kpot | ba25564af5c21a501187f82156108be077ae9681994d37446338a108fe86820e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe
Size

1.1MB
MD5

b9b545085e23c0b6ce5236742ba877d0
SHA1

4f1d59594fe21c95003974f1c93406148a882f35
SHA256

ba25564af5c21a501187f82156108be077ae9681994d37446338a108fe86820e
SHA512

477c8c0c2c534f06ac83704a8270c46218ffb3f19d3ded7e8eadb8a8c43154523eb8e648594197f4dbf0c36b6f7a553dde31ad1e66657e8f6c3d04da71ba067d
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSM6J:E5aIwC+Agr6SNO

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1148-16-0x0000000002AB0000-0x0000000002AD9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exeb9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exeb9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

pid	process
4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exeb9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
Token: SeTcbPrivilege	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exeb9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exeb9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exeb9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

pid	process
1148	b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe
4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1148 wrote to memory of 4012	1148	b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
PID 1148 wrote to memory of 4012	1148	b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
PID 1148 wrote to memory of 4012	1148	b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 5012	4012	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 3264 wrote to memory of 1044	3264	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe
PID 4316 wrote to memory of 3588	4316	b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b9b545085e23c0b6ce5236742ba877d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:5012

C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1044

C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\b9b646096e23c0b7ce6237842ba988d0_NeikiAnalytict.exe

Filesize
1.1MB

MD5
b9b545085e23c0b6ce5236742ba877d0

SHA1
4f1d59594fe21c95003974f1c93406148a882f35

SHA256
ba25564af5c21a501187f82156108be077ae9681994d37446338a108fe86820e

SHA512
477c8c0c2c534f06ac83704a8270c46218ffb3f19d3ded7e8eadb8a8c43154523eb8e648594197f4dbf0c36b6f7a553dde31ad1e66657e8f6c3d04da71ba067d

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
31KB

MD5
df1975d141c9ceff0ddb6ee88f63b28b

SHA1
0bc582db8c789075bb1a49107bb481953a20c08f

SHA256
38c0f3be27075722dc9600889b9bbbdf3fddee81b67174d8c127e2ff180bb5ad

SHA512
31dafaacba4637d39d31d0159fe344dc5d0310b71feb4cc5dc42e1508cb27235e670ccd0f4bdcf275adb809bbf6b4c694b421ef68c0d8f6afb41ab9fc07b858b

Download Submit
memory/1148-7-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-6-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-11-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-10-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-8-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-13-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-16-0x0000000002AB0000-0x0000000002AD9000-memory.dmp

Filesize
164KB

Download
memory/1148-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1148-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1148-5-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-4-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-3-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-12-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1148-14-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3264-68-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-69-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3264-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3264-58-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-59-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-60-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-61-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-62-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-63-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-64-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-65-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-66-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3264-67-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4012-30-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-29-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-52-0x00000000030D0000-0x000000000318E000-memory.dmp

Filesize
760KB

Download
memory/4012-53-0x0000000003190000-0x0000000003459000-memory.dmp

Filesize
2.8MB

Download
memory/4012-37-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-28-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4012-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4012-26-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-36-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-27-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-31-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-32-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-33-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-34-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4012-35-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/5012-51-0x0000020053F00000-0x0000020053F01000-memory.dmp

Filesize
4KB

Download
memory/5012-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/5012-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download