kpot | 2bbbbc59558516e2781b6187be3caa21b3daf34ea35cedcba41038d100f6cb80

Analysis

max time kernel
138s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

280df8175f9acb9219baef6b26693210_NEAS.exe
Size

1.2MB
MD5

280df8175f9acb9219baef6b26693210
SHA1

3510bf9dacd94065039ab3ecba55b24ce0e016f5
SHA256

2bbbbc59558516e2781b6187be3caa21b3daf34ea35cedcba41038d100f6cb80
SHA512

9efd5d51abbc7a5eddc6e76a607e246e1c8a277a47bdd1aec930e32babec8dc278bddb947c07684bdc20694f0a82f853a0de97f035894656e67bf6190a009fe9
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sdr36OTcgapChIv:E5aIwC+Agr6S/FEVe

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b82-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2704-16-0x00000000021F0000-0x0000000002219000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4052	290df9186f9acb9219baef7b27793210_NFAS.exe
3416	290df9186f9acb9219baef7b27793210_NFAS.exe
5060	290df9186f9acb9219baef7b27793210_NFAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3416	290df9186f9acb9219baef7b27793210_NFAS.exe
Token: SeTcbPrivilege	5060	290df9186f9acb9219baef7b27793210_NFAS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2704	280df8175f9acb9219baef6b26693210_NEAS.exe
4052	290df9186f9acb9219baef7b27793210_NFAS.exe
3416	290df9186f9acb9219baef7b27793210_NFAS.exe
5060	290df9186f9acb9219baef7b27793210_NFAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4052	2704	280df8175f9acb9219baef6b26693210_NEAS.exe	83
PID 2704 wrote to memory of 4052	2704	280df8175f9acb9219baef6b26693210_NEAS.exe	83
PID 2704 wrote to memory of 4052	2704	280df8175f9acb9219baef6b26693210_NEAS.exe	83
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 4052 wrote to memory of 3168	4052	290df9186f9acb9219baef7b27793210_NFAS.exe	84
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 3416 wrote to memory of 380	3416	290df9186f9acb9219baef7b27793210_NFAS.exe	100
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115
PID 5060 wrote to memory of 396	5060	290df9186f9acb9219baef7b27793210_NFAS.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\280df8175f9acb9219baef6b26693210_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\280df8175f9acb9219baef6b26693210_NEAS.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3168

C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:380

C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\290df9186f9acb9219baef7b27793210_NFAS.exe

Filesize
1.2MB

MD5
280df8175f9acb9219baef6b26693210

SHA1
3510bf9dacd94065039ab3ecba55b24ce0e016f5

SHA256
2bbbbc59558516e2781b6187be3caa21b3daf34ea35cedcba41038d100f6cb80

SHA512
9efd5d51abbc7a5eddc6e76a607e246e1c8a277a47bdd1aec930e32babec8dc278bddb947c07684bdc20694f0a82f853a0de97f035894656e67bf6190a009fe9

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
39KB

MD5
df549cad1ee7041fb86dfc07a8d94f25

SHA1
71e74c8c42c0b3c481815caa361386963f4d2db0

SHA256
2ab994eaaaa46dcd0bdc54bc09ff580190fbc805fd628326e8d6ccb4b86e08ef

SHA512
4a143bccd682a5dc6bc7114f724eb91efd480028ba6449f73f90abc2ea3cd1487aabf63b5222f099197cd5b20ca7a1a348bbbfdd49724a5ed5ff97a6e64e4bc3

Download Submit
memory/2704-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-10-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-9-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-6-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-14-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-11-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-16-0x00000000021F0000-0x0000000002219000-memory.dmp

Filesize
164KB

Download
memory/2704-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2704-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2704-12-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2704-13-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3168-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3168-51-0x000002DC8D680000-0x000002DC8D681000-memory.dmp

Filesize
4KB

Download
memory/3416-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3416-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3416-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3416-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4052-35-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-28-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4052-26-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/4052-27-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4052-29-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4052-36-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-30-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-31-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-32-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-33-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-34-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4052-37-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download