kpot | cc033a7139570c93b327b1fce324851cce00d81447dea0d0de076ff5e6c2fb82

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe
Size

1.1MB
MD5

acf4bcbb83a2b4a75fdd75346ea41490
SHA1

d5a27bdce34763bd20a3db2ddce4495323dd30ee
SHA256

cc033a7139570c93b327b1fce324851cce00d81447dea0d0de076ff5e6c2fb82
SHA512

f1833af44d800dbd196f22d46602698f6347274cb884552857d957a8590416493a364a4ad8fe2f94b1323c77f424abc54a50e39a32089afb84ecd0df69ebac0a
SSDEEP

24576:zQ5aILMCfmAUjzX6xQt+4En+bcMHI+rMUx+N43XVZpFyD:E5aIwC+Agr6StVEnmcI+2zTyD

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023432-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4988-15-0x0000000002FF0000-0x0000000003019000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
Token: SeTcbPrivilege	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4988	acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe
1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1360	4988	acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe	82
PID 4988 wrote to memory of 1360	4988	acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe	82
PID 4988 wrote to memory of 1360	4988	acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe	82
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1360 wrote to memory of 116	1360	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	83
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 1680 wrote to memory of 1192	1680	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	103
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111
PID 3760 wrote to memory of 1036	3760	acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\acf4bcbb83a2b4a75fdd75346ea41490_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:116

C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1192

C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\acf4bcbb93a2b4a86fdd86347ea41490_NeikiAnalytict.exe

Filesize
1.1MB

MD5
acf4bcbb83a2b4a75fdd75346ea41490

SHA1
d5a27bdce34763bd20a3db2ddce4495323dd30ee

SHA256
cc033a7139570c93b327b1fce324851cce00d81447dea0d0de076ff5e6c2fb82

SHA512
f1833af44d800dbd196f22d46602698f6347274cb884552857d957a8590416493a364a4ad8fe2f94b1323c77f424abc54a50e39a32089afb84ecd0df69ebac0a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
30KB

MD5
1f11dcad5d7db41a68c36df4f12c65d3

SHA1
b720c1d050059452ec75c518e79381dcdd13ec99

SHA256
22efff8b373b85dae69658a22756a2e97cb26499e099650b8e454a8135dea9ae

SHA512
f1a9dfab556f7b1f2ada8b4431a72f2ae7f1bafc96d45090381eee7bc712b6a0ac5f230ea9db231cc1a985591f377a40f2dcd77f9fd734f0a36a403a09efdb95

Download Submit
memory/116-51-0x000001FC7F590000-0x000001FC7F591000-memory.dmp

Filesize
4KB

Download
memory/116-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/116-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1360-30-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-31-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1360-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1360-29-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-35-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-27-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1360-32-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-33-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-34-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/1360-26-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-28-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-37-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1360-36-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1680-69-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-68-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1680-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1680-58-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-59-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-60-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-61-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-62-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-63-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-64-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-65-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-66-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1680-67-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4988-11-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-12-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4988-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4988-15-0x0000000002FF0000-0x0000000003019000-memory.dmp

Filesize
164KB

Download
memory/4988-14-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-13-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-3-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-4-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-10-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-9-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-8-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-7-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-6-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-5-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4988-2-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download