kpot | ca831e068f3ed3e858c0744ca02012ffdda97cd9eaf7093fdae64b94219b87aa

Analysis

max time kernel
159s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe
Size

1.2MB
MD5

dc27dfb42bc4d095f153144a7208bc60
SHA1

84812d62cc2f6974e95f6a606280a50c105a451e
SHA256

ca831e068f3ed3e858c0744ca02012ffdda97cd9eaf7093fdae64b94219b87aa
SHA512

5d693dfcf1c5e0a65bcdfe0333a0e8d49fd07389a14f114372a8ecbf0cb6548996e2ffaad0d4b32de64d22946db395862009408de92137d980235ff1a293c751
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOxA5zYlo1c51Wnq:E5aIwC+Agr6StVEnmcKxY/O1n

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023274-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4660-15-0x0000000002C10000-0x0000000002C39000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
Token: SeTcbPrivilege	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4660	dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe
4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4180	4660	dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe	91
PID 4660 wrote to memory of 4180	4660	dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe	91
PID 4660 wrote to memory of 4180	4660	dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe	91
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4180 wrote to memory of 1648	4180	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	92
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 4152 wrote to memory of 1768	4152	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	103
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105
PID 2032 wrote to memory of 2776	2032	dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dc27dfb42bc4d095f153144a7208bc60_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4488 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3704

C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1768

C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\dc28dfb42bc4d096f163144a8209bc70_NeikiAnalytict.exe

Filesize
1.2MB

MD5
dc27dfb42bc4d095f153144a7208bc60

SHA1
84812d62cc2f6974e95f6a606280a50c105a451e

SHA256
ca831e068f3ed3e858c0744ca02012ffdda97cd9eaf7093fdae64b94219b87aa

SHA512
5d693dfcf1c5e0a65bcdfe0333a0e8d49fd07389a14f114372a8ecbf0cb6548996e2ffaad0d4b32de64d22946db395862009408de92137d980235ff1a293c751

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
46KB

MD5
429a343c2a3edd8471469dbbe234afb1

SHA1
d0cedf62e2704534532545518845cef5838a2338

SHA256
32d0d0df946ebbab1c7389790288f2a7060f386fa36397f10d45bf7d69ba50d9

SHA512
35051c7eb3bb4dae6d811fa1b89a32b33c7c5eb0c7764d88964688a45535ac0915b43bc03b1620a1ce33646f4d5cf92bc95c8ed4a2e89bfd0789ab917294ea9f

Download Submit
memory/1648-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1648-51-0x000001F3D6DB0000-0x000001F3D6DB1000-memory.dmp

Filesize
4KB

Download
memory/4152-67-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-66-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-63-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-65-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-71-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4152-69-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-68-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-59-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-64-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-62-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-61-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-60-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-72-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4152-58-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4152-84-0x0000000001C50000-0x0000000001D0E000-memory.dmp

Filesize
760KB

Download
memory/4180-31-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-53-0x0000000003130000-0x00000000033F9000-memory.dmp

Filesize
2.8MB

Download
memory/4180-34-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-33-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-32-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-37-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-30-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-29-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-28-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-27-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-26-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4180-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4180-36-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4180-52-0x0000000003070000-0x000000000312E000-memory.dmp

Filesize
760KB

Download
memory/4180-35-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4660-8-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-3-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-14-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-5-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4660-7-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-4-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-9-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-10-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4660-15-0x0000000002C10000-0x0000000002C39000-memory.dmp

Filesize
164KB

Download
memory/4660-11-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-12-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4660-13-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download