kpot | 275db0765a0eb16237b55550c8a7e9bda84f98eb39a3ed3c33b054fdd420a3cd

Analysis

max time kernel
130s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
Size

1.3MB
MD5

d20f6874b72bb6e0ecbb77d82d8c9710
SHA1

6cd5d1f8437dad187f2b78bf9d675c3aeb8acff8
SHA256

275db0765a0eb16237b55550c8a7e9bda84f98eb39a3ed3c33b054fdd420a3cd
SHA512

58f098690fa8adddaa461cd5032592e39dda56682b9cae3b10ed051e08a9f54f0a2b6940d48509384c41464615d1e52d7a7b6069103a7b661539722c8c0fdbe5
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMc7qzz1IojVD0UOSQ+V:E5aIwC+Agr6twjVDh

Score

10^/10

kpot trickbot banker evasion execution stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014909-25.dat	family_kpot
behavioral1/files/0x0008000000014909-59.dat	family_kpot
behavioral1/files/0x0008000000014909-58.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/856-15-0x0000000000310000-0x0000000000339000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
2040	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Loads dropped DLL 2 IoCs

pid	Process
856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2676	sc.exe
2556	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
2664	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeTcbPrivilege	2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
Token: SeTcbPrivilege	2040	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
2040	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2516	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	28
PID 856 wrote to memory of 2516	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	28
PID 856 wrote to memory of 2516	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	28
PID 856 wrote to memory of 2516	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	28
PID 856 wrote to memory of 2984	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	29
PID 856 wrote to memory of 2984	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	29
PID 856 wrote to memory of 2984	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	29
PID 856 wrote to memory of 2984	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	29
PID 856 wrote to memory of 2552	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	32
PID 856 wrote to memory of 2552	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	32
PID 856 wrote to memory of 2552	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	32
PID 856 wrote to memory of 2552	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	32
PID 856 wrote to memory of 2688	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	34
PID 856 wrote to memory of 2688	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	34
PID 856 wrote to memory of 2688	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	34
PID 856 wrote to memory of 2688	856	d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe	34
PID 2984 wrote to memory of 2556	2984	cmd.exe	37
PID 2984 wrote to memory of 2556	2984	cmd.exe	37
PID 2984 wrote to memory of 2556	2984	cmd.exe	37
PID 2984 wrote to memory of 2556	2984	cmd.exe	37
PID 2516 wrote to memory of 2676	2516	cmd.exe	35
PID 2516 wrote to memory of 2676	2516	cmd.exe	35
PID 2516 wrote to memory of 2676	2516	cmd.exe	35
PID 2516 wrote to memory of 2676	2516	cmd.exe	35
PID 2552 wrote to memory of 2664	2552	cmd.exe	36
PID 2552 wrote to memory of 2664	2552	cmd.exe	36
PID 2552 wrote to memory of 2664	2552	cmd.exe	36
PID 2552 wrote to memory of 2664	2552	cmd.exe	36
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2688 wrote to memory of 2468	2688	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	38
PID 2000 wrote to memory of 2256	2000	taskeng.exe	42
PID 2000 wrote to memory of 2256	2000	taskeng.exe	42
PID 2000 wrote to memory of 2256	2000	taskeng.exe	42
PID 2000 wrote to memory of 2256	2000	taskeng.exe	42
PID 2256 wrote to memory of 1680	2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	43
PID 2256 wrote to memory of 1680	2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	43
PID 2256 wrote to memory of 1680	2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	43
PID 2256 wrote to memory of 1680	2256	d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d20f6874b72bb6e0ecbb77d82d8c9710_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2468

C:\Windows\system32\taskeng.exe
taskeng.exe {5E104BCB-2F57-412D-91CE-1A8BFFF43792} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1680
- C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2040
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Filesize
1.3MB

MD5
d20f6874b72bb6e0ecbb77d82d8c9710

SHA1
6cd5d1f8437dad187f2b78bf9d675c3aeb8acff8

SHA256
275db0765a0eb16237b55550c8a7e9bda84f98eb39a3ed3c33b054fdd420a3cd

SHA512
58f098690fa8adddaa461cd5032592e39dda56682b9cae3b10ed051e08a9f54f0a2b6940d48509384c41464615d1e52d7a7b6069103a7b661539722c8c0fdbe5

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Filesize
704KB

MD5
b7c40c99cf3fe5836866df7f4a702133

SHA1
d6fcaeb39bb84c9818c03404c057e63262c0a517

SHA256
0677c71c83d1643856957c43b2651ac6af77a6d5dceb0562de31724baed54c7d

SHA512
523fe41f969811322d99a2089dff175e7cf2a76e52279a74a720ca18b92ec4a839d96d5333e2477a29798eb886d533f61814ca13998e5e8d68b67f1270eb959c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Filesize
665KB

MD5
8328b02f6f7024ae6db113bc7f578b23

SHA1
6a96f0c51a3dcf8b8493bc19da1142d05982d679

SHA256
8b5e5f4763e79b6d2b5ae1ff5cb17c951600dda63e7f6dcb78ce28c6ec44768e

SHA512
2a3cf55b6b2dabde31ba02af659785e906c1e0d6bddfe406707f3eb589666b98da06b1d304337bc71ad0fcb093e3e9088629ee803cf027bbdf3ae0beeb803fbe

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\d20f7984b82bb7e0ecbb88d92d9c9810_NFJLJ.exe

Filesize
183KB

MD5
bc4a750303644e5f269ccf0ae398d121

SHA1
17ffff17a8661a2036b458439bb07dcee4c52663

SHA256
b639442292fc6860a4e0cfab7af0320163d82735cbc594b4cd559fb7ddbb4192

SHA512
7a254d076118cc36d47b21fe080c9db517207f541b8b8cecb02fc52b991fc51ba7f97e574af358af6c1f2c3af8d9f1aa3c79a87973be601905d18269859c2694

Download Submit
memory/856-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-4-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-8-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-11-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-10-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-3-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-15-0x0000000000310000-0x0000000000339000-memory.dmp

Filesize
164KB

Download
memory/856-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/856-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/856-12-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-13-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-2-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/856-14-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2256-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-64-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2256-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2468-55-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2468-51-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2468-50-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2688-35-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2688-44-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2688-30-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-31-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-32-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-33-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-34-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-36-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-37-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-38-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-39-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-40-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-41-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download