kpot | 5da4a387c7225fbd8fe532b1798bd5deb06bc2074610e28225016bc746ecb6ca

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe
Size

1.1MB
MD5

f338cffc5521802e88db04bca8b15530
SHA1

0a93ca88790435c6ad8aa62225ce034a3ff4b2ff
SHA256

5da4a387c7225fbd8fe532b1798bd5deb06bc2074610e28225016bc746ecb6ca
SHA512

fca8d151c41ac8150b93d6fe6a11854b14f8e554e1a6a151ac5e8608ff90813d6603ba970f0ae7d53a44d8be78810455587d4384ae3ffb009a3838bbbee39067
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSM632:E5aIwC+Agr6SNG2

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023541-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4004-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
Token: SeTcbPrivilege	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4004	f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe
5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 5028	4004	f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe	90
PID 4004 wrote to memory of 5028	4004	f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe	90
PID 4004 wrote to memory of 5028	4004	f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe	90
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 5028 wrote to memory of 1360	5028	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	91
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 4840 wrote to memory of 2584	4840	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	106
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116
PID 5044 wrote to memory of 3632	5044	f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f338cffc5521802e88db04bca8b15530_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:3928

C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2584

C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\f339cffc6621902e99db04bca9b16630_NeikiAnalytict.exe

Filesize
1.1MB

MD5
f338cffc5521802e88db04bca8b15530

SHA1
0a93ca88790435c6ad8aa62225ce034a3ff4b2ff

SHA256
5da4a387c7225fbd8fe532b1798bd5deb06bc2074610e28225016bc746ecb6ca

SHA512
fca8d151c41ac8150b93d6fe6a11854b14f8e554e1a6a151ac5e8608ff90813d6603ba970f0ae7d53a44d8be78810455587d4384ae3ffb009a3838bbbee39067

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
37KB

MD5
fc0f2895c4481d578b705b433ede9bc0

SHA1
b1c0f3a340ff1c25f0991e5291c16d95b7337f51

SHA256
3edb8d9621c2117af68587f7b4a22d01918deef22c5f3df276c739a699623012

SHA512
c3cf2c484952477ff02f3d91a353a28865c46da68b2f5bd355ea30fe34dee0f68ae2401bef7271051859e5f0f0bd5dcb225b83332f4999fce2fc962de1bd1c74

Download Submit
memory/1360-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1360-51-0x0000020749400000-0x0000020749401000-memory.dmp

Filesize
4KB

Download
memory/4004-4-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-8-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-7-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-6-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-10-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-9-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-2-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4004-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp

Filesize
164KB

Download
memory/4004-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4004-11-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-12-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-14-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4004-13-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4840-63-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-69-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4840-58-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-59-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-61-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-62-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4840-66-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-60-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-68-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-67-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-65-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4840-64-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/5028-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/5028-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/5028-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/5028-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download