kpot | 02102acc100b9f717d2aa3fb8a9a5357680bb3d42df731474ce10234354fefdf

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe
Size

1.4MB
MD5

8e5ff1a22955654aea692376feaa5f20
SHA1

6454581d591f6d3a144d1d1e95ce21e14eb5e502
SHA256

02102acc100b9f717d2aa3fb8a9a5357680bb3d42df731474ce10234354fefdf
SHA512

e9698fce960dd153077161089c57cc9d55c2d41b8b813a55ebabba9bf8fae99b04ad0890dc4c60482caa8c2571e3a7536697053db3da22e567e2b1817add296f
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/oUKs:E5aIwC+Agr6tdlmU1/eoM

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023442-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3444-15-0x0000000002A80000-0x0000000002AA9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
Token: SeTcbPrivilege	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3444	8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe
2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2732	3444	8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe	85
PID 3444 wrote to memory of 2732	3444	8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe	85
PID 3444 wrote to memory of 2732	3444	8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe	85
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 2732 wrote to memory of 2848	2732	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	86
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 3044 wrote to memory of 2924	3044	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	103
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112
PID 4748 wrote to memory of 4832	4748	9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e5ff1a22955654aea692376feaa5f20_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2848

C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2924

C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\9e6ff1a22966764aea792387feaa6f20_NeikiAnalytict.exe

Filesize
1.4MB

MD5
8e5ff1a22955654aea692376feaa5f20

SHA1
6454581d591f6d3a144d1d1e95ce21e14eb5e502

SHA256
02102acc100b9f717d2aa3fb8a9a5357680bb3d42df731474ce10234354fefdf

SHA512
e9698fce960dd153077161089c57cc9d55c2d41b8b813a55ebabba9bf8fae99b04ad0890dc4c60482caa8c2571e3a7536697053db3da22e567e2b1817add296f

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
38KB

MD5
b53041d92fa67ae9cec54884c02ed269

SHA1
fb2bf03273ab9ccf98019a010f9ea5a5b07b3143

SHA256
7d7401fdf77f67599e0b3e842a3ef214de9d2fb6858e2b1e122c90897ccc4113

SHA512
94ec338e7f5b59102cbdfccacf51c2d1a3cf48ad1f5976dd971707a0a512b5047e75e8a0b4a289a654252b5825aa9f0886d6de185913d1c96c4076205b70e113

Download Submit
memory/2732-36-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-32-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-26-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-27-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-28-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2732-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2732-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2732-31-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-52-0x00000000030D0000-0x000000000318E000-memory.dmp

Filesize
760KB

Download
memory/2732-33-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-34-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-35-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-37-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-53-0x0000000003190000-0x0000000003459000-memory.dmp

Filesize
2.8MB

Download
memory/2732-30-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2732-29-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2848-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2848-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2848-51-0x0000020DE59B0000-0x0000020DE59B1000-memory.dmp

Filesize
4KB

Download
memory/3044-68-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-63-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3044-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3044-59-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-60-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-61-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-62-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-64-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-65-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-66-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-67-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-69-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-58-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3444-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3444-5-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-10-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-14-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-9-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-8-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-11-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-7-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-12-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-6-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-3-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-4-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-2-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3444-15-0x0000000002A80000-0x0000000002AA9000-memory.dmp

Filesize
164KB

Download
memory/3444-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3444-13-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download