kpot | b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

614bf24801b45e4471544ea4abd51d00_NEAS.exe
Size

1.3MB
MD5

614bf24801b45e4471544ea4abd51d00
SHA1

3b88a131c3133294dfcaa53ce90f50121e0baf72
SHA256

b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b
SHA512

bec241b88d95d0b74fd5d823cac9f2df83b4c7bc482475c3dcb7b33b8516751edfccf384bede898b86f3cee4ef38c60caa0b1da8467e8f604e9e703afb63da18
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMc7qzz1IojVD0UOSQk:E5aIwC+Agr6twjVD3

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bb7-22.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1360-15-0x0000000002AF0000-0x0000000002B19000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe
892	714bf24901b46e4481644ea4abd61d00_NFAS.exe
796	714bf24901b46e4481644ea4abd61d00_NFAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe
Token: SeTcbPrivilege	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1360	614bf24801b45e4471544ea4abd51d00_NEAS.exe
1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe
892	714bf24901b46e4481644ea4abd61d00_NFAS.exe
796	714bf24901b46e4481644ea4abd61d00_NFAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1652	1360	614bf24801b45e4471544ea4abd51d00_NEAS.exe	85
PID 1360 wrote to memory of 1652	1360	614bf24801b45e4471544ea4abd51d00_NEAS.exe	85
PID 1360 wrote to memory of 1652	1360	614bf24801b45e4471544ea4abd51d00_NEAS.exe	85
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 1652 wrote to memory of 3748	1652	714bf24901b46e4481644ea4abd61d00_NFAS.exe	86
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 892 wrote to memory of 4700	892	714bf24901b46e4481644ea4abd61d00_NFAS.exe	103
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115
PID 796 wrote to memory of 1360	796	714bf24901b46e4481644ea4abd61d00_NFAS.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\614bf24801b45e4471544ea4abd51d00_NEAS.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3748

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4700

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\714bf24901b46e4481644ea4abd61d00_NFAS.exe

Filesize
1.3MB

MD5
614bf24801b45e4471544ea4abd51d00

SHA1
3b88a131c3133294dfcaa53ce90f50121e0baf72

SHA256
b7967c41436768839f4078e3adacd28d69beabdcc8c159e7e8dc6c934b8f043b

SHA512
bec241b88d95d0b74fd5d823cac9f2df83b4c7bc482475c3dcb7b33b8516751edfccf384bede898b86f3cee4ef38c60caa0b1da8467e8f604e9e703afb63da18

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
47KB

MD5
9adc01e18ed79e9872eb0b6f7ada00e1

SHA1
0bc8ab77c60b599805e1e1a5c9cad57d434c3e4c

SHA256
fa2c601c8d8d0ae03dce073869436e1680989df33154201d5680a2b9152e1c51

SHA512
4ee567c5a528b907bd2f84b283c12095d4803789d1431e7c3ade14aba96b0f745eab42274bbb7e117d506cdb4168b70ec2f72a67c323e9561ce3291360a0003b

Download Submit
memory/892-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/892-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/892-59-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-61-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-64-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-66-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-67-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-68-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-69-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-65-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-63-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-62-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-60-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/892-58-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1360-6-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-2-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-14-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1360-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1360-15-0x0000000002AF0000-0x0000000002B19000-memory.dmp

Filesize
164KB

Download
memory/1360-13-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-12-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-11-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-10-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-9-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-8-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-7-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-4-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1360-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1652-33-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-32-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/1652-37-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-35-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-28-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-29-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-31-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1652-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1652-36-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-26-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-27-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1652-30-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1652-34-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3748-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3748-51-0x0000020BF2D50000-0x0000020BF2D51000-memory.dmp

Filesize
4KB

Download