kpot | 50906c7f76bacc04a59ad1a42c31fbdb7d809d356480bfc25fc66768ba81c710

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe
Size

958KB
MD5

79429109e926cc92bbc7a263ac9c73b0
SHA1

c32e62b61a091a7f82c079e8f608d41a821c9ffa
SHA256

50906c7f76bacc04a59ad1a42c31fbdb7d809d356480bfc25fc66768ba81c710
SHA512

28409af1d53ba0273bf41c4b4e9169f3f836ef1084aefea1fd0fa76b4248643172a99499e3e65cd4a15b92c13ce22d525fa3f183d9ff04cfc47a1af2460c7c0d
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZh:E5aIwC+Agr6SNbb

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4052-15-0x0000000002230000-0x0000000002259000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

pid	process
4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
Token: SeTcbPrivilege	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

pid	process
4052	79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe
4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4052 wrote to memory of 4716	4052	79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
PID 4052 wrote to memory of 4716	4052	79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
PID 4052 wrote to memory of 4716	4052	79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 4716 wrote to memory of 2476	4716	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 1208 wrote to memory of 4896	1208	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe
PID 2192 wrote to memory of 4056	2192	89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79429109e926cc92bbc7a263ac9c73b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2476

C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4896

C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\89429109e927cc92bbc8a273ac9c83b0_NeikiAnalytict.exe

Filesize
958KB

MD5
79429109e926cc92bbc7a263ac9c73b0

SHA1
c32e62b61a091a7f82c079e8f608d41a821c9ffa

SHA256
50906c7f76bacc04a59ad1a42c31fbdb7d809d356480bfc25fc66768ba81c710

SHA512
28409af1d53ba0273bf41c4b4e9169f3f836ef1084aefea1fd0fa76b4248643172a99499e3e65cd4a15b92c13ce22d525fa3f183d9ff04cfc47a1af2460c7c0d

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
35KB

MD5
0ebecad44daf28f263a0617b66d58d9e

SHA1
9b6d031a2826667fcb2908db5d3d27d642240c67

SHA256
de78aebcc097979028067fd71fe7146ae5cb1a90b73f9658253ba961c6a53f0a

SHA512
9fe7a22c1c0877021635897c5ebf11e7870d020f0077879cd98b8f40e3037c9d0e9a9505dcfaefe7e616dee88d6ec06ea360653a4fb7fcceafcef4dd60d7b9d1

Download Submit
memory/1208-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1208-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1208-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1208-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2476-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2476-51-0x0000019580A80000-0x0000019580A81000-memory.dmp

Filesize
4KB

Download
memory/2476-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4052-15-0x0000000002230000-0x0000000002259000-memory.dmp

Filesize
164KB

Download
memory/4052-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4052-13-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-12-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-11-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-10-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-9-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-8-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-7-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-6-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-5-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-4-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-3-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-2-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-14-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4052-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4716-26-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-34-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-52-0x0000000003080000-0x000000000313E000-memory.dmp

Filesize
760KB

Download
memory/4716-37-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-36-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-35-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4716-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4716-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4716-53-0x0000000003140000-0x0000000003409000-memory.dmp

Filesize
2.8MB

Download
memory/4716-27-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-28-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-29-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-30-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-31-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-32-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4716-33-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download