kpot | 52350936a08be514f83eaaead34623358b61a368d8c331b03f757ac24c821706

General

Target

87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe
Size

1.4MB
MD5

87539b262882915ee5e8b863fccea410
SHA1

1588f339647b7603b2418b05a80aab334f75e89d
SHA256

52350936a08be514f83eaaead34623358b61a368d8c331b03f757ac24c821706
SHA512

d0da8dad1a8ba392bb5c5b92d37e511efac91469c83c9373b750d6484d8ab8d0b88d536da62e4dc093fef939ed39cca5f7d4fecca076f7e9d0fb588919a504e3
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/o4E:E5aIwC+Agr6tdlmU1/eo4E

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/5024-16-0x0000000002FE0000-0x0000000003009000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

pid	process
764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
Token: SeTcbPrivilege	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

pid	process
5024	87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe
764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe

description	pid	process	target process
PID 5024 wrote to memory of 764	5024	87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
PID 5024 wrote to memory of 764	5024	87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
PID 5024 wrote to memory of 764	5024	87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 764 wrote to memory of 1888	764	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 5044 wrote to memory of 4896	5044	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe
PID 3892 wrote to memory of 4284	3892	98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\87539b262882915ee5e8b863fccea410_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
1⤵
PID:4024

C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4896

C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\98639b272992916ee6e9b973fccea410_NeikiAnalytict.exe
Filesize
1.4MB

MD5
87539b262882915ee5e8b863fccea410

SHA1
1588f339647b7603b2418b05a80aab334f75e89d

SHA256
52350936a08be514f83eaaead34623358b61a368d8c331b03f757ac24c821706

SHA512
d0da8dad1a8ba392bb5c5b92d37e511efac91469c83c9373b750d6484d8ab8d0b88d536da62e4dc093fef939ed39cca5f7d4fecca076f7e9d0fb588919a504e3

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
53KB

MD5
54cd280e6cb9d28ff2011f5eb7179328

SHA1
0264ff0b9d684100b5ffea5c6fd29fc174362257

SHA256
03591de35fea30ce7a2f1401448a56e1b102ffb50bd8d83b59242bba70d87bba

SHA512
b4654eb24887fcd092e0c762900d4d8d0f69d96146db420ff11ccc233bb2a6d2d1954232bfdbb12d4acb2e9f229d98edebd0d211508f294eb2378efb036182d4

Download Submit
memory/764-33-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-53-0x0000000003180000-0x0000000003449000-memory.dmp

Filesize
2.8MB

Download
memory/764-26-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-27-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-28-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-29-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/764-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/764-36-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-52-0x00000000030C0000-0x000000000317E000-memory.dmp

Filesize
760KB

Download
memory/764-30-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-31-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-32-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-35-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-34-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/764-37-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1888-51-0x00000183DCEA0000-0x00000183DCEA1000-memory.dmp

Filesize
4KB

Download
memory/1888-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1888-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/5024-7-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-9-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-4-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-6-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-8-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-14-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-10-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5024-11-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-12-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-13-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5024-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/5024-16-0x0000000002FE0000-0x0000000003009000-memory.dmp

Filesize
164KB

Download
memory/5024-2-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5044-69-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-67-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-66-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-65-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-64-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-63-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-62-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-61-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-60-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-59-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-58-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/5044-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/5044-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5044-68-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads