kpot | 3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76

Analysis

max time kernel
139s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe
Size

1.5MB
MD5

40dd05b56bf98199aadbed28207d51fb
SHA1

faa08e44867bb2f19c968b3148185a78ade55ae8
SHA256

3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76
SHA512

44815f53dae643ea82964a91d1854bf27741d62c50145443fe2e2ecb9b11c706909e4cc196eeffca9558a1e462fad6de91f924c0a30c885b1d0bec27dae32b4d
SSDEEP

24576:zQ5aILMCfmAUjzX6xQtpj/Yz6XVSvmHaZkI+oq6dTnHv5yIi734DHrPyYN/y:E5aIwC+Agr6St1lOqq+jCpLPy

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023310-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3008-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
Token: SeTcbPrivilege	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3008	3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe
5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 5048	3008	3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe	91
PID 3008 wrote to memory of 5048	3008	3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe	91
PID 3008 wrote to memory of 5048	3008	3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe	91
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 5048 wrote to memory of 3444	5048	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	92
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3652 wrote to memory of 3188	3652	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	108
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117
PID 3264 wrote to memory of 1904	3264	3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe
"C:\Users\Admin\AppData\Local\Temp\3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:3080

C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3188

C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\3db1b439099c3103979f1f10437adfac892e9999ee87378ae9cbc991ac147a87.exe

Filesize
1.5MB

MD5
40dd05b56bf98199aadbed28207d51fb

SHA1
faa08e44867bb2f19c968b3148185a78ade55ae8

SHA256
3db1b438098c3103968f1f10436adfac782e9899ee76367ae9cbc881ac146a76

SHA512
44815f53dae643ea82964a91d1854bf27741d62c50145443fe2e2ecb9b11c706909e4cc196eeffca9558a1e462fad6de91f924c0a30c885b1d0bec27dae32b4d

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
48KB

MD5
39ac649093b24997ef3b8ace0d587fb3

SHA1
c99b7712e4817ba2ae48a38ad8e84f2801d6243a

SHA256
0b6c166edf0f987e22fc9be80caac18772926dc3ff5559e742ed2c5ae7be7162

SHA512
bec8238d540ab4a7434eec817720a33ed5f0903a721be4f6283c252befe6496c88fb579c5b5da2f009adfb023839941e8445c91df292afb30cb3cae9bc3fd920

Download Submit
memory/3008-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3008-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3008-5-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-4-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-3-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-10-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp

Filesize
164KB

Download
memory/3008-9-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-6-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-14-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-13-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-12-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-11-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-7-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3008-8-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3444-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3444-53-0x0000025B90E80000-0x0000025B90E81000-memory.dmp

Filesize
4KB

Download
memory/3444-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3652-67-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-69-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-74-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3652-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3652-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3652-58-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-59-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-60-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-61-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-62-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-63-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-64-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-65-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-66-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3652-68-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/5048-26-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-36-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-28-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-29-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-51-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/5048-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5048-37-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/5048-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/5048-52-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/5048-27-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-31-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-32-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-33-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-34-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-35-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/5048-30-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download