kpot | 576c4e101fec8d64a8c2709c01b01fe0c86d7f688d3660b04ef67ad8fc5df7c8

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe
Size

1.2MB
MD5

c4ff1f815f5b3578bd5b0c1f28124cb0
SHA1

797e41b8638da445c77f4c3a6006302878310b10
SHA256

576c4e101fec8d64a8c2709c01b01fe0c86d7f688d3660b04ef67ad8fc5df7c8
SHA512

3119759336f76de157bb130b6ed861d8eb56f870bf682d0a7a99930f0376e0e631874d83272af9eec5a5663f92e20d67f8fd1b0025c4cb2136d9dd29f87a72d5
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOxA5zYlQvmp8RxAb5J6iHsl5TJ0:E5aIwC+Agr6StVEnmcKxYDvZThTO

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1944-15-0x0000000002270000-0x0000000002299000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exec4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exec4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

pid	process
2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exec4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
Token: SeTcbPrivilege	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exec4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exec4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exec4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

pid	process
1944	c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe
2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1944 wrote to memory of 2332	1944	c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
PID 1944 wrote to memory of 2332	1944	c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
PID 1944 wrote to memory of 2332	1944	c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 2332 wrote to memory of 4108	2332	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 5000 wrote to memory of 3928	5000	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe
PID 1148 wrote to memory of 4676	1148	c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c4ff1f815f5b3578bd5b0c1f28124cb0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4548

C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3928

C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\c4ff1f916f6b3689bd6b0c1f29124cb0_NeikiAnalytict.exe

Filesize
1.2MB

MD5
c4ff1f815f5b3578bd5b0c1f28124cb0

SHA1
797e41b8638da445c77f4c3a6006302878310b10

SHA256
576c4e101fec8d64a8c2709c01b01fe0c86d7f688d3660b04ef67ad8fc5df7c8

SHA512
3119759336f76de157bb130b6ed861d8eb56f870bf682d0a7a99930f0376e0e631874d83272af9eec5a5663f92e20d67f8fd1b0025c4cb2136d9dd29f87a72d5

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
51KB

MD5
1f141ddddea2fc0e0c934630a6691c6a

SHA1
d1eaca600b094bcdcca3917ebbd86a014fda0b57

SHA256
4400b2dd2d0b9144bed42f6cc9a772902f09fe2e33af654edd1d5ca02673a17b

SHA512
ea8666226e935bad1d654238e7d57ae316ee3b37e37b8d6ea569d2bc77c065fbec0d9ad07b0325d9ec96bea9b0efa1d5f1cd6f4a388f7f163066085efc0d978d

Download Submit
memory/1944-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-3-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-2-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-6-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-14-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-13-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-12-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-11-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-10-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-8-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-7-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-5-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1944-15-0x0000000002270000-0x0000000002299000-memory.dmp

Filesize
164KB

Download
memory/1944-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1944-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2332-37-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-36-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-35-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-34-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-33-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-32-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-31-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-30-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-29-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-28-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-27-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-26-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2332-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2332-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2332-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2332-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/2332-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4108-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4108-51-0x0000022B0CDD0000-0x0000022B0CDD1000-memory.dmp

Filesize
4KB

Download
memory/5000-58-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-60-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-59-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-61-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-63-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-65-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-66-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-68-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-69-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-67-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-64-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-62-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/5000-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/5000-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download