kpot | 2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16

Analysis

max time kernel
135s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe
Size

1.3MB
MD5

4fce9750489bad1288f98987d06b252f
SHA1

6d74e9efdd1965525d93b7291200688c9ba82f4d
SHA256

2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16
SHA512

e076d5b5cd0db969d5d15905d33f1079f63bac0031a742ba80327f648643ba73e1d2c9cd617f6be660590d21fb73fee1d0be5b62c2e45b146b52cf510d6f5544
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1SdrzRjVYaQ/n2lbcMfcz5l8ut:E5aIwC+Agr6S/FYqOc2ZE

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233f3-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/712-15-0x00000000029D0000-0x00000000029F9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
Token: SeTcbPrivilege	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
712	2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe
3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 3432	712	2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe	82
PID 712 wrote to memory of 3432	712	2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe	82
PID 712 wrote to memory of 3432	712	2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe	82
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 3432 wrote to memory of 1508	3432	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	83
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 2684 wrote to memory of 4408	2684	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	103
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112
PID 4968 wrote to memory of 4468	4968	2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe
"C:\Users\Admin\AppData\Local\Temp\2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:712
- C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1508

C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4408

C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\2ad21f6d7f2a3d9f979f00972b96e7b19aaf13e932c00bcc14acf068187d1e17.exe

Filesize
1.3MB

MD5
4fce9750489bad1288f98987d06b252f

SHA1
6d74e9efdd1965525d93b7291200688c9ba82f4d

SHA256
2ad21f5d6f2a3d8f969f00962b95e6b19aaf13e932c00bcc14acf057176d1e16

SHA512
e076d5b5cd0db969d5d15905d33f1079f63bac0031a742ba80327f648643ba73e1d2c9cd617f6be660590d21fb73fee1d0be5b62c2e45b146b52cf510d6f5544

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
25KB

MD5
60d4667c8776d87f2cbd6fb9f11f94e4

SHA1
c5277ca91e4415be1c9c28296194f3bbf29f6247

SHA256
dbf0af03d86185cc6e321e7e417e7bda7f4e92d79f7f7d38ecdc808f22e3b4c1

SHA512
6a2dae9a8007612655aaa4c290947e1707937d28e80ce4df3e06a75fed9f43d1e5073d9faba66c757643ce2317f2df8c93776a2f0f59019d1a3469111013afe9

Download Submit
memory/712-7-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-6-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-15-0x00000000029D0000-0x00000000029F9000-memory.dmp

Filesize
164KB

Download
memory/712-10-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/712-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/712-9-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-8-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-14-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-11-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-5-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-4-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-3-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-2-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-13-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/712-12-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1508-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1508-51-0x000001F0F0C30000-0x000001F0F0C31000-memory.dmp

Filesize
4KB

Download
memory/2684-61-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2684-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2684-58-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-59-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-62-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-63-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-64-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-65-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-66-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-67-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-69-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2684-68-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3432-28-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-34-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/3432-37-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3432-36-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3432-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3432-27-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/3432-32-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-26-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-29-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-30-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-31-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-33-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3432-35-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download