kpot | 501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe
Size

1.3MB
MD5

84e6c3f628bdc35def9d5d12573431e0
SHA1

bae1643c0f4c044471683c2b35d93152cd6284d1
SHA256

501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0
SHA512

7631ff0d6b713a0388665d9af9177a0189d6ed58243e3e3e4dec276d973af5fa36568bb882fbb382c911ab8bb830fe2149e3f8b00797c9672f093c2cde3640ae
SSDEEP

24576:zQ5aILMCfmAUjzX6gfU1pjwjbsXhmvZssrD+nRgnf4NvlOSn:E5aIwC+Agr6g81p1vsrNin

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba7-22.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3764-15-0x0000000002160000-0x0000000002189000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
Token: SeTcbPrivilege	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3764	84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe
2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 2548	3764	84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe	84
PID 3764 wrote to memory of 2548	3764	84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe	84
PID 3764 wrote to memory of 2548	3764	84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe	84
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 2548 wrote to memory of 2684	2548	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	85
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 1000 wrote to memory of 3484	1000	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	103
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116
PID 424 wrote to memory of 4044	424	94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2684

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3484

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

Filesize
1.3MB

MD5
84e6c3f628bdc35def9d5d12573431e0

SHA1
bae1643c0f4c044471683c2b35d93152cd6284d1

SHA256
501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0

SHA512
7631ff0d6b713a0388665d9af9177a0189d6ed58243e3e3e4dec276d973af5fa36568bb882fbb382c911ab8bb830fe2149e3f8b00797c9672f093c2cde3640ae

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
12KB

MD5
2b892efdc31ca5db3a273b547a306c75

SHA1
3f277e8e32b3f8cde25dd46d1a08f00054234926

SHA256
85ef35aadd6bba5674d2df11a762e5b086f90f3690e99e745b2fef8a44198957

SHA512
16ff4a40b5dc0d8e377fd940e12c68f32576679e777b9c6ec8f21d3874bd4aa9cc063a7ef1e0a953ef9d54645637dc2191c7ded4568e5969b5430dfc66eea365

Download Submit
memory/1000-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1000-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1000-58-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-59-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-60-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-61-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-62-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-63-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-64-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-65-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-66-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-67-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-68-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1000-69-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2548-29-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-37-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2548-36-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-35-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-34-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-33-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-32-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-31-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-30-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/2548-28-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-27-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-26-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2548-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2548-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2548-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/2684-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2684-51-0x0000026FED770000-0x0000026FED771000-memory.dmp

Filesize
4KB

Download
memory/2684-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3764-4-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-5-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3764-15-0x0000000002160000-0x0000000002189000-memory.dmp

Filesize
164KB

Download
memory/3764-2-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-3-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-6-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3764-8-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-9-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-10-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-11-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-12-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-7-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-13-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3764-14-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download