kpot | 32da2833789e98e64aab32f079f7fc60585f37cbe019e3ec5c706e25f2358c25

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe
Size

1.1MB
MD5

66478190d00339ec93b4b6c10f1d0b30
SHA1

40e92c21ad4a5183c6d97edb84a4f4dcb30c9462
SHA256

32da2833789e98e64aab32f079f7fc60585f37cbe019e3ec5c706e25f2358c25
SHA512

55cf0074ff79ec7d2ec460267c21a9fc0b63cbc855cea6e22db59796371d6022b2962403b61c1f0c3c8bf5b452386031c24149b7669266c2bae629af2673517c
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMHI+rMUx+N43XVZpFyKN:E5aIwC+Agr6StVEnmcI+2zTyg

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233c0-22.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3632-15-0x0000000002950000-0x0000000002979000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
Token: SeTcbPrivilege	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3632	66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe
3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 3392	3632	66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe	82
PID 3632 wrote to memory of 3392	3632	66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe	82
PID 3632 wrote to memory of 3392	3632	66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe	82
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 3392 wrote to memory of 1568	3392	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	83
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4764 wrote to memory of 4648	4764	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	99
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108
PID 4568 wrote to memory of 1428	4568	77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66478190d00339ec93b4b6c10f1d0b30_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1568

C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4648

C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\77489190d00339ec93b4b7c10f1d0b30_NeikiAnalytict.exe

Filesize
1.1MB

MD5
66478190d00339ec93b4b6c10f1d0b30

SHA1
40e92c21ad4a5183c6d97edb84a4f4dcb30c9462

SHA256
32da2833789e98e64aab32f079f7fc60585f37cbe019e3ec5c706e25f2358c25

SHA512
55cf0074ff79ec7d2ec460267c21a9fc0b63cbc855cea6e22db59796371d6022b2962403b61c1f0c3c8bf5b452386031c24149b7669266c2bae629af2673517c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
45KB

MD5
ffd8486ce27b29682281ba170cfa4c9c

SHA1
0cac36148b973121e4f21c9b032104dc4434d852

SHA256
228b074c1f39304d66e1af216cf47483de8f3bdf1208eab0ce8874104caf8170

SHA512
eaee75542bd1285003c407844cda09cd36f5a8b21d3d74b05465f8dd2ece28edfae21c73c8746a4926f9e7fd3c0cd92eb237bc2afcfa5cf6397a05b8ece5d1b2

Download Submit
memory/1568-51-0x00000164A71A0000-0x00000164A71A1000-memory.dmp

Filesize
4KB

Download
memory/1568-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1568-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3392-28-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-30-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3392-26-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-27-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-34-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-29-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-52-0x0000000003110000-0x00000000031CE000-memory.dmp

Filesize
760KB

Download
memory/3392-31-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-32-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-33-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-53-0x00000000031D0000-0x0000000003499000-memory.dmp

Filesize
2.8MB

Download
memory/3392-37-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-36-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-35-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3392-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3632-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3632-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-6-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-14-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-9-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-10-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-11-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-12-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-15-0x0000000002950000-0x0000000002979000-memory.dmp

Filesize
164KB

Download
memory/3632-13-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3632-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4764-69-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-67-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-66-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-65-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-64-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-63-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-62-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-61-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-60-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-58-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4764-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4764-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4764-68-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download