kpot | 8c7eef20257c2ef7fd28198d093c559f741c5e2c9008ac803481104874c7897c

Analysis

max time kernel
135s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe
Size

1.4MB
MD5

7e4adfb6917649130c5523a4bf06f400
SHA1

8eb8a37d9032b17f940c33b77f375bf336fcca86
SHA256

8c7eef20257c2ef7fd28198d093c559f741c5e2c9008ac803481104874c7897c
SHA512

c48811d194373f1d8ea21696922b2825e0fdd533b9068adb86144a7bfc85af1ccf09f440381c45e52315b2774c4041045947db6d431de7fb017581c21967ccc4
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/oV:E5aIwC+Agr6tdlmU1/eoV

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023427-22.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2436-15-0x0000000002BC0000-0x0000000002BE9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
Token: SeTcbPrivilege	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2436	7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe
4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4528	2436	7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe	82
PID 2436 wrote to memory of 4528	2436	7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe	82
PID 2436 wrote to memory of 4528	2436	7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe	82
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 4528 wrote to memory of 896	4528	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	83
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 1872 wrote to memory of 3744	1872	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	96
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98
PID 3732 wrote to memory of 3848	3732	8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7e4adfb6917649130c5523a4bf06f400_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:896

C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3744

C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\8e4adfb7918749130c6623a4bf07f400_NeikiAnalytict.exe

Filesize
1.4MB

MD5
7e4adfb6917649130c5523a4bf06f400

SHA1
8eb8a37d9032b17f940c33b77f375bf336fcca86

SHA256
8c7eef20257c2ef7fd28198d093c559f741c5e2c9008ac803481104874c7897c

SHA512
c48811d194373f1d8ea21696922b2825e0fdd533b9068adb86144a7bfc85af1ccf09f440381c45e52315b2774c4041045947db6d431de7fb017581c21967ccc4

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
57KB

MD5
1fea92258fc5c9ea815f3855540a0390

SHA1
4f1afb34a04bda8e218426c4bb3449e9e70bcdc0

SHA256
b5bcde431f4f50ba199eb3641eadd18ac36b1c7d4fe9275bbf4ac8487a8b6b9d

SHA512
913c2194c00a1982827f9c0ff8d9bb448fcc1b2d2fd9c3a76f2db82c317a48e8c5c3f6f0cb510a29465dd3d30736ba553b6ee95a179547cbff64c4a47f0cdea3

Download Submit
memory/896-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/896-51-0x00000234C1670000-0x00000234C1671000-memory.dmp

Filesize
4KB

Download
memory/896-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1872-65-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-61-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-66-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-69-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-64-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-63-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-62-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-67-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-60-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-59-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-58-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-68-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1872-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1872-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2436-5-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-2-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-14-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-12-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-11-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2436-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2436-10-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-9-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-8-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-6-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-15-0x0000000002BC0000-0x0000000002BE9000-memory.dmp

Filesize
164KB

Download
memory/2436-4-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2436-3-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4528-26-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4528-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4528-33-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-37-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-36-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4528-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/4528-32-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-35-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-27-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-28-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-29-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-30-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-31-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4528-34-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download