kpot | ab33a217d08d3824233cbed661bf4a294838ed246fa0a43d8c0e52d25bc53924

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe
Size

847KB
MD5

a76a68e70ed9001d8b8de44ee401f9e0
SHA1

405b35db4cc02bff42ae2b3d1dfb01ec5ebc8a34
SHA256

ab33a217d08d3824233cbed661bf4a294838ed246fa0a43d8c0e52d25bc53924
SHA512

62fe7905e87696e56ca715fe88b250aeaa088d01ccaf223228cc8dc6ddd8f3c326b5e8a2b1f3cc751fa92fe55b5256aa8eacc7251f735e0ea84c73a0c2fe7eab
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSs9U3NL9WEEoLPw9IUMOKg:zQ5aILMCfmAUjzX6xQt9U3917Lw/zx

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233ff-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4664-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
Token: SeTcbPrivilege	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4664	a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe
2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2680	4664	a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe	83
PID 4664 wrote to memory of 2680	4664	a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe	83
PID 4664 wrote to memory of 2680	4664	a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe	83
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 2680 wrote to memory of 1224	2680	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	85
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4760 wrote to memory of 4568	4760	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	93
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95
PID 4476 wrote to memory of 3012	4476	a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a76a68e70ed9001d8b8de44ee401f9e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1224

C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4568

C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\a87a79e80ed9001d9b9de44ee401f9e0_NeikiAnalytict.exe

Filesize
847KB

MD5
a76a68e70ed9001d8b8de44ee401f9e0

SHA1
405b35db4cc02bff42ae2b3d1dfb01ec5ebc8a34

SHA256
ab33a217d08d3824233cbed661bf4a294838ed246fa0a43d8c0e52d25bc53924

SHA512
62fe7905e87696e56ca715fe88b250aeaa088d01ccaf223228cc8dc6ddd8f3c326b5e8a2b1f3cc751fa92fe55b5256aa8eacc7251f735e0ea84c73a0c2fe7eab

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
63KB

MD5
529a9fd0d1717c65907474335d75dded

SHA1
4861b168007a90922e5a805beb13018660c00261

SHA256
34d1cbbf158b610f22420be5b5e3cbd76c8d88006990b4b917ff448409e19f96

SHA512
87134ec405cdfa220f907cd24227304a9bf02ccf4b2e9c12f7186284589e565a304c6b57e7b974a9ee4324c229d71edeed18fefb0faed6fa360311bfd09bcc5c

Download Submit
memory/1224-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1224-53-0x000001C57AFF0000-0x000001C57AFF1000-memory.dmp

Filesize
4KB

Download
memory/2680-31-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-26-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-30-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-27-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-51-0x00000000030A0000-0x000000000315E000-memory.dmp

Filesize
760KB

Download
memory/2680-52-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/2680-29-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-28-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-32-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-33-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2680-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2680-34-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-37-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-36-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2680-35-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4664-8-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-10-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-3-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-4-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-7-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-14-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-9-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-13-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-11-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-12-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-5-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-6-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4664-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4664-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/4664-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4664-2-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4760-69-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-67-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-66-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-65-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-64-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-63-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-62-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-61-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-60-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-59-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-58-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4760-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4760-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4760-68-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download