-10-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-9-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-8-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-7-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-6-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-5-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-4-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-3-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-2-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/316-15-0x0000000002D20000-0x0000000002D49000-memory.dmp

Filesize
164KB

Download
memory/316-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/316-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3668-34-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3668-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3668-37-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-36-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-35-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-27-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-33-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-32-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-31-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-30-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-29-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-28-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-26-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3668-51-0x0000000002C90000-0x0000000002D4E000-memory.dmp

Filesize
760KB

Download
memory/3668-53-0x0000000003240000-0x0000000003509000-memory.dmp

Filesize
2.8MB

Download
memory/4504-68-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-61-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-67-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4504-66-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-65-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-64-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-63-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-62-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-69-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-60-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-59-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-58-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/4504-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4576-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4576-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4576-52-0x0000020E66B70000-0x0000020E66B71000-memory.dmp

Filesize
4KB

Download