kpot | 915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe
Size

1.3MB
MD5

4722b41cda23cc52e749283e50991ce3
SHA1

f96ee335604b6ebecf4d36831a03c65d8fab258a
SHA256

915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b
SHA512

d9fc42a4f95cc87f352f1e5e5ccf3cc844799ce82f3b0706f6d4f137a2888ada7a11af51c8fc9e2e3e5be682d2baabd3dc255e812477bea53a26d5f664499215
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMc7qzz1IojVD0nb2:E5aIwC+Agr6twjVDOb2

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023406-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4836-15-0x00000000021F0000-0x0000000002219000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
Token: SeTcbPrivilege	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4836	915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe
1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1388	4836	915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe	85
PID 4836 wrote to memory of 1388	4836	915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe	85
PID 4836 wrote to memory of 1388	4836	915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe	85
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 1388 wrote to memory of 4196	1388	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	86
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 3060 wrote to memory of 3588	3060	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	93
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95
PID 920 wrote to memory of 3384	920	916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe
"C:\Users\Admin\AppData\Local\Temp\915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4196

C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3588

C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\916ad7cccdf11303d69cc7990cc97a12614a667f021991ce1fca627bf323c88b.exe

Filesize
1.3MB

MD5
4722b41cda23cc52e749283e50991ce3

SHA1
f96ee335604b6ebecf4d36831a03c65d8fab258a

SHA256
915ad6cccdf11303d59cc6890cc86a12514a556f021981ce1fca526bf323c77b

SHA512
d9fc42a4f95cc87f352f1e5e5ccf3cc844799ce82f3b0706f6d4f137a2888ada7a11af51c8fc9e2e3e5be682d2baabd3dc255e812477bea53a26d5f664499215

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
63KB

MD5
9db0d100e67757205cb3ceb438b408e6

SHA1
adf8d46299320419dd2eb0c6a5f1397fe2a37361

SHA256
30d0a119611e9ba19d210a1aeeeea4b05a9d35d72d1c11c826dd774aef2bf478

SHA512
9ff5839c57cd8ff0cf1a96ef026eee82938db912aff52ac566df21b5c82b32fe17dfece8abdaf4a104ed091cafce3004158560cd7e051bb2a3790a83ed1adbaa

Download Submit
memory/1388-30-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-31-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1388-27-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-28-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-29-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-37-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1388-32-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-33-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-34-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-35-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-36-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1388-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1388-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/1388-26-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3060-58-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-68-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3060-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3060-62-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-64-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-66-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-67-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-69-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-59-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-65-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-63-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-61-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3060-60-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4196-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4196-51-0x000001B51A410000-0x000001B51A411000-memory.dmp

Filesize
4KB

Download
memory/4196-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4836-9-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-13-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-12-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-11-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-10-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4836-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-6-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4836-15-0x00000000021F0000-0x0000000002219000-memory.dmp

Filesize
164KB

Download
memory/4836-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4836-14-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download