kpot | b9099e6b5cb7a631aef9551575a83e5f5b7bf5121bdd76ee7f96c50155e63753

Analysis

max time kernel
135s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63dd50459022417355a344051addbb40_NEAS.exe
Size

926KB
MD5

63dd50459022417355a344051addbb40
SHA1

0c63375768c07404e70aa5af77061d6cc2f4b901
SHA256

b9099e6b5cb7a631aef9551575a83e5f5b7bf5121bdd76ee7f96c50155e63753
SHA512

135710986db626bdf75834ff9779d130d59f63d5afb6df7e45addc6d321154a57176d8a526ff314779c531660e556ab1de50c943392689a7a66943267cf92c08
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQNhW4L+OR9a:zQ5aILMCfmAUjzX6xQtjmsNLRu

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bb6-22.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1040-15-0x00000000021D0000-0x00000000021F9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
2100	73dd60469022418366a344061addbb40_NFAS.exe
1332	73dd60469022418366a344061addbb40_NFAS.exe
4232	73dd60469022418366a344061addbb40_NFAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1332	73dd60469022418366a344061addbb40_NFAS.exe
Token: SeTcbPrivilege	4232	73dd60469022418366a344061addbb40_NFAS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1040	63dd50459022417355a344051addbb40_NEAS.exe
2100	73dd60469022418366a344061addbb40_NFAS.exe
1332	73dd60469022418366a344061addbb40_NFAS.exe
4232	73dd60469022418366a344061addbb40_NFAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2100	1040	63dd50459022417355a344051addbb40_NEAS.exe	83
PID 1040 wrote to memory of 2100	1040	63dd50459022417355a344051addbb40_NEAS.exe	83
PID 1040 wrote to memory of 2100	1040	63dd50459022417355a344051addbb40_NEAS.exe	83
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 2100 wrote to memory of 1224	2100	73dd60469022418366a344061addbb40_NFAS.exe	84
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 1332 wrote to memory of 4804	1332	73dd60469022418366a344061addbb40_NFAS.exe	106
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115
PID 4232 wrote to memory of 2728	4232	73dd60469022418366a344061addbb40_NFAS.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\63dd50459022417355a344051addbb40_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\63dd50459022417355a344051addbb40_NEAS.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1224

C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4804

C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe
C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\73dd60469022418366a344061addbb40_NFAS.exe

Filesize
926KB

MD5
63dd50459022417355a344051addbb40

SHA1
0c63375768c07404e70aa5af77061d6cc2f4b901

SHA256
b9099e6b5cb7a631aef9551575a83e5f5b7bf5121bdd76ee7f96c50155e63753

SHA512
135710986db626bdf75834ff9779d130d59f63d5afb6df7e45addc6d321154a57176d8a526ff314779c531660e556ab1de50c943392689a7a66943267cf92c08

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
15KB

MD5
67dab9d70f35abc50082c7286f06ef8a

SHA1
e33c8d3d04a9bde4628b4f3bf29577efa7125f3a

SHA256
e80ab5d869313f37b91a758928cd5531b6a4d370f14cedf5cadbdcecc7687709

SHA512
7fe478255159ba0d93a5e149b0d750e37cd1e45a0816a1c8f149224ae1d47182c8c1da66866abacf70d4f8301e608a37f557b8cb1174aa55f07e8e60d164433b

Download Submit
memory/1040-8-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-7-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-15-0x00000000021D0000-0x00000000021F9000-memory.dmp

Filesize
164KB

Download
memory/1040-13-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-12-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-11-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-10-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-9-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-6-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1040-5-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-4-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-3-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1040-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1040-14-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1224-51-0x000002557AFD0000-0x000002557AFD1000-memory.dmp

Filesize
4KB

Download
memory/1224-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1224-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1332-68-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-62-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1332-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1332-58-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-59-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-60-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-61-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-63-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-64-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-65-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-66-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-67-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1332-69-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2100-32-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-26-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-36-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-35-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/2100-33-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/2100-27-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-34-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-28-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-29-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-30-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2100-31-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2100-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2100-37-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download