kpot | 5e644560fd7fdd8e48232b56a453e6399cbd6fcd3bd9e2ca4b5ad080b65acae9

General

Target

4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe
Size

1.1MB
MD5

4734c0a9eb2772b527031de553554550
SHA1

7ce834104b1d61a14b7be9345e1e1b7630c171bc
SHA256

5e644560fd7fdd8e48232b56a453e6399cbd6fcd3bd9e2ca4b5ad080b65acae9
SHA512

d24154242aea538ef9996670d69d0f406ff3101f34172580d11b8007e30b5846419aef62b7f107d4acde103de0f5a3c45295d612de14e7c83253006f7d4ebae4
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMHI+rMUx+N43IAkPb:E5aIwC+Agr6StVEnmcI+2IAY

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3000-15-0x0000000002FE0000-0x0000000003009000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

pid	process
4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
Token: SeTcbPrivilege	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

pid	process
3000	4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe
4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe

description	pid	process	target process
PID 3000 wrote to memory of 4520	3000	4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
PID 3000 wrote to memory of 4520	3000	4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
PID 3000 wrote to memory of 4520	3000	4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4520 wrote to memory of 3340	4520	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4564 wrote to memory of 780	4564	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe
PID 4652 wrote to memory of 2500	4652	4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4734c0a9eb2772b527031de553554550_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3340

C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:780

C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\4834c0a9eb2882b628031de663664660_NeikiAnalytict.exe
Filesize
1.1MB

MD5
4734c0a9eb2772b527031de553554550

SHA1
7ce834104b1d61a14b7be9345e1e1b7630c171bc

SHA256
5e644560fd7fdd8e48232b56a453e6399cbd6fcd3bd9e2ca4b5ad080b65acae9

SHA512
d24154242aea538ef9996670d69d0f406ff3101f34172580d11b8007e30b5846419aef62b7f107d4acde103de0f5a3c45295d612de14e7c83253006f7d4ebae4

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
39KB

MD5
9734f289efe1dbab3ab4ff04ac1b2bb0

SHA1
73cffaad39021c84b3f3fbb3af460b2761e1c1e5

SHA256
2ad071d9aec1034f77c296a4cb40761a1419051954c39505045a3401ba41336e

SHA512
fb728270d45afaf82c8b3baf138f5ce5898345a76b5e9bdf51317b349726a90cc13cecc2a8571dd59fb04975a0f0b9e972d01dc2ceb3be09926b8281dd673beb

Download Submit
memory/3000-4-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-15-0x0000000002FE0000-0x0000000003009000-memory.dmp

Filesize
164KB

Download
memory/3000-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3000-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3000-14-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-12-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-11-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-9-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-8-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-7-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-6-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-3-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3340-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3340-51-0x00000237EE990000-0x00000237EE991000-memory.dmp

Filesize
4KB

Download
memory/4520-34-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-26-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-37-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-36-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4520-35-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-32-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-33-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-31-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-30-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-29-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-28-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-27-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4520-43-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4520-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4520-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4564-69-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-68-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-67-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-66-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-65-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-64-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-63-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-62-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-61-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-60-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-59-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-58-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4564-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4564-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads