kpot | 4a78768ec0773d008f88d9ee145c807812555977242cf5b0cf79d46427da29f6

General

Target

79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe
Size

1.1MB
MD5

79def490bc257c50acbd8d39ba3c3dd0
SHA1

0eecd42d71af1b81d8492586aee7d45cf668adef
SHA256

4a78768ec0773d008f88d9ee145c807812555977242cf5b0cf79d46427da29f6
SHA512

52083db0c2ddd9b3a4859acf2f45602fa2ed98003e379348cd07ecba89ddd26735a5febbc0de41f375c80d7918da89e21ec2c5b94e6f047afdb3207091f7558e
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/Zc9ggeS6X0zh/:E5aIwC+Agr6S/FFC+Hh/

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4988-15-0x0000000002AD0000-0x0000000002AF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

pid	process
456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
Token: SeTcbPrivilege	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

pid	process
4988	79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe
456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe

description	pid	process	target process
PID 4988 wrote to memory of 456	4988	79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
PID 4988 wrote to memory of 456	4988	79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
PID 4988 wrote to memory of 456	4988	79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 456 wrote to memory of 1404	456	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 1520 wrote to memory of 2068	1520	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe
PID 3624 wrote to memory of 2648	3624	89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79def490bc257c50acbd8d39ba3c3dd0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1404

C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2068

C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\89def490bc268c60acbd9d39ba3c3dd0_NeikiAnalytict.exe
Filesize
1.1MB

MD5
79def490bc257c50acbd8d39ba3c3dd0

SHA1
0eecd42d71af1b81d8492586aee7d45cf668adef

SHA256
4a78768ec0773d008f88d9ee145c807812555977242cf5b0cf79d46427da29f6

SHA512
52083db0c2ddd9b3a4859acf2f45602fa2ed98003e379348cd07ecba89ddd26735a5febbc0de41f375c80d7918da89e21ec2c5b94e6f047afdb3207091f7558e

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
67KB

MD5
54dc536a30527df907daebfc074f0ad0

SHA1
8dc8bfd3537798dcf1f55e75cd87de849d24ac7e

SHA256
9257f77982197cd5011caeea15dd55e9332c3bb5647e9373fb9e80efdf84350d

SHA512
910ee6d68896c3ff8576663f873349a96a4e6c25231d3affddc50ee4e05487724c2b0cd33e2960fb6177aae16f848cc241fb159257f4dc24e431d628bf76dd4b

Download Submit
memory/456-50-0x0000000003120000-0x00000000031DE000-memory.dmp

Filesize
760KB

Download
memory/456-26-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-53-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/456-27-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-28-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-29-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-30-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-31-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-51-0x00000000031E0000-0x00000000034A9000-memory.dmp

Filesize
2.8MB

Download
memory/456-33-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-34-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-25-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-32-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-35-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-39-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/456-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/456-36-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/456-40-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1404-45-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1404-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1404-54-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1404-52-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1520-69-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-67-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-70-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-79-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1520-73-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1520-59-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-68-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-61-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-62-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-63-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-64-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-65-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1520-66-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2068-87-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/2068-90-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4988-7-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-14-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-12-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-11-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-10-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-9-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-8-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-17-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/4988-6-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-4-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-15-0x0000000002AD0000-0x0000000002AF9000-memory.dmp

Filesize
164KB

Download
memory/4988-3-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-2-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4988-13-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads