kpot | 93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe
Size

945KB
MD5

0a55b482dca249b3c7d7a0c2d13551cf
SHA1

edcc7d8b878b10cd805cd50a897e1c42cd2de342
SHA256

93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f
SHA512

49f70fd5f3089c9c2d79e347c3248c35e1402025d4d3b987393807e9384f6165ff09c5c108b8b76334578042da6fa4955290b8cd3709211cac0404b9a8abce7a
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ/:E5aIwC+Agr6SNbh

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340d-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1240-15-0x00000000029D0000-0x00000000029F9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
Token: SeTcbPrivilege	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1240	93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe
3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3964	1240	93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe	81
PID 1240 wrote to memory of 3964	1240	93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe	81
PID 1240 wrote to memory of 3964	1240	93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe	81
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 3964 wrote to memory of 2724	3964	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	83
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 928 wrote to memory of 932	928	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	93
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95
PID 1036 wrote to memory of 4200	1036	93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe
"C:\Users\Admin\AppData\Local\Temp\93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2724

C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:932

C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\93668ee96d7fe1cbfadb6be2641a1662ddc8610eeec6b6f198c64b3f4e3de09f.exe

Filesize
945KB

MD5
0a55b482dca249b3c7d7a0c2d13551cf

SHA1
edcc7d8b878b10cd805cd50a897e1c42cd2de342

SHA256
93557ee95d6fe1cbfadb5be2541a1552ddc7510eeec5b5f197c54b3f4e3de08f

SHA512
49f70fd5f3089c9c2d79e347c3248c35e1402025d4d3b987393807e9384f6165ff09c5c108b8b76334578042da6fa4955290b8cd3709211cac0404b9a8abce7a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
17KB

MD5
ad4be672d2541c305397fd0349e072b3

SHA1
6416ca2fbee90c8ab742c161b941744c6cc76a06

SHA256
24639ed7673d347f2b43e439eb35f58431d017280809a3630b7185856c4610ac

SHA512
5f089922936b92bb14cf1714c30ee3e9ee7ae1e18ab619ff616d379f35a30eff8670422b6b22ee0afaf55e8f3c31153b6e6bf4b80f4399dbbf588e1f9a5f7bc9

Download Submit
memory/928-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/928-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/928-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/928-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1240-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1240-2-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-13-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-12-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-11-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-10-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-9-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-8-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-7-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-4-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-15-0x00000000029D0000-0x00000000029F9000-memory.dmp

Filesize
164KB

Download
memory/1240-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1240-14-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-6-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1240-3-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2724-51-0x0000018F53480000-0x0000018F53481000-memory.dmp

Filesize
4KB

Download
memory/2724-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3964-28-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3964-29-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3964-30-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-26-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-27-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-31-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/3964-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/3964-37-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-32-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-33-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-34-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-35-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-36-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3964-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download