kpot | 1a8765f015b8900eef56d9b3a5d983b23f89ff9b824b153038f5b7a3df85b4c6

Analysis

max time kernel
137s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe
Size

897KB
MD5

3304af626301c7559bcd937ce300ecc0
SHA1

2274927afe05e7e9e57b9c3897900a581cf82685
SHA256

1a8765f015b8900eef56d9b3a5d983b23f89ff9b824b153038f5b7a3df85b4c6
SHA512

0f0869dde252644bb04722a564a7c486d6736549b1c1566353e6859fd0f1131a334571cc6821c1f3b3557f845a2127e64c8d6f314f97bc5736955e03b59c65c4
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnmszgH:zQ5aILMCfmAUjzX6xQtjmssszgH

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023410-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4220-15-0x00000000021F0000-0x0000000002219000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
Token: SeTcbPrivilege	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4220	3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe
3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 3636	4220	3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe	82
PID 4220 wrote to memory of 3636	4220	3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe	82
PID 4220 wrote to memory of 3636	4220	3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe	82
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 3636 wrote to memory of 2016	3636	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	84
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 1124 wrote to memory of 4644	1124	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	103
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113
PID 4532 wrote to memory of 1404	4532	3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3304af626301c7559bcd937ce300ecc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2016

C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4644

C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\3304af727301c8669bcd938ce300ecc0_NeikiAnalytict.exe

Filesize
897KB

MD5
3304af626301c7559bcd937ce300ecc0

SHA1
2274927afe05e7e9e57b9c3897900a581cf82685

SHA256
1a8765f015b8900eef56d9b3a5d983b23f89ff9b824b153038f5b7a3df85b4c6

SHA512
0f0869dde252644bb04722a564a7c486d6736549b1c1566353e6859fd0f1131a334571cc6821c1f3b3557f845a2127e64c8d6f314f97bc5736955e03b59c65c4

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
64KB

MD5
8b7259eee21daf511229943aebaf77da

SHA1
36c3a9ad1666aa80a68785d2198e63f4a0286704

SHA256
c761fc21290ef60fcde6985da5879426b2b22df3e3db00a60ceb69cdf704a018

SHA512
5fe155a7af5f2a1acfaabdfc39dad4684d2c830f11d3e5f4d4c072d905f37871b55e4cf50a054a34561655cbb87fe0bb56be3f94b1a132bffbf98bc8908306ac

Download Submit
memory/1124-62-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-65-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-58-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-59-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-60-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-61-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-69-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-63-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-64-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1124-66-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-67-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-68-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1124-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2016-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2016-51-0x0000022F4B740000-0x0000022F4B741000-memory.dmp

Filesize
4KB

Download
memory/2016-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3636-31-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-53-0x0000000003150000-0x0000000003419000-memory.dmp

Filesize
2.8MB

Download
memory/3636-36-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-35-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-34-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-33-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-32-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3636-30-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-29-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-26-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3636-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3636-37-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-27-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-28-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3636-52-0x0000000002B90000-0x0000000002C4E000-memory.dmp

Filesize
760KB

Download
memory/4220-13-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-11-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-8-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-9-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-15-0x00000000021F0000-0x0000000002219000-memory.dmp

Filesize
164KB

Download
memory/4220-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4220-2-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-12-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-10-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-14-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4220-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-4-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-5-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4220-7-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download