kpot | f6cf48fd583b56af9e05f3a0301fa5643be49cdc4f188392de3e7ba2d7578802

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe
Size

921KB
MD5

c32b3b514199c230727a6671d394d9f0
SHA1

41a4d0753e5949395cdf0e6743bd6441f5637ce5
SHA256

f6cf48fd583b56af9e05f3a0301fa5643be49cdc4f188392de3e7ba2d7578802
SHA512

98e8c252d96ea83a1ffc6da9e10f14bc90d415dd364102acde859d5210b2542dff02108d3c8a08609ee8e094247a926900af29b693f4b35cba6703571574bc00
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4EnpZgkJOSSkgh:E5aIwC+Agr6StVEn0ksLh

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3128-15-0x0000000002930000-0x0000000002959000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exec32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exec32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

pid	process
4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exec32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
Token: SeTcbPrivilege	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exec32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exec32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exec32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

pid	process
3128	c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe
4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3128 wrote to memory of 4676	3128	c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
PID 3128 wrote to memory of 4676	3128	c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
PID 3128 wrote to memory of 4676	3128	c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 4676 wrote to memory of 516	4676	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 232 wrote to memory of 4392	232	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe
PID 1696 wrote to memory of 5096	1696	c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c32b3b514199c230727a6671d394d9f0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:2708

C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4392

C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\c32b3b614199c230828a7781d394d9f0_NeikiAnalytict.exe

Filesize
921KB

MD5
c32b3b514199c230727a6671d394d9f0

SHA1
41a4d0753e5949395cdf0e6743bd6441f5637ce5

SHA256
f6cf48fd583b56af9e05f3a0301fa5643be49cdc4f188392de3e7ba2d7578802

SHA512
98e8c252d96ea83a1ffc6da9e10f14bc90d415dd364102acde859d5210b2542dff02108d3c8a08609ee8e094247a926900af29b693f4b35cba6703571574bc00

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
31KB

MD5
a1b88738be0995d07a2349f5708a996e

SHA1
164c47123e90b210276864bda7e8f9e95f6fda8d

SHA256
a1166314cece4f38a12ad6e629a6b2219431876d1196cb0bfc8c17411b44c0e5

SHA512
26227f481989cff6ca319dfeac642308de9e4b599b3da1ad8550b7d5552bd8711e722e1ed01525fe3fc217e70b233c97b66a046639d856e592557eb6cb488a62

Download Submit
memory/232-62-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-63-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-58-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-59-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-61-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/232-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/232-64-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-65-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-66-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-67-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-68-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/232-69-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/516-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/516-51-0x000001D021510000-0x000001D021511000-memory.dmp

Filesize
4KB

Download
memory/3128-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-14-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3128-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3128-13-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-12-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-11-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-10-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-9-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-6-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-15-0x0000000002930000-0x0000000002959000-memory.dmp

Filesize
164KB

Download
memory/3128-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3128-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4676-28-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-26-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4676-37-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4676-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4676-36-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4676-27-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-35-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-29-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-30-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-31-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-32-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-33-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4676-34-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download