kpot | ca0c4e1898a0c65db54648d7adb8d764719a573ed111fa27cfc93745ebeb6878

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe
Size

1.2MB
MD5

060ff84cd8be4cc07802e40a5c041760
SHA1

2446fa40aeae8a48f8460cffc215f0963f2da35c
SHA256

ca0c4e1898a0c65db54648d7adb8d764719a573ed111fa27cfc93745ebeb6878
SHA512

35e9451014af397b8824d288cb375b6843e06b4bc4e64cec1e366424f7d86f610afdb09962b58d75c073d4ef7b65aba6e7d12fe20930c3c6f238f9197f1ed54e
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOrwwyDTWVoWMQvAGeBkJ:E5aIwC+Agr6StVEnmcKrwwyGwI

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023232-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4048-17-0x0000000002B00000-0x0000000002B29000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
Token: SeTcbPrivilege	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4048	060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe
4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4100	4048	060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe	92
PID 4048 wrote to memory of 4100	4048	060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe	92
PID 4048 wrote to memory of 4100	4048	060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe	92
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4100 wrote to memory of 4176	4100	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	93
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4480 wrote to memory of 2376	4480	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	104
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106
PID 4988 wrote to memory of 4700	4988	070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\060ff84cd8be4cc07802e40a5c041760_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:1976

C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2376

C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\070ff94cd9be4cc08902e40a6c041870_NeikiAnalytict.exe

Filesize
1.2MB

MD5
060ff84cd8be4cc07802e40a5c041760

SHA1
2446fa40aeae8a48f8460cffc215f0963f2da35c

SHA256
ca0c4e1898a0c65db54648d7adb8d764719a573ed111fa27cfc93745ebeb6878

SHA512
35e9451014af397b8824d288cb375b6843e06b4bc4e64cec1e366424f7d86f610afdb09962b58d75c073d4ef7b65aba6e7d12fe20930c3c6f238f9197f1ed54e

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
36KB

MD5
e126a8d41c553a31dd665217d65538e5

SHA1
3113039a4b97d7be1b3c80e3137b5337e88d1004

SHA256
76e8fc82cc2726a545caabf0a98a441c0bb8ff91c913a961a16f81ab75ac8384

SHA512
0e6f0637649b23f36be5226a23707dab35b14f207792297979ebd835aee7acb6dc45e7983920f3a5fb65ed118eda48e6700a335e17a97c87ae6ccc5d0be7a9de

Download Submit
memory/4048-4-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-3-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-2-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-14-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-13-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-12-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-11-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-10-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-9-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-8-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-7-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-6-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-5-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4048-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4048-15-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4048-17-0x0000000002B00000-0x0000000002B29000-memory.dmp

Filesize
164KB

Download
memory/4100-37-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-36-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-35-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-34-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-33-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-32-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-31-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-30-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-29-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-28-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-27-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-26-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4100-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4100-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4100-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4100-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4176-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4176-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4176-51-0x000001C8FAE90000-0x000001C8FAE91000-memory.dmp

Filesize
4KB

Download
memory/4480-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4480-71-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4480-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download