kpot | 32c23609e72bd9fb8fab577d18ee7441c3dfb1c0ffaad8a16db8879e7c73bbd5

General

Target

3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe
Size

1.4MB
MD5

3a48c3e72a85863e52b4782b511a0840
SHA1

4794b16f61e21855b03717cdd1934ad6ab9566cf
SHA256

32c23609e72bd9fb8fab577d18ee7441c3dfb1c0ffaad8a16db8879e7c73bbd5
SHA512

ac6b03923f0c87122c52a9f206f834f65a976bf991e81600ea30de303f6b4bb2715a6719dda4aa055a665c30e34904c616492c646a8232d61c4b3e484e011f4a
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/ooQ:E5aIwC+Agr6tdlmU1/eod

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4536-15-0x0000000002220000-0x0000000002249000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

pid	process
3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
Token: SeTcbPrivilege	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

pid	process
4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe
3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

description	pid	process	target process
PID 4536 wrote to memory of 3900	4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
PID 4536 wrote to memory of 3900	4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
PID 4536 wrote to memory of 3900	4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2980

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2980

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
Filesize
1.4MB

MD5
3a48c3e72a85863e52b4782b511a0840

SHA1
4794b16f61e21855b03717cdd1934ad6ab9566cf

SHA256
32c23609e72bd9fb8fab577d18ee7441c3dfb1c0ffaad8a16db8879e7c73bbd5

SHA512
ac6b03923f0c87122c52a9f206f834f65a976bf991e81600ea30de303f6b4bb2715a6719dda4aa055a665c30e34904c616492c646a8232d61c4b3e484e011f4a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
42KB

MD5
7a6c113a0a569e63e097cca9d5f2f8de

SHA1
799ab4a7b4cce136239375c3536fb5dbd039b7c4

SHA256
7a4932c170c55f72706f3e298160fe6df5e0f224a6158bd8bd3943fb130cce79

SHA512
f4eb10521fee1e7b0fd91df07e7205bb58ac9cb747eb5baa6c210159c206fa8d0ab0038b77d7b91fa4edd0b27170263d22c4d72ac4133ab1e12a0c880da2a3c2

Download Submit
memory/2980-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2980-53-0x000002427FD80000-0x000002427FD81000-memory.dmp

Filesize
4KB

Download
memory/2980-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3196-63-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3196-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3196-58-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-61-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-64-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-65-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-66-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-68-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-69-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-67-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-60-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-59-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-62-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3900-37-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-52-0x00000000031B0000-0x0000000003479000-memory.dmp

Filesize
2.8MB

Download
memory/3900-34-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-33-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-32-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3900-35-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-51-0x00000000030F0000-0x00000000031AE000-memory.dmp

Filesize
760KB

Download
memory/3900-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3900-36-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-29-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-31-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-30-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3900-28-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-27-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-26-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/4536-6-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-4-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-13-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-11-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4536-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-12-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-2-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-7-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4536-8-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-9-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-10-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-15-0x0000000002220000-0x0000000002249000-memory.dmp

Filesize
164KB

Download
memory/4536-14-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads