kpot | 230c75bc525b6ee25ca17be2d1630b361983f1a10e15b33f782ca3cfb983df38

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe
Size

1.2MB
MD5

32f75ff62b7b3b61511d05a4cff972b0
SHA1

6622cec40fa950c7875971257594122d436838ac
SHA256

230c75bc525b6ee25ca17be2d1630b361983f1a10e15b33f782ca3cfb983df38
SHA512

90fcbd11aabd987cec243355ba2d99bb228be844f8fda8d3088aac89d781ec28ab4ecf215ee26644120453ba9a24c4caea6300118a9cb453d8403ea51e3fc896
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChI/W:E5aIwC+Agr6S/FEVN

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bb6-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4848-15-0x0000000002FE0000-0x0000000003009000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
Token: SeTcbPrivilege	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4848	32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe
3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3572	4848	32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe	84
PID 4848 wrote to memory of 3572	4848	32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe	84
PID 4848 wrote to memory of 3572	4848	32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe	84
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3572 wrote to memory of 8	3572	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	85
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 3164 wrote to memory of 860	3164	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	102
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116
PID 4232 wrote to memory of 1140	4232	32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\32f75ff62b7b3b61511d05a4cff972b0_NEAS.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:8

C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:860

C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\32f86ff72b8b3b71611d06a4cff982b0_NFAS.exe

Filesize
1.2MB

MD5
32f75ff62b7b3b61511d05a4cff972b0

SHA1
6622cec40fa950c7875971257594122d436838ac

SHA256
230c75bc525b6ee25ca17be2d1630b361983f1a10e15b33f782ca3cfb983df38

SHA512
90fcbd11aabd987cec243355ba2d99bb228be844f8fda8d3088aac89d781ec28ab4ecf215ee26644120453ba9a24c4caea6300118a9cb453d8403ea51e3fc896

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
55KB

MD5
ad0b997309fd30253a0119a6c3db769b

SHA1
838da84711562998af3038ac796d156ed2c3c998

SHA256
7a07cada03846ed56f6b104d8ca7e7ba8c9acbe566bf680d44448e245348311f

SHA512
d0ab10e86e3a300449c1b6e7ea900977061b5b4e76059bd284031d50a731ce7bc55898dd06e053108bcd4d26b08048f3c4ed132b61b027dc368fb4fb7a1db681

Download Submit
memory/8-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/8-51-0x000001994A8E0000-0x000001994A8E1000-memory.dmp

Filesize
4KB

Download
memory/3164-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3164-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3164-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3572-26-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/3572-28-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-36-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-27-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-33-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-37-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-32-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-35-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3572-34-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-31-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3572-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3572-29-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-30-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3572-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4848-6-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-4-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4848-2-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-14-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-15-0x0000000002FE0000-0x0000000003009000-memory.dmp

Filesize
164KB

Download
memory/4848-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4848-5-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-3-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-7-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-8-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-9-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-10-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-11-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-12-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4848-13-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download