kpot | 32c23609e72bd9fb8fab577d18ee7441c3dfb1c0ffaad8a16db8879e7c73bbd5

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe
Size

1.4MB
MD5

3a48c3e72a85863e52b4782b511a0840
SHA1

4794b16f61e21855b03717cdd1934ad6ab9566cf
SHA256

32c23609e72bd9fb8fab577d18ee7441c3dfb1c0ffaad8a16db8879e7c73bbd5
SHA512

ac6b03923f0c87122c52a9f206f834f65a976bf991e81600ea30de303f6b4bb2715a6719dda4aa055a665c30e34904c616492c646a8232d61c4b3e484e011f4a
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/ooQ:E5aIwC+Agr6tdlmU1/eod

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341d-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4536-15-0x0000000002220000-0x0000000002249000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
Token: SeTcbPrivilege	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe
3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3900	4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe	84
PID 4536 wrote to memory of 3900	4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe	84
PID 4536 wrote to memory of 3900	4536	3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe	84
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3900 wrote to memory of 2980	3900	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	85
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3196 wrote to memory of 2980	3196	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	103
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116
PID 3952 wrote to memory of 4800	3952	3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a48c3e72a85863e52b4782b511a0840_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2980

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2980

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\3a49c3e82a96973e62b4892b611a0940_NeikiAnalytict.exe

Filesize
1.4MB

MD5
3a48c3e72a85863e52b4782b511a0840

SHA1
4794b16f61e21855b03717cdd1934ad6ab9566cf

SHA256
32c23609e72bd9fb8fab577d18ee7441c3dfb1c0ffaad8a16db8879e7c73bbd5

SHA512
ac6b03923f0c87122c52a9f206f834f65a976bf991e81600ea30de303f6b4bb2715a6719dda4aa055a665c30e34904c616492c646a8232d61c4b3e484e011f4a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
42KB

MD5
7a6c113a0a569e63e097cca9d5f2f8de

SHA1
799ab4a7b4cce136239375c3536fb5dbd039b7c4

SHA256
7a4932c170c55f72706f3e298160fe6df5e0f224a6158bd8bd3943fb130cce79

SHA512
f4eb10521fee1e7b0fd91df07e7205bb58ac9cb747eb5baa6c210159c206fa8d0ab0038b77d7b91fa4edd0b27170263d22c4d72ac4133ab1e12a0c880da2a3c2

Download Submit
memory/2980-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2980-53-0x000002427FD80000-0x000002427FD81000-memory.dmp

Filesize
4KB

Download
memory/2980-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3196-63-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-59-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3196-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3196-58-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-61-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-62-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-64-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-65-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-66-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-68-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-69-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-67-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3196-60-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3900-37-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-35-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-34-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-33-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-32-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3900-36-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-51-0x00000000030F0000-0x00000000031AE000-memory.dmp

Filesize
760KB

Download
memory/3900-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3900-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3900-52-0x00000000031B0000-0x0000000003479000-memory.dmp

Filesize
2.8MB

Download
memory/3900-31-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-30-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-29-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-28-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-27-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3900-26-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/4536-15-0x0000000002220000-0x0000000002249000-memory.dmp

Filesize
164KB

Download
memory/4536-12-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4536-11-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4536-13-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-2-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-4-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-6-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-7-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-8-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-9-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-10-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4536-14-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download