kpot | 52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe
Size

1.1MB
MD5

9f4ec566dd51c26eabd78ca8f68e8b7c
SHA1

3c74ffea42606156093b6c3d1cbc35f61766ebea
SHA256

52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1
SHA512

b5f33e8842fb8816e4a565a74c31f233aeb8bc8ae111b274fbf380958f70a29b0b4d7d8c8438ea6b72ea8d91e1dd5143e2544f0bc02ae6504ccc69feb253ad56
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMHI+rMUx+N43IAkPE:E5aIwC+Agr6StVEnmcI+2IAz

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023433-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2292-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
Token: SeTcbPrivilege	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2292	52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe
2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2268	2292	52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe	83
PID 2292 wrote to memory of 2268	2292	52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe	83
PID 2292 wrote to memory of 2268	2292	52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe	83
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 2268 wrote to memory of 924	2268	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	84
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 1452 wrote to memory of 2612	1452	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	100
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109
PID 2628 wrote to memory of 1892	2628	62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe
"C:\Users\Admin\AppData\Local\Temp\52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:924

C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2612

C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\62cd61a78e382e7cc9979071e407630fdd07aaaf17b21d31ff9b3d2d9f81c3a1.exe

Filesize
1.1MB

MD5
9f4ec566dd51c26eabd78ca8f68e8b7c

SHA1
3c74ffea42606156093b6c3d1cbc35f61766ebea

SHA256
52cd51a67e372e6cc8869061e406530fdd06aaaf16b21d31ff9b3d2d8f71c3a1

SHA512
b5f33e8842fb8816e4a565a74c31f233aeb8bc8ae111b274fbf380958f70a29b0b4d7d8c8438ea6b72ea8d91e1dd5143e2544f0bc02ae6504ccc69feb253ad56

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
50KB

MD5
9701def03910be7d92c5df482bd5c4b8

SHA1
9b5f759651a085e80ec268f6df3d48838e9232c6

SHA256
38c867044393ce7a6f51444866c137650211b7a3c27ead413e12b1d4ec43615b

SHA512
a0bf305057a0a3107bd20def0bfee28bb6d5df8f3ea6666e6c78e74e2a4e4b19c99ea8715f6dec0c103859720ac0e7757756aefa6ed2a2ee7bb1d803482b0156

Download Submit
memory/924-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/924-51-0x000001909A720000-0x000001909A721000-memory.dmp

Filesize
4KB

Download
memory/924-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1452-64-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-68-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-60-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-58-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-66-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-67-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-69-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-63-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-65-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-62-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-61-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-59-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1452-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1452-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2268-31-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/2268-33-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2268-32-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/2268-30-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-29-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-28-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-27-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-26-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2268-35-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-36-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-37-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2268-34-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2292-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-4-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-12-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-6-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-8-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-5-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-10-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-11-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-13-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2292-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-14-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2292-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp

Filesize
164KB

Download