kpot | 1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe
Size

943KB
MD5

665b8cace4e7b61cd55c5d338826bb11
SHA1

9e23d18298cbbf523ca764fc2c1c7ebe335f05a4
SHA256

1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298
SHA512

6b424d4c9a4f24bf6966c38e4859d963e664fe7e2b54594c254572dd1fcd1ef497bcd1baf8f37cb52de89af327109d749dedd2c3408526b8a3bf56b995a28e66
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ1:E5aIwC+Agr6SNbz

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2080-15-0x0000000002150000-0x0000000002179000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

pid	process
872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

description	pid	process
Token: SeTcbPrivilege	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
Token: SeTcbPrivilege	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

pid	process
2080	1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe
872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2080 wrote to memory of 872	2080	1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
PID 2080 wrote to memory of 872	2080	1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
PID 2080 wrote to memory of 872	2080	1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 872 wrote to memory of 2660	872	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 3440 wrote to memory of 1220	3440	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe
PID 4380 wrote to memory of 636	4380	1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe
"C:\Users\Admin\AppData\Local\Temp\1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2660

C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1220

C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\1a27b29b198cc42a20192994a76b6640941997bc9a27c96f74192018973ad299.exe

Filesize
943KB

MD5
665b8cace4e7b61cd55c5d338826bb11

SHA1
9e23d18298cbbf523ca764fc2c1c7ebe335f05a4

SHA256
1a26b29b187cc42a20182884a65b5540841896bc8a26c85f64192017963ad298

SHA512
6b424d4c9a4f24bf6966c38e4859d963e664fe7e2b54594c254572dd1fcd1ef497bcd1baf8f37cb52de89af327109d749dedd2c3408526b8a3bf56b995a28e66

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
29KB

MD5
1f68ff5bd0d77fb275380201b9d1505c

SHA1
3ad0de09100495f40ac1272b8b89ca16affea8d9

SHA256
e160e15b0e5c6430b8a252605282f8c0e96ac9c8201e962b9c10e0042bdc7e1b

SHA512
c1b0ed1a2c44d5971ab9a7028452e94dac1e6c5887469654396c21178ab01dc2954128f5280072b4855eea03ea70f2550c8f04b997cadefd5acbbe0df2663b76

Download Submit
memory/872-52-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/872-51-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/872-28-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-29-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-30-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-31-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/872-27-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-32-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-33-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-34-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-35-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/872-36-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-26-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/872-37-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2080-7-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-12-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2080-8-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-14-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-6-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-5-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-13-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2080-10-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-11-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-9-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-15-0x0000000002150000-0x0000000002179000-memory.dmp

Filesize
164KB

Download
memory/2080-4-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-2-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2080-3-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2660-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2660-53-0x000002CCB1310000-0x000002CCB1311000-memory.dmp

Filesize
4KB

Download
memory/2660-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3440-69-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-65-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-63-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-66-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-67-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-60-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-68-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-58-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-64-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-62-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-61-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3440-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3440-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3440-59-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download