kpot | 390b57540c7ab3f9bbb500b3adf9f8eb1603a1573cb495ba64059c6e94717fb0

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe
Size

1.2MB
MD5

263e906ad0f06d12469bb05958210550
SHA1

0eb5fbda88b113086c9ceb5d8da5588a7f74eb38
SHA256

390b57540c7ab3f9bbb500b3adf9f8eb1603a1573cb495ba64059c6e94717fb0
SHA512

ec69e247fd15c53b8621f6d358f5c40056881a2c288a59dec730a48e17d0ae33e6b2f427756ec7d32f73163453424b71bb56f1595ec5c9e9ea8296dd2e72b36b
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sd8zG7u75+FmVf6IIwQREr0F:E5aIwC+Agr6S/FEAGsjiIIbErg

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1976-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

pid	process
1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
Token: SeTcbPrivilege	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

pid	process
1976	263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe
1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1976 wrote to memory of 1520	1976	263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
PID 1976 wrote to memory of 1520	1976	263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
PID 1976 wrote to memory of 1520	1976	263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 4236	1520	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 4484 wrote to memory of 3188	4484	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe
PID 3060 wrote to memory of 756	3060	273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\263e906ad0f06d12469bb05958210550_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4236

C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3188

C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\273e907ad0f07d12479bb06969210660_NeikiAnalytict.exe

Filesize
1.2MB

MD5
263e906ad0f06d12469bb05958210550

SHA1
0eb5fbda88b113086c9ceb5d8da5588a7f74eb38

SHA256
390b57540c7ab3f9bbb500b3adf9f8eb1603a1573cb495ba64059c6e94717fb0

SHA512
ec69e247fd15c53b8621f6d358f5c40056881a2c288a59dec730a48e17d0ae33e6b2f427756ec7d32f73163453424b71bb56f1595ec5c9e9ea8296dd2e72b36b

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
29KB

MD5
04bab62561d421ecc24a5d6e20c96d3c

SHA1
86843b59ed4863890e7e205a36375919772b9f62

SHA256
26e1825ec9b956ca7ae4da1b0977d7b0dd64bb485f373a951e044b413c5c31eb

SHA512
ec0084ed19d6f1f195e6a883e0b40f8c3854fa0d57cb3eb48edcd67635edbc13cdf9938490a3addaabe215ee5984691018453ae427dd9674ef805b067f699c03

Download Submit
memory/1520-30-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-31-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1520-27-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-28-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-29-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1520-52-0x0000000003100000-0x00000000031BE000-memory.dmp

Filesize
760KB

Download
memory/1520-32-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-33-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-34-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-35-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-36-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-37-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1520-53-0x00000000031C0000-0x0000000003489000-memory.dmp

Filesize
2.8MB

Download
memory/1520-26-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1976-6-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-3-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1976-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/1976-4-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-7-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-8-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-9-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-11-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-12-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-14-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1976-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1976-2-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4236-51-0x000002E637770000-0x000002E637771000-memory.dmp

Filesize
4KB

Download
memory/4236-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4236-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4484-66-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-58-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-68-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-69-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-67-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-61-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4484-63-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-65-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-64-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-62-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-59-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4484-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4484-60-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download