kpot | aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59

Analysis

max time kernel
138s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe
Size

1.2MB
MD5

14eed91bc3ae3923ae14c22bd7dc5440
SHA1

94515ef571e8053903c9b0921e5fefe6e56ad6f6
SHA256

aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59
SHA512

90317ab88d238bad3c1706cf3412074b4a7d2433a869b2d43de6288306bca0e093036a3f2764efa02088212584ebe9c24b877db3607fcd33ebe747736186de56
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sd8zG7u75+FmVf6IIwqEK9WHZ:E5aIwC+Agr6S/FEAGsjiIIoZ

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023401-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1424-15-0x00000000006D0000-0x00000000006F9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
Token: SeTcbPrivilege	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1424	aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe
864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 864	1424	aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe	84
PID 1424 wrote to memory of 864	1424	aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe	84
PID 1424 wrote to memory of 864	1424	aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe	84
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 864 wrote to memory of 1712	864	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	85
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2948 wrote to memory of 4156	2948	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	102
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111
PID 2464 wrote to memory of 4872	2464	aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe
"C:\Users\Admin\AppData\Local\Temp\aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1712

C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4156

C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\aea04197ebf66c8796d70b74e9f024c83699be9998e3b0893c040002376b1c69.exe

Filesize
1.2MB

MD5
14eed91bc3ae3923ae14c22bd7dc5440

SHA1
94515ef571e8053903c9b0921e5fefe6e56ad6f6

SHA256
aea04196ebf55c7685d60b64e9f024c73598be9897e3b0793c040002365b1c59

SHA512
90317ab88d238bad3c1706cf3412074b4a7d2433a869b2d43de6288306bca0e093036a3f2764efa02088212584ebe9c24b877db3607fcd33ebe747736186de56

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
32KB

MD5
b862b5a96f6d1d7d66fc6e5a50bc3b6b

SHA1
5f357fe924035931b25304e78138ba5d46c1c9fb

SHA256
c6b715c5cb394aad8dd5b12584df2182476f5519ea1833bde9734d6c6a7c33a2

SHA512
119483ff9370080461a28625147e356c81dc20dfe807bb8c2de3510fea29df23972eb7d81aecb4e3ca69b6fdf3a48fdac703a8c1fc143d421a632bd1eda3352f

Download Submit
memory/864-27-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-29-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-40-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/864-44-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/864-53-0x0000000003180000-0x0000000003449000-memory.dmp

Filesize
2.8MB

Download
memory/864-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/864-36-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-26-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-28-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-52-0x00000000030C0000-0x000000000317E000-memory.dmp

Filesize
760KB

Download
memory/864-30-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-32-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-33-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-34-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-35-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-31-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/864-37-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1424-6-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-13-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-4-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-11-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-8-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-9-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-5-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-15-0x00000000006D0000-0x00000000006F9000-memory.dmp

Filesize
164KB

Download
memory/1424-12-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1424-14-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-2-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1424-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1712-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1712-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1712-51-0x0000014F5DBD0000-0x0000014F5DBD1000-memory.dmp

Filesize
4KB

Download
memory/2948-63-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-61-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-66-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-65-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-64-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-68-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-62-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-67-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-60-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-59-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-58-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2948-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2948-69-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download