kpot | 2a2ee22cdc5eb2c8892c1475ef4dd7b1fe6a9c85988a95634083608f1d5f462a

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48efad4b620a726cd49238df0de9b840_NEAS.exe
Size

1.3MB
MD5

48efad4b620a726cd49238df0de9b840
SHA1

92b7e6dd1ad49d553718da6671306854a7939875
SHA256

2a2ee22cdc5eb2c8892c1475ef4dd7b1fe6a9c85988a95634083608f1d5f462a
SHA512

b1a1498a362cd39eb518f2282e45ded44f5fa75c2a32a8e5cb37eef1c22e252a80950fd098166ad648cbc8dcc851e322b01be14f8e9eb9795c8d18a6a4a8adee
SSDEEP

24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOrt0JD:E5aIwC+Agr6g81p1vsrNir

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba9-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3856-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1668	49efad4b720a827cd49239df0de9b940_NFAS.exe
1628	49efad4b720a827cd49239df0de9b940_NFAS.exe
464	49efad4b720a827cd49239df0de9b940_NFAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe
Token: SeTcbPrivilege	464	49efad4b720a827cd49239df0de9b940_NFAS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3856	48efad4b620a726cd49238df0de9b840_NEAS.exe
1668	49efad4b720a827cd49239df0de9b940_NFAS.exe
1628	49efad4b720a827cd49239df0de9b940_NFAS.exe
464	49efad4b720a827cd49239df0de9b940_NFAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 1668	3856	48efad4b620a726cd49238df0de9b840_NEAS.exe	84
PID 3856 wrote to memory of 1668	3856	48efad4b620a726cd49238df0de9b840_NEAS.exe	84
PID 3856 wrote to memory of 1668	3856	48efad4b620a726cd49238df0de9b840_NEAS.exe	84
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1668 wrote to memory of 1348	1668	49efad4b720a827cd49239df0de9b940_NFAS.exe	85
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 1628 wrote to memory of 2076	1628	49efad4b720a827cd49239df0de9b940_NFAS.exe	102
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116
PID 464 wrote to memory of 3028	464	49efad4b720a827cd49239df0de9b940_NFAS.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\48efad4b620a726cd49238df0de9b840_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\48efad4b620a726cd49238df0de9b840_NEAS.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1348

C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2076

C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\49efad4b720a827cd49239df0de9b940_NFAS.exe

Filesize
1.3MB

MD5
48efad4b620a726cd49238df0de9b840

SHA1
92b7e6dd1ad49d553718da6671306854a7939875

SHA256
2a2ee22cdc5eb2c8892c1475ef4dd7b1fe6a9c85988a95634083608f1d5f462a

SHA512
b1a1498a362cd39eb518f2282e45ded44f5fa75c2a32a8e5cb37eef1c22e252a80950fd098166ad648cbc8dcc851e322b01be14f8e9eb9795c8d18a6a4a8adee

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
18KB

MD5
e92b16303648291d8fcc4bd8c5ddb365

SHA1
483f45b1b185b686ed6e5ae05d104969795871ca

SHA256
f78fd5c07eff695e616e507b7d6150902a5f9794784e69bf92a8038b46ca1a4d

SHA512
589ad2bf356b9a3a2d1dc5b7ef45f10da444ce80e3532fa2caa51cd427e89263451826562e4304f612300f336d9febe0a45572fcdf6918db02d77391bc713f78

Download Submit
memory/1348-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1348-51-0x0000013F7A090000-0x0000013F7A091000-memory.dmp

Filesize
4KB

Download
memory/1628-66-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-69-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-64-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-65-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-59-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-67-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-68-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-62-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-63-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-61-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-60-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-58-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1628-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1628-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1668-31-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-52-0x0000000002C50000-0x0000000002D0E000-memory.dmp

Filesize
760KB

Download
memory/1668-35-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-34-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-33-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-32-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-53-0x0000000003190000-0x0000000003459000-memory.dmp

Filesize
2.8MB

Download
memory/1668-30-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-29-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-28-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-27-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-26-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1668-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1668-37-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1668-36-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/3856-10-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-11-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-3-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-4-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-6-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-2-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-7-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-8-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-9-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-12-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-13-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3856-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3856-14-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp

Filesize
164KB

Download