kpot | 581ec1b78be5b92bb91c983eb262244f1c72fc17ada8636eedb111481c52343f

Analysis

max time kernel
137s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe
Size

1006KB
MD5

2aa56222ff77e317fda30ba69896e110
SHA1

ff370fe003ef351562d3dfa67f06b77fbfeeb962
SHA256

581ec1b78be5b92bb91c983eb262244f1c72fc17ada8636eedb111481c52343f
SHA512

17d3d1a4d8f5d3f75826f98605a1ccfcc85abd6ef50e1f75607467b8cf2daa8d794040e50a198702da5bfc2ce348e1d9f6bc68f167c5757070eaf405daf08b78
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEs1HzCHT4TlM9YmJ2Q97v54yRnkQgVfUt:zQ5aILMCfmAUjzX6T0TlOnvPyQCfM

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4192-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

pid	process
1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
Token: SeTcbPrivilege	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

pid	process
4192	2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe
1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4192 wrote to memory of 1456	4192	2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
PID 4192 wrote to memory of 1456	4192	2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
PID 4192 wrote to memory of 1456	4192	2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 1456 wrote to memory of 4876	1456	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3096 wrote to memory of 1992	3096	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe
PID 3164 wrote to memory of 4200	3164	2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2aa56222ff77e317fda30ba69896e110_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4876

C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1992

C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\2aa67222ff88e318fda30ba79997e110_NeikiAnalytict.exe

Filesize
1006KB

MD5
2aa56222ff77e317fda30ba69896e110

SHA1
ff370fe003ef351562d3dfa67f06b77fbfeeb962

SHA256
581ec1b78be5b92bb91c983eb262244f1c72fc17ada8636eedb111481c52343f

SHA512
17d3d1a4d8f5d3f75826f98605a1ccfcc85abd6ef50e1f75607467b8cf2daa8d794040e50a198702da5bfc2ce348e1d9f6bc68f167c5757070eaf405daf08b78

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
29KB

MD5
590b1d91e0fd2028960d89614a3f444c

SHA1
5a6dd222ed9f0e34dd5d387915a2c5fc306f1697

SHA256
cc14bd8a5ecce6d62f768f2530af72c228bb64a75fa34a15284af5ce9415fed8

SHA512
41c8ddad9a5cecbb4a5731394e23dfbfa66e58ce717de2fafa82a4f8bf62e23e28b3863918a668f17908162b427641959f779f1808f4e18513784aafc3891279

Download Submit
memory/1456-30-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-31-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-28-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-29-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-52-0x0000000003140000-0x0000000003409000-memory.dmp

Filesize
2.8MB

Download
memory/1456-51-0x0000000002B70000-0x0000000002C2E000-memory.dmp

Filesize
760KB

Download
memory/1456-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1456-27-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-32-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-33-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-34-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-35-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-36-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-37-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-26-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1456-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3096-63-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-69-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3096-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3096-58-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-59-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-61-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-62-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-64-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-65-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-66-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-67-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3096-68-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4192-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-11-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-5-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-2-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4192-4-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4192-14-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-7-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-8-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-13-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-12-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-15-0x0000000002AE0000-0x0000000002B09000-memory.dmp

Filesize
164KB

Download
memory/4192-10-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4192-9-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4876-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4876-53-0x000001B587D20000-0x000001B587D21000-memory.dmp

Filesize
4KB

Download
memory/4876-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download