kpot | 162be35289daca8688df1a6465ea52fb5d2b97ed09f08cc718977384ab5a6e6f

General

Target

4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe
Size

1.2MB
MD5

4052f1234ba1347a9b19b4e118b2a120
SHA1

99b87ea06a5fb21426f7209ac8962a7ed10c33f0
SHA256

162be35289daca8688df1a6465ea52fb5d2b97ed09f08cc718977384ab5a6e6f
SHA512

ff0212748ad6ac013bd4bb70f02cfd333efbd66777262aa34afb9e00d890f0a343227e3d2cb517d2c08ec327ad51231c07a7a47f6d87a2f5440c7c6d06d0f053
SSDEEP

24576:zQ5aILMCfmAUjzX6xQE4efQg3zNn+2jsvercPk9N4hVI3/TQyFqsM:E5aIwC+Agr6SqCPGvTTM

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1160-15-0x0000000002A50000-0x0000000002A79000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

pid	process
4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
Token: SeTcbPrivilege	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

pid	process
1160	4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe
4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe

description	pid	process	target process
PID 1160 wrote to memory of 4012	1160	4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
PID 1160 wrote to memory of 4012	1160	4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
PID 1160 wrote to memory of 4012	1160	4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4012 wrote to memory of 4700	4012	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 312 wrote to memory of 3224	312	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe
PID 4280 wrote to memory of 1240	4280	4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4052f1234ba1347a9b19b4e118b2a120_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4700

C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3224

C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\4062f1234ba1348a9b19b4e119b2a120_NeikiAnalytict.exe
Filesize
1.2MB

MD5
4052f1234ba1347a9b19b4e118b2a120

SHA1
99b87ea06a5fb21426f7209ac8962a7ed10c33f0

SHA256
162be35289daca8688df1a6465ea52fb5d2b97ed09f08cc718977384ab5a6e6f

SHA512
ff0212748ad6ac013bd4bb70f02cfd333efbd66777262aa34afb9e00d890f0a343227e3d2cb517d2c08ec327ad51231c07a7a47f6d87a2f5440c7c6d06d0f053

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini
Filesize
25KB

MD5
b5ce2eae07b523a197946f5b8881ea52

SHA1
cb0ef6abf0891f65dd8bee60335c85803387fa33

SHA256
bcd0f8013bafd9559df534be45157d126ee95ed3ea2f313e3321cd9a56b0923e

SHA512
345937a2ea909a124db99cbfde9179d27274bce5b69796d6027676ee0e9396b44528ef50c47d2286c795509df88fd3f1dbe53972879ae0c7c70224ebfe424ec2

Download Submit
memory/312-61-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-62-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/312-58-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-59-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-60-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-69-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/312-63-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-64-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-65-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-66-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-67-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-68-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/312-84-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1160-15-0x0000000002A50000-0x0000000002A79000-memory.dmp

Filesize
164KB

Download
memory/1160-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1160-14-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-13-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-6-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-12-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-11-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-10-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-9-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-8-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-7-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-5-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-4-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-2-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-3-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1160-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4012-28-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-30-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4012-37-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4012-35-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-34-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4012-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4012-26-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-27-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-36-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-29-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4012-31-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-32-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4012-33-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4700-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4700-51-0x000002EE08A90000-0x000002EE08A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads