kpot | 999d146107e72dcb8472ce7087ee6b0390a98d6b7c741bf160bafb75c791e864

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe
Size

844KB
MD5

687d5fe32d7d5fd6cdb493bc38e0d6c0
SHA1

46ae2b39b44a8b4156afccb2a91816d62b255e3d
SHA256

999d146107e72dcb8472ce7087ee6b0390a98d6b7c741bf160bafb75c791e864
SHA512

7a790f162faa1ed670d7a40432397f033b45ccbf87eb1468c30c218b75c9207cc8e3b76664b19e2bd1df1926cfa4415c0a5d72c408bc1c4d041a4b68b83ba114
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSs9U3NL9WEEoLPw9IBt:zQ5aILMCfmAUjzX6xQt9U3917Lwqt

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002355a-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2028-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
Token: SeTcbPrivilege	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe
544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 544	2028	687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe	89
PID 2028 wrote to memory of 544	2028	687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe	89
PID 2028 wrote to memory of 544	2028	687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe	89
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 544 wrote to memory of 4336	544	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	91
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 4964 wrote to memory of 4832	4964	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	102
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104
PID 2996 wrote to memory of 1764	2996	798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\687d5fe32d7d5fd6cdb493bc38e0d6c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:4184

C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4832

C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\798d6fe32d8d6fd7cdb493bc39e0d7c0_NeikiAnalytict.exe

Filesize
844KB

MD5
687d5fe32d7d5fd6cdb493bc38e0d6c0

SHA1
46ae2b39b44a8b4156afccb2a91816d62b255e3d

SHA256
999d146107e72dcb8472ce7087ee6b0390a98d6b7c741bf160bafb75c791e864

SHA512
7a790f162faa1ed670d7a40432397f033b45ccbf87eb1468c30c218b75c9207cc8e3b76664b19e2bd1df1926cfa4415c0a5d72c408bc1c4d041a4b68b83ba114

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
13KB

MD5
08605a138218722601aff18ad2afca0b

SHA1
349648186ae7a821ecad7775c45e028da7931118

SHA256
b587380aefee1865d9fc501e15c358383b20189068ad57ac7a5077125e4bdbb7

SHA512
702c9d462f482050f60f9a6726ec9f27587c90dc6f31b3be73e4836014cbe665919f659b619058aaf0623e5b95401309a855aa4a1f3c11f7a2b9ddfb45ded5ed

Download Submit
memory/544-32-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-33-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/544-36-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-37-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/544-30-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/544-34-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-26-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-35-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-27-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-28-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-29-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/544-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/544-31-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2028-14-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2028-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/2028-4-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-12-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-13-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-10-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-11-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-9-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-8-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-7-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-6-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-3-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4336-51-0x000001A774360000-0x000001A774361000-memory.dmp

Filesize
4KB

Download
memory/4336-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4964-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4964-66-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-68-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-69-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-67-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-58-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-61-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-62-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-65-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-64-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-63-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-59-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4964-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4964-60-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download