kpot | 021963f3c5510d0bebd59ba4e9adb52207c18833f71d873e6bbdcb337070bcec

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe
Size

912KB
MD5

eb2bb9df20395e49df2ddd2fabd40b60
SHA1

b4d07606fc61b8aa01157429d4437c6e46f44381
SHA256

021963f3c5510d0bebd59ba4e9adb52207c18833f71d873e6bbdcb337070bcec
SHA512

d84812197075f51d169f0511a600685aea2e7411db1416cb6226f4148e76505993e4a8abd1891ec12131a7c0d8d2b36d106a66f7a14d7f6c1137e53b61453e37
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4EnpZgkJOSSkW:E5aIwC+Agr6StVEn0ksb

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341d-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3260-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
Token: SeTcbPrivilege	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3260	eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe
2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2664	3260	eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe	84
PID 3260 wrote to memory of 2664	3260	eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe	84
PID 3260 wrote to memory of 2664	3260	eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe	84
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 2664 wrote to memory of 1056	2664	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	86
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 1652 wrote to memory of 4308	1652	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	94
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96
PID 4424 wrote to memory of 4688	4424	eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eb2bb9df20395e49df2ddd2fabd40b60_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1056

C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4308

C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\eb2bb9df20396e49df2ddd2fabd40b70_NeikiAnalytict.exe

Filesize
912KB

MD5
eb2bb9df20395e49df2ddd2fabd40b60

SHA1
b4d07606fc61b8aa01157429d4437c6e46f44381

SHA256
021963f3c5510d0bebd59ba4e9adb52207c18833f71d873e6bbdcb337070bcec

SHA512
d84812197075f51d169f0511a600685aea2e7411db1416cb6226f4148e76505993e4a8abd1891ec12131a7c0d8d2b36d106a66f7a14d7f6c1137e53b61453e37

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
29KB

MD5
8627d290fd601e2befe4703b746cafc5

SHA1
6a79cec92888e36a7a16f01e76c48ccf7c743c9c

SHA256
9919ea2f0ed29e4af0558734df1fd288291f35962e41c010bc784f96de2991b2

SHA512
2438d6a75ba892be8c2f07661a068f66914eac4b5f1ba56c5e016992afce0d57b886f832b3fa6e8fd53b9031c49659c88f900536bd22bc57b16f551949808ada

Download Submit
memory/1056-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1056-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1056-51-0x000001A614590000-0x000001A614591000-memory.dmp

Filesize
4KB

Download
memory/1652-62-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-66-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-61-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-59-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-63-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-64-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-65-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-60-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-67-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-68-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-69-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-58-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1652-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1652-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2664-32-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-28-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-35-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-34-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-33-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-27-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-31-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-30-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-29-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2664-37-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2664-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/2664-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/2664-26-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2664-36-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3260-11-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-12-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3260-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp

Filesize
164KB

Download
memory/3260-4-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-13-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3260-9-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-14-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-10-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-8-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-6-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-2-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-3-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3260-5-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download