Malware Analysis Report

2024-10-19 01:05

Sample ID 240508-dep33she62
Target b0600586fc73f66cf4c5f4024c842ec0_NEIKI
SHA256 065c5a58fda3891a107fc06dfcc7927e67646f0f5ac27f052bfdbd4ecce0257f
Tags
kpot trickbot banker evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

065c5a58fda3891a107fc06dfcc7927e67646f0f5ac27f052bfdbd4ecce0257f

Threat Level: Known bad

The file b0600586fc73f66cf4c5f4024c842ec0_NEIKI was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

KPOT Core Executable

Trickbot x86 loader

Kpot family

Trickbot

KPOT

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 02:55

Signatures

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 02:55

Reported

2024-05-08 02:58

Platform

win7-20240221-en

Max time kernel

135s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Count Description Indicator Process Target
2 File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Count Description Indicator Process Target
4 N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
2 Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
2 Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
4 PID 2452 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2452 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2452 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2628 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
4 PID 2452 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
4 PID 2640 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
4 PID 2520 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4 PID 2596 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2596 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\SysWOW64\cmd.exe
24 PID 2596 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\taskeng.exe

taskeng.exe {9FF93EB6-3E5B-4990-96D7-A544C12920BC} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe
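The process list above shows the submitted sample spawning three cmd.exe children (sc stop WinDefend, sc delete WinDefend, and powershell Set-MpPreference -DisableRealtimeMonitoring $true) and the WinSocket copy repeating the same chain. On a current Windows 10/11 build Tamper Protection and the antimalware service's protected-process level make these calls fail, so they are loud rather than effective, which is exactly what makes them good alert material. Below is an added example (not part of the sandbox report) of the command-line rules a detection engineer would put over process-creation telemetry for this chain. The input is copied from the process list above; the Defender service names other than WinDefend and the Set-MpPreference switches other than -DisableRealtimeMonitoring are general Defender knowledge rather than anything this report observed.

```python
"""Detection rules for the Defender-tampering command chain seen in behavioral1.

Added example, not part of the sandbox report. Feed it process-creation
command lines (Sysmon event 1, or Security 4688 with command-line auditing).
Service names other than WinDefend and Set-MpPreference switches other than
-DisableRealtimeMonitoring are general Defender knowledge, not from this report.
"""
from __future__ import annotations

import re

# Constructed input: the command lines recorded in the behavioral1 process list.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"',
    r"/c sc stop WinDefend",
    r"/c sc delete WinDefend",
    r"/c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r"sc stop WinDefend",
    r"sc delete WinDefend",
    r"powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r"taskeng.exe {9FF93EB6-3E5B-4990-96D7-A544C12920BC} S-1-5-18:NT AUTHORITY\System:Service:",
]

# Defender service and driver names (WinDefend is the only one this sample touches;
# the others are assumptions from general Defender knowledge).
DEFENDER_SERVICES = r"(?:WinDefend|WdNisSvc|WdFilter|WdNisDrv|WdBoot|Sense)"

RULES: dict[str, re.Pattern[str]] = {
    # sc.exe stop/delete/config aimed at a Defender service, with or without "cmd /c".
    "defender_service_tamper": re.compile(
        r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+" + DEFENDER_SERVICES + r"\b",
        re.IGNORECASE,
    ),
    # Any Set-MpPreference switch that turns a protection feature off.
    "defender_feature_disable": re.compile(
        r"\bSet-MpPreference\b.*?-Disable\w+\s+(?:\$?true|1)\b", re.IGNORECASE
    ),
    # Exclusions are the quieter way to blind Defender to a drop directory.
    "defender_exclusion": re.compile(
        r"\b(?:Set|Add)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b",
        re.IGNORECASE,
    ),
}


def classify(cmdline: str) -> list[str]:
    """Names of every rule the command line trips; empty list when clean."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(cmdlines) -> list[tuple[str, list[str]]]:
    """classify() over a sequence of command lines, keeping only the hits."""
    hits = []
    for line in cmdlines:
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


def is_kill_chain(cmdlines) -> bool:
    """True when the same batch both stops/deletes a Defender service and
    disables a protection feature. Either alone is worth a ticket; both
    together, as in this sample, are high confidence."""
    seen = {tag for _, tags in scan(cmdlines) for tag in tags}
    return {"defender_service_tamper", "defender_feature_disable"} <= seen


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(tags):26} {line}")
    print("kill chain:", is_kill_chain(SAMPLE_COMMAND_LINES))
```

On real telemetry, feed the CommandLine field of Sysmon event 1 or Security event 4688 in place of SAMPLE_COMMAND_LINES. The three rules are independent, so is_kill_chain should be evaluated per parent process or per short time window rather than over a whole day's feed, otherwise an administrator's exclusion change and an unrelated service restart would combine into a false positive.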

Network

N/A

Files

memory/2452-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-6-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-10-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-14-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-13-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-12-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-11-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-9-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-8-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2452-15-0x00000000003D0000-0x00000000003F9000-memory.dmp

memory/2452-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2452-17-0x0000000000421000-0x0000000000422000-memory.dmp

\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

MD5 b0600586fc73f66cf4c5f4024c842ec0
SHA1 d0419f487fda110bb383b48732c2c5b8af0ac9bf
SHA256 065c5a58fda3891a107fc06dfcc7927e67646f0f5ac27f052bfdbd4ecce0257f
SHA512 8770a43e6b28c93083985ae92fd1ff03f915ee12b5e18798e5f36e06283a54b362a2cc8e0e4f7b3a4d83c3a2584fb8f719036ae194ce720cc49294c9b6289000

memory/2596-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2824-49-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2596-37-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-46-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2596-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2596-41-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-40-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-39-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-38-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-36-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-35-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-34-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-33-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-32-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-31-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2596-30-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2824-50-0x0000000010000000-0x000000001001E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1db14f867ddf9af1646e42ec2564464d
SHA1 19804efc7932627078282b0faeed0e6ef59b7a93
SHA256 1726cc980191b12a83e13a3f2b88b1b452b1df131b53af04ae027ad94ac533ef
SHA512 bf0bf15a54463adf447d844cfdf2c68ef1c16bc49439b343b5a64db03aff8f49fc794c8dc8a4b4ab872e95cd52717d1167f9fcb6240b12ea9f9d7bca45e3f310

memory/336-66-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-69-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-68-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-67-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-70-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-72-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-74-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-73-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-71-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-77-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-76-0x0000000000250000-0x0000000000251000-memory.dmp

memory/336-75-0x0000000000250000-0x0000000000251000-memory.dmp

memory/924-93-0x0000000000390000-0x0000000000391000-memory.dmp

memory/924-94-0x0000000000390000-0x0000000000391000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 02:55

Reported

2024-05-08 02:58

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
2 Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 1940 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
26 PID 2188 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\system32\svchost.exe
26 PID 1804 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\system32\svchost.exe
9 PID 4896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe C:\Windows\system32\svchost.exe
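The two WriteProcessMemory tables (this one and the behavioral1 one) read as a flat list, but they carry the process tree and the injection in one place: a few writes per child wherever a process is simply created, and dozens from the WinSocket copy into C:\Windows\system32\svchost.exe in every run. Note also that the WinSocket copy has the same MD5/SHA256 as the submitted file, so the two are only distinguishable by path and PID. The following added example (not the report's own tooling) parses rows in the report's format, counts writes per writer/target pair, and separates injection from ordinary process creation. The write threshold and the "user-writable source into Windows binary" rule are the example's own assumptions, taken from how the page's numbers split; the row data is constructed from both tables.

```python
"""Rebuild the cross-process write graph from the WriteProcessMemory tables.

Added example, not part of the sandbox report. The rows below are constructed
from the two "Suspicious use of WriteProcessMemory" tables on this page,
collapsed to (writer, target, images, row count). The write-count threshold and
the "user-writable directory into system binary" heuristic are this example's
assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

NEIKI = r"C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"
NFJLJ = r"C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"

# (writer pid, target pid, writer image, target image, identical rows in the table)
BEHAVIORAL1_ROWS = [
    (2452, 2628, NEIKI, CMD, 4),
    (2628, 2584, CMD, SC, 4),
    (2452, 2596, NEIKI, NFJLJ, 4),
    (2596, 2384, NFJLJ, CMD, 4),
    (2596, 2824, NFJLJ, SVCHOST, 24),
]
BEHAVIORAL2_ROWS = [
    (1940, 2188, NEIKI, NFJLJ, 3),
    (2188, 4448, NFJLJ, SVCHOST, 26),
    (1804, 2952, NFJLJ, SVCHOST, 26),
    (4896, 2756, NFJLJ, SVCHOST, 9),
]


def report_lines(rows) -> list[str]:
    """Re-create the report's one-row-per-event text so the parser below runs
    on the same lines a reader would copy from the page."""
    return [
        f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"
        for src, dst, src_img, dst_img, n in rows
        for _ in range(n)
    ]


ROW_RX = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass(frozen=True)
class WriteEdge:
    src: int
    dst: int
    src_image: str
    dst_image: str


def parse(lines) -> Counter:
    """Count identical rows; the count is the number of WriteProcessMemory calls."""
    edges: Counter = Counter()
    for line in lines:
        m = ROW_RX.match(line.strip())
        if m:
            edges[WriteEdge(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return edges


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


def find_injections(edges, min_writes: int = 8) -> list[tuple[int, int, int]]:
    """(writer, target, writes) for writes from a user-writable image into a
    Windows binary, above the handful that process creation itself produces."""
    return sorted(
        (e.src, e.dst, n)
        for e, n in edges.items()
        if any(d in e.src_image.lower() for d in USER_WRITABLE)
        and e.dst_image.lower().startswith(SYSTEM_DIRS)
        and n >= min_writes
    )


def roots(edges) -> list[int]:
    """Writers nobody wrote to: the submitted sample, plus any copy started by
    something outside the recorded tree (in behavioral2, the scheduled task)."""
    return sorted({e.src for e in edges} - {e.dst for e in edges})


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1_ROWS), ("behavioral2", BEHAVIORAL2_ROWS)):
        edges = parse(report_lines(rows))
        print(name, "injections:", find_injections(edges), "roots:", roots(edges))
```

The roots() output is the useful cross-check against the process lists: in behavioral2 it names 1804 and 4896 alongside the submitted sample, i.e. two WinSocket copies that nothing in the recorded tree started, which matches the taskeng.exe launch of the copy in behavioral1 and the "Uses Task Scheduler COM API" signature.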

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country  Destination        Domain                           Proto
US       8.8.8.8:53         8.8.8.8.in-addr.arpa             udp
US       8.8.8.8:53         58.55.71.13.in-addr.arpa         udp
US       8.8.8.8:53         172.210.232.199.in-addr.arpa     udp
NL       23.62.61.194:443   www.bing.com                     tcp
US       8.8.8.8:53         194.61.62.23.in-addr.arpa        udp
US       8.8.8.8:53         104.219.191.52.in-addr.arpa      udp
US       8.8.8.8:53         15.164.165.52.in-addr.arpa       udp
US       8.8.8.8:53         103.169.127.40.in-addr.arpa      udp
US       8.8.8.8:53         142.53.16.96.in-addr.arpa        udp
US       8.8.8.8:53         51.15.97.104.in-addr.arpa        udp
BD       58.84.34.214:449   -                                tcp
US       8.8.8.8:53         79.190.18.2.in-addr.arpa         udp
US       8.8.8.8:53         31.243.111.52.in-addr.arpa       udp
BD       58.84.34.214:449   -                                tcp
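Most of this table is the sandbox image's background traffic: reverse (PTR) lookups through 8.8.8.8 and a www.bing.com connection. The contact that belongs to the sample is TCP 58.84.34.214:449, made twice, with no A-record lookup before it, which suggests the address is carried in the sample or its configuration rather than resolved at run time. Below is an added example (not part of the report) that parses the table, filters that background, turns the PTR names back into the IPs they refer to, and flags remaining endpoints on ports that public Trickbot reporting associates with its C2. The resolver/bing.com allowlist and the Trickbot port list are assumptions for this example, not findings stated on the page; the table text is copied from above.

```python
"""Separate sandbox background noise from the sample's own network contacts.

Added example, not part of the sandbox report. The table text is copied from
the behavioral2 Network section. Treating 8.8.8.8:53 reverse lookups and
www.bing.com as background, and the Trickbot port list, are this example's
assumptions from general sandbox experience and public Trickbot reporting.
"""
from __future__ import annotations

import re
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
BD 58.84.34.214:449 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
BD 58.84.34.214:449 tcp
"""

# country, ip:port, optional domain, proto (the domain column is empty for raw TCP rows)
ROW_RX = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
SANDBOX_RESOLVER = ("8.8.8.8", 53)          # assumption: the image's configured resolver
BACKGROUND_DOMAINS = {"www.bing.com"}       # assumption: OS/browser background traffic
# Ports that public Trickbot reporting repeatedly ties to its C2 (assumption, see lead-in).
TRICKBOT_C2_PORTS = {443, 447, 449, 8082}


def parse_rows(text: str) -> list[dict]:
    """One dict per table row; rows that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RX.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name: str | None) -> str | None:
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58' (PTR names list the octets reversed)."""
    if not name:
        return None
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa", name)
    return ".".join(reversed(m[1].rstrip(".").split("."))) if m else None


def triage(rows):
    """Split rows into (ioc counter, noise counter, IPs the host reverse-resolved)."""
    iocs: Counter = Counter()
    noise: Counter = Counter()
    looked_up: list[str] = []
    for r in rows:
        if (r["ip"], r["port"]) == SANDBOX_RESOLVER:
            noise["dns"] += 1
            ip = ptr_to_ip(r["domain"])
            if ip:
                looked_up.append(ip)
            continue
        if r["domain"] in BACKGROUND_DOMAINS:
            noise["background"] += 1
            continue
        iocs[(r["ip"], r["port"], r["proto"], r["cc"])] += 1
    return iocs, noise, looked_up


def trickbot_c2_candidates(iocs) -> list[tuple[str, int]]:
    """Remaining TCP endpoints whose port is on the Trickbot list."""
    return sorted(
        (ip, port) for (ip, port, proto, _cc) in iocs
        if proto == "tcp" and port in TRICKBOT_C2_PORTS
    )


if __name__ == "__main__":
    iocs, noise, looked_up = triage(parse_rows(NETWORK_TABLE))
    print("noise:", dict(noise))
    print("reverse lookups for:", looked_up)
    for (ip, port, proto, cc), n in iocs.items():
        print(f"IOC {ip}:{port}/{proto} ({cc}) seen {n}x")
    print("Trickbot-port candidates:", trickbot_c2_candidates(iocs))
```

The reversed PTR names are worth keeping even though they are noise here: they show which addresses the image contacted outside the table's own rows, which is how to spot a connection the sandbox logged only as a lookup. The port match is a prioritisation hint, not attribution; the IOC worth blocking is the address and port pair whichever port it lands on.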

Files

memory/1940-5-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-6-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-4-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-3-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-2-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-8-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-7-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-9-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-10-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-11-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-14-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-13-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-12-0x0000000002140000-0x0000000002141000-memory.dmp

memory/1940-15-0x0000000002200000-0x0000000002229000-memory.dmp

memory/1940-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1940-17-0x0000000000421000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe

MD5 b0600586fc73f66cf4c5f4024c842ec0
SHA1 d0419f487fda110bb383b48732c2c5b8af0ac9bf
SHA256 065c5a58fda3891a107fc06dfcc7927e67646f0f5ac27f052bfdbd4ecce0257f
SHA512 8770a43e6b28c93083985ae92fd1ff03f915ee12b5e18798e5f36e06283a54b362a2cc8e0e4f7b3a4d83c3a2584fb8f719036ae194ce720cc49294c9b6289000

memory/2188-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2188-42-0x0000000010000000-0x0000000010007000-memory.dmp

memory/4448-47-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2188-41-0x0000000010000000-0x0000000010007000-memory.dmp

memory/4448-51-0x000001F490EE0000-0x000001F490EE1000-memory.dmp

memory/4448-46-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2188-52-0x00000000030A0000-0x000000000315E000-memory.dmp

memory/2188-53-0x0000000003160000-0x0000000003429000-memory.dmp

memory/1804-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1804-72-0x0000000000421000-0x0000000000422000-memory.dmp

memory/1804-73-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 d0798ba15980687f02678721f81818e5
SHA1 986e3a4815c2515c194c240ca9082f759d049ad1
SHA256 a8465a0390a2ee77662a154ac55657c21a0f55e1311ddcc98205a5899ec56c42
SHA512 7e1186ecd31cad7b7b244e7447eca59f6fdb9440baf067b090707677b4e34584d094613b16b1a4fcd29d264ee7215de73fcc070ebe993c921566b1174ac503dd
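The memory/PID-index-start-end-memory.dmp entries in the two Files sections are region dumps the sandbox took, one file per process, range and point in time, and grouped per process they say more than their names suggest. Below is an added example (not part of the report) that parses those names, collapses repeated dumps of one range, and picks out two things: the sample's 0x72000-byte image at 0x400000 in the submitted file and in each copy, and a region sitting exactly at 0x10000000, the default image base for DLLs built with MSVC, in the WinSocket copy and in the svchost.exe it writes to. Reading the latter as a module that was written in rather than mapped by the loader is this example's heuristic; the PID-to-image map is taken from the WriteProcessMemory tables above, and the dump names are a constructed subset of both Files lists.

```python
"""Turn the memory-dump file names in the Files sections into per-process region maps.

Added example, not part of the sandbox report. The names below are copied from
the Files lists of both runs; the pid-to-image map comes from the
WriteProcessMemory tables. Treating a region at 0x10000000 as a non-rebased DLL
that was written into the process is this example's heuristic.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed subset of the memory/... entries from both runs' Files sections.
DUMP_NAMES = [
    "memory/2452-18-0x0000000000400000-0x0000000000472000-memory.dmp",
    "memory/2596-44-0x0000000000400000-0x0000000000472000-memory.dmp",
    "memory/2596-45-0x0000000010000000-0x0000000010007000-memory.dmp",
    "memory/2596-46-0x0000000010000000-0x0000000010007000-memory.dmp",
    "memory/2824-49-0x0000000010000000-0x000000001001E000-memory.dmp",
    "memory/2824-50-0x0000000010000000-0x000000001001E000-memory.dmp",
    "memory/2188-40-0x0000000000400000-0x0000000000472000-memory.dmp",
    "memory/2188-41-0x0000000010000000-0x0000000010007000-memory.dmp",
    "memory/2188-52-0x00000000030A0000-0x000000000315E000-memory.dmp",
    "memory/2188-53-0x0000000003160000-0x0000000003429000-memory.dmp",
    "memory/4448-46-0x0000000010000000-0x000000001001E000-memory.dmp",
    "memory/4448-51-0x000001F490EE0000-0x000001F490EE1000-memory.dmp",
]

# pid -> image, from the process lists and WriteProcessMemory tables (both runs).
PID_IMAGE = {
    2452: "NEIKI.exe (submitted sample, behavioral1)",
    2596: "NFJLJ.exe (WinSocket copy, behavioral1)",
    2824: "svchost.exe (behavioral1)",
    2188: "NFJLJ.exe (WinSocket copy, behavioral2)",
    4448: "svchost.exe (behavioral2)",
}

NAME_RX = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_DLL_BASE = 0x10000000   # MSVC default ImageBase for DLLs
DEFAULT_EXE_BASE = 0x00400000   # MSVC default ImageBase for 32-bit EXEs


def parse_regions(names) -> dict[int, set[tuple[int, int]]]:
    """pid -> set of (start, end); repeated dumps of one range collapse to one region."""
    regions: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for name in names:
        m = NAME_RX.match(name)
        if m:
            regions[int(m[1])].add((int(m[3], 16), int(m[4], 16)))
    return dict(regions)


def default_base_modules(regions) -> list[tuple[int, str, int]]:
    """(pid, image, size) for every region sitting exactly at the default DLL base."""
    out = []
    for pid, ranges in sorted(regions.items()):
        for start, end in sorted(ranges):
            if start == DEFAULT_DLL_BASE:
                out.append((pid, PID_IMAGE.get(pid, "?"), end - start))
    return out


def sample_image_regions(regions) -> list[int]:
    """PIDs whose dumps include the sample's own image at 0x400000: the submitted
    file and each copy of it, but not the svchost targets."""
    return sorted(
        pid for pid, ranges in regions.items()
        if any(start == DEFAULT_EXE_BASE for start, _ in ranges)
    )


if __name__ == "__main__":
    regions = parse_regions(DUMP_NAMES)
    for pid, image, size in default_base_modules(regions):
        print(f"pid {pid:5d} {image:42} module at 0x10000000, {size:#x} bytes")
    print("sample image present in:", sample_image_regions(regions))
```

The split is consistent across both runs: a 0x7000-byte region at 0x10000000 in the WinSocket copy and a 0x1E000-byte one in the svchost.exe it wrote to, which reads as a small stub in the copy and a larger module in the service host. The 4448-51 entry at 0x1F490EE0000 shows the behavioral2 svchost.exe is a 64-bit process, whose own modules sit far above 0x10000000, so that region is not one the loader placed there. With the actual dump files in hand the next check is whether the 0x10000000 region starts with an MZ header or has had its PE header wiped.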