kpot | e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe
Size

1.0MB
MD5

a04be63a0f8001136cbc6de67152c221
SHA1

93eef82de026008c7b2339e00a00e6ecabbb9569
SHA256

e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190
SHA512

003cca043614e6bea198fb938e2d0319c98c5a6847ea68a564f955eaa8eac5c0dad85d6c0b346e798a0f3421213654bb706292effe5902e46a6a964d8d0469f3
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUkhmZ9skLez:E5aIwC+Agr6SNbFs

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002354e-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3700-16-0x0000000002200000-0x0000000002229000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
Token: SeTcbPrivilege	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3700	e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe
1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1852	3700	e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe	91
PID 3700 wrote to memory of 1852	3700	e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe	91
PID 3700 wrote to memory of 1852	3700	e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe	91
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1852 wrote to memory of 700	1852	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	92
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 1564 wrote to memory of 4676	1564	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	110
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115
PID 3940 wrote to memory of 3460	3940	e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe
"C:\Users\Admin\AppData\Local\Temp\e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
1⤵
PID:2476

C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4676

C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\e794629f969906b9296f809f12696a188f7906ae6619c008232aa816d02b7190.exe

Filesize
1.0MB

MD5
a04be63a0f8001136cbc6de67152c221

SHA1
93eef82de026008c7b2339e00a00e6ecabbb9569

SHA256
e694529f958905b8295f709f12595a177f6905ae5519c007232aa715d02b6190

SHA512
003cca043614e6bea198fb938e2d0319c98c5a6847ea68a564f955eaa8eac5c0dad85d6c0b346e798a0f3421213654bb706292effe5902e46a6a964d8d0469f3

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
11KB

MD5
09d70e6e5890cdece13e6ab2cf811578

SHA1
0fc353ffc929663f1ad7a512489381d216664f75

SHA256
8a13fe9ce8387b846577edb9c275851aeaa05c796e1bb32a59d1a85ae0a95ce3

SHA512
5309206a23588b98b8f9c526814976a9a90c87334e24260623c45e1115af4880016da0cd602b923cded14e34c4e7a6efacb0d0127460852646ff378ce96e9e39

Download Submit
memory/700-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/700-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/700-51-0x000001E29AD70000-0x000001E29AD71000-memory.dmp

Filesize
4KB

Download
memory/1564-65-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-66-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-64-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-59-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-67-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-68-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-69-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-63-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-62-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-60-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-58-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-61-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1564-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1564-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1852-28-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/1852-33-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-32-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-31-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-30-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-29-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-34-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-27-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-26-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1852-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1852-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1852-35-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-36-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1852-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1852-37-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3700-11-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-9-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-5-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-6-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-7-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-3-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-4-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-10-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-2-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-12-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-13-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3700-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3700-16-0x0000000002200000-0x0000000002229000-memory.dmp

Filesize
164KB

Download
memory/3700-14-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3700-8-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download