kpot | 7c41ee75e37ecc7fbd9de1c9f58fda942e6c0962d00dc1b77e32b3f65a3741c8

General

Target

0a7b8509692f0f9b871c7c25df7236f0.exe
Size

1.0MB
MD5

0a7b8509692f0f9b871c7c25df7236f0
SHA1

212db72c960e36d46467302cb79870fd44371178
SHA256

7c41ee75e37ecc7fbd9de1c9f58fda942e6c0962d00dc1b77e32b3f65a3741c8
SHA512

7b77fb482bb568526dc01275093da29a7b4260fd8f4a8cbe98f6024ea511b1d97a1f08dbe16f3d0daadcd68a859fcae5a2b5d8ba95bb9971b96761e34825c62b
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ9skw:E5aIwC+Agr6SNbG

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4840-17-0x0000000002B80000-0x0000000002BA9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe

pid process

1212 0a8b9609792f0f9b981c8c26df8237f0.exe
1652 0a8b9609792f0f9b981c8c26df8237f0.exe
3340 0a8b9609792f0f9b981c8c26df8237f0.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe

description pid process

Token: SeTcbPrivilege 1652 0a8b9609792f0f9b981c8c26df8237f0.exe
Token: SeTcbPrivilege 3340 0a8b9609792f0f9b981c8c26df8237f0.exe

pid	process
1212	0a8b9609792f0f9b981c8c26df8237f0.exe
1652	0a8b9609792f0f9b981c8c26df8237f0.exe
3340	0a8b9609792f0f9b981c8c26df8237f0.exe

description	pid	process
Token: SeTcbPrivilege	1652	0a8b9609792f0f9b981c8c26df8237f0.exe
Token: SeTcbPrivilege	3340	0a8b9609792f0f9b981c8c26df8237f0.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0a7b8509692f0f9b871c7c25df7236f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe

pid	process
4840	0a7b8509692f0f9b871c7c25df7236f0.exe
1212	0a8b9609792f0f9b981c8c26df8237f0.exe
1652	0a8b9609792f0f9b981c8c26df8237f0.exe
3340	0a8b9609792f0f9b981c8c26df8237f0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a7b8509692f0f9b871c7c25df7236f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe0a8b9609792f0f9b981c8c26df8237f0.exe

description	pid	process	target process
PID 4840 wrote to memory of 1212	4840	0a7b8509692f0f9b871c7c25df7236f0.exe	0a8b9609792f0f9b981c8c26df8237f0.exe
PID 4840 wrote to memory of 1212	4840	0a7b8509692f0f9b871c7c25df7236f0.exe	0a8b9609792f0f9b981c8c26df8237f0.exe
PID 4840 wrote to memory of 1212	4840	0a7b8509692f0f9b871c7c25df7236f0.exe	0a8b9609792f0f9b981c8c26df8237f0.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1212 wrote to memory of 1124	1212	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 1652 wrote to memory of 1844	1652	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe
PID 3340 wrote to memory of 1696	3340	0a8b9609792f0f9b981c8c26df8237f0.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a7b8509692f0f9b871c7c25df7236f0.exe
"C:\Users\Admin\AppData\Local\Temp\0a7b8509692f0f9b871c7c25df7236f0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1588

C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1844

C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\0a8b9609792f0f9b981c8c26df8237f0.exe
Filesize
1.0MB

MD5
0a7b8509692f0f9b871c7c25df7236f0

SHA1
212db72c960e36d46467302cb79870fd44371178

SHA256
7c41ee75e37ecc7fbd9de1c9f58fda942e6c0962d00dc1b77e32b3f65a3741c8

SHA512
7b77fb482bb568526dc01275093da29a7b4260fd8f4a8cbe98f6024ea511b1d97a1f08dbe16f3d0daadcd68a859fcae5a2b5d8ba95bb9971b96761e34825c62b

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
40KB

MD5
8ad5f0d59d7aa2bb3a5b596b45036336

SHA1
aa20c8a825c9b0f9b248cada13483ac94437ee54

SHA256
34c609a04a9d3c2a4f18d20c4f6d735307b54298d12dc9ac7fdc9240c4916c3e

SHA512
a6e7cc0864d2097ef56c5f775f4eb90d3bec646149687cd74175929536b93de7d5fc1d39492abed1fc9b259863945e91de2658a01368c167a673b71ce629a521

Download Submit
memory/1124-53-0x000002351DD70000-0x000002351DD71000-memory.dmp

Filesize
4KB

Download
memory/1124-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1212-29-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-30-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1212-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1212-27-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-28-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-35-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-51-0x00000000030A0000-0x000000000315E000-memory.dmp

Filesize
760KB

Download
memory/1212-31-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-32-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-33-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-34-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-52-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/1212-26-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-37-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1212-36-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1652-68-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-62-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1652-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1652-58-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-59-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-60-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-61-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-63-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-64-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-65-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-66-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-67-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1652-69-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4840-17-0x0000000002B80000-0x0000000002BA9000-memory.dmp

Filesize
164KB

Download
memory/4840-10-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-3-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-13-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-5-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-11-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-14-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-9-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-12-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-15-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4840-8-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-7-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-6-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-4-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4840-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4840-2-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads