kpot | f13f6836fa72c9348426a9778b98d58a5f58e80c7bb4a6ac29d3ca0901fefe99

General

Target

0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe
Size

936KB
MD5

0087d536ca5cc779a0506ff565215610
SHA1

428f50f4b30b29341f8362e89436a8e1fd39bd5b
SHA256

f13f6836fa72c9348426a9778b98d58a5f58e80c7bb4a6ac29d3ca0901fefe99
SHA512

e69a8256093c92253251fe4d8fd0fb7d10bcb251e2dda5fd8d394e34210a0b61bce5d2169aceecf505112030825a139a72ca8ae0357876adfefad72693ffd5fe
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQNhW4L3ANa7nEk:zQ5aILMCfmAUjzX6xQtjmsNL4a7Ek

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1816-15-0x0000000002BC0000-0x0000000002BE9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

pid	process
4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
Token: SeTcbPrivilege	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

pid	process
1816	0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe
4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe

description	pid	process	target process
PID 1816 wrote to memory of 4696	1816	0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
PID 1816 wrote to memory of 4696	1816	0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
PID 1816 wrote to memory of 4696	1816	0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 4696 wrote to memory of 3044	4696	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2444 wrote to memory of 4776	2444	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe
PID 2180 wrote to memory of 3604	2180	0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0087d536ca5cc779a0506ff565215610_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3044

C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4776

C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\0098d637ca6cc889a0607ff676216710_NeikiAnalytict.exe
Filesize
936KB

MD5
0087d536ca5cc779a0506ff565215610

SHA1
428f50f4b30b29341f8362e89436a8e1fd39bd5b

SHA256
f13f6836fa72c9348426a9778b98d58a5f58e80c7bb4a6ac29d3ca0901fefe99

SHA512
e69a8256093c92253251fe4d8fd0fb7d10bcb251e2dda5fd8d394e34210a0b61bce5d2169aceecf505112030825a139a72ca8ae0357876adfefad72693ffd5fe

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
26KB

MD5
a34bb8d84c99b6b35a18d336dd77c33e

SHA1
1e4cf3a829f9f3ac8d918d4ac77903dd42cb771c

SHA256
891378909e01379c19c2611484f0e35def7176d8794953bcc8a5bc4e94b4ebb5

SHA512
f9b432875b638c8acc3a549b43c0d30491c9e9992212bec243b4fa578d23c8cdf895b1f7637ef274b675155ef6f0ec8ee5c926889cceaa0a81f54079e5c87e88

Download Submit
memory/1816-15-0x0000000002BC0000-0x0000000002BE9000-memory.dmp

Filesize
164KB

Download
memory/1816-6-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-11-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-10-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-9-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-8-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-7-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-12-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1816-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1816-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-4-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-3-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-2-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-13-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1816-14-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2444-68-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-69-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2444-58-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-59-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-60-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-61-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-62-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-63-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2444-64-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-65-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-66-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2444-67-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3044-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3044-51-0x0000022E96010000-0x0000022E96011000-memory.dmp

Filesize
4KB

Download
memory/4696-31-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-32-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4696-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4696-26-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-28-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-29-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-30-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4696-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4696-33-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-34-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-35-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-36-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-37-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4696-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4696-27-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads