kpot | b33b49e8d3ea86d34e8b1ea2cb8a7c5164cfce909a71f121a4f3f81057e544c1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe
Size

1.1MB
MD5

8005b95aa2e77989c5e9ab473e97b110
SHA1

a4c2b0cb0d81f969b23d5dd7e99f48bd55fe6b8c
SHA256

b33b49e8d3ea86d34e8b1ea2cb8a7c5164cfce909a71f121a4f3f81057e544c1
SHA512

2d7cfe1a1352d918eb2d31f6c1135f0af057f2a06cb4d447a0fc0acc4a68dc760bcbc2f4aade258b1643adc6c38d242111aa38d5a726586f81a86361fc1643b4
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMHI+rMUx+N43XVZpFyD:E5aIwC+Agr6StVEnmcI+2zTyD

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023407-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4268-15-0x0000000002A10000-0x0000000002A39000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
Token: SeTcbPrivilege	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4268	8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe
1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 1632	4268	8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe	82
PID 4268 wrote to memory of 1632	4268	8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe	82
PID 4268 wrote to memory of 1632	4268	8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe	82
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 1632 wrote to memory of 1940	1632	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	83
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3352 wrote to memory of 220	3352	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	99
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107
PID 3276 wrote to memory of 2544	3276	9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8005b95aa2e77989c5e9ab473e97b110_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1940

C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:220

C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\9006b96aa2e88999c6e9ab483e98b110_NeikiAnalytict.exe

Filesize
1.1MB

MD5
8005b95aa2e77989c5e9ab473e97b110

SHA1
a4c2b0cb0d81f969b23d5dd7e99f48bd55fe6b8c

SHA256
b33b49e8d3ea86d34e8b1ea2cb8a7c5164cfce909a71f121a4f3f81057e544c1

SHA512
2d7cfe1a1352d918eb2d31f6c1135f0af057f2a06cb4d447a0fc0acc4a68dc760bcbc2f4aade258b1643adc6c38d242111aa38d5a726586f81a86361fc1643b4

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
42KB

MD5
3de4d0463e2a1926ed0284b87fe4d452

SHA1
9e2d9a40f4d88d1631c259cd87d5dde292f9a461

SHA256
da04b717db5ab7c38be00e1d39eb00728da7564cb614ed3f94e327c81b1d1eed

SHA512
2158bafcc5b01a2d8fc941f94a0a8bacf66b719d0f165ce566da624f8c188fad43e7db065ec91da5506a34c945f4f16352ed45e1def578f65549bb3fbc8c8b08

Download Submit
memory/1632-27-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-28-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-34-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1632-35-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1632-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1632-26-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-33-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-36-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-29-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-30-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-31-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-32-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1632-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/1632-37-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1940-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1940-51-0x000002857B4B0000-0x000002857B4B1000-memory.dmp

Filesize
4KB

Download
memory/1940-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3352-62-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-61-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3352-58-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-60-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3352-63-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-64-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-65-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-66-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-67-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-59-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-68-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3352-69-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4268-7-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-8-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-13-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-12-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-11-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-10-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-9-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-15-0x0000000002A10000-0x0000000002A39000-memory.dmp

Filesize
164KB

Download
memory/4268-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4268-6-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-5-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-4-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-3-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-2-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4268-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4268-14-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download