kpot | 4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe
Size

1.1MB
MD5

1aee717ecfeaae4a113f6d0a2e3209f1
SHA1

79ce52468b618b6e76aea967f1839ff7353609dc
SHA256

4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f
SHA512

c61c0f9134f14cad8ce89dc441d4e465cf10134dfc3112303e46de730646a8c4c563bf853470040b3f6ed52ea7618486e5e9ce789a40463c3ed0ada0483e672b
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/Zc9gger:E5aIwC+Agr6S/FFC+I

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023266-20.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4472-17-0x0000000002C10000-0x0000000002C39000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
Token: SeTcbPrivilege	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4472	4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe
1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 1208	4472	4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe	91
PID 4472 wrote to memory of 1208	4472	4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe	91
PID 4472 wrote to memory of 1208	4472	4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe	91
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 1208 wrote to memory of 3060	1208	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	92
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 2584 wrote to memory of 1536	2584	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	103
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105
PID 540 wrote to memory of 1772	540	4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe
"C:\Users\Admin\AppData\Local\Temp\4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3832

C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1536

C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\4629d2a094013ebaa2c3627e3a08e88a76a0494fee2dd76228d46ead01244e6f.exe

Filesize
1.1MB

MD5
1aee717ecfeaae4a113f6d0a2e3209f1

SHA1
79ce52468b618b6e76aea967f1839ff7353609dc

SHA256
4528d2a084013ebaa2c3526e3a07e77a65a0484fee2dd65227d45ead01244e5f

SHA512
c61c0f9134f14cad8ce89dc441d4e465cf10134dfc3112303e46de730646a8c4c563bf853470040b3f6ed52ea7618486e5e9ce789a40463c3ed0ada0483e672b

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
40KB

MD5
feaf2a60b6fe8730bc34b7f13b0f1be1

SHA1
06cfae61bf6c8d556dfb8b2d7242bc98c6656ef5

SHA256
8aa122dda9647833474604991314aa838cd55c4cfff311a54729a8101d65d96d

SHA512
f32b3a046accecb704844a532ec87698360841627abb3d2765ec900333af017a727834b0d9033ab4bdbcb00dc0c413f98bdbdfdd2d1edba9ebde45aef0c35a26

Download Submit
memory/1208-29-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-31-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1208-26-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-27-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-28-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1208-52-0x00000000030F0000-0x00000000031AE000-memory.dmp

Filesize
760KB

Download
memory/1208-32-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-33-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-34-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-35-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-36-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-37-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1208-53-0x00000000031B0000-0x0000000003479000-memory.dmp

Filesize
2.8MB

Download
memory/1208-30-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2584-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-58-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2584-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2584-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2584-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3060-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3060-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3060-51-0x0000020AAEDF0000-0x0000020AAEDF1000-memory.dmp

Filesize
4KB

Download
memory/4472-8-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-6-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-4-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-17-0x0000000002C10000-0x0000000002C39000-memory.dmp

Filesize
164KB

Download
memory/4472-10-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-9-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-11-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-12-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-3-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-7-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-2-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-14-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-13-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4472-15-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4472-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4472-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download