kpot | 4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe
Size

1.5MB
MD5

34fc400c62b2218cc536b3e2104d3085
SHA1

02cf6b268ad52001119b41f4a4bfb867c67238a4
SHA256

4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850
SHA512

f6d4d280fd7eac9789afc4743241272db745fdd5d61d4d4c8bf2778b2accd9b1814dcd6efb1ed6caf977ffe8969f97fc4b301d89a50b843941e051978d898c4d
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/okoOdH:E5aIwC+Agr6tdlmU1/eohQ

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002342a-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4764-15-0x0000000002FF0000-0x0000000003019000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
Token: SeTcbPrivilege	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4764	4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe
4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4000	4764	4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe	83
PID 4764 wrote to memory of 4000	4764	4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe	83
PID 4764 wrote to memory of 4000	4764	4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe	83
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 4000 wrote to memory of 4324	4000	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	84
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 1800 wrote to memory of 2224	1800	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	98
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108
PID 2712 wrote to memory of 3832	2712	4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe
"C:\Users\Admin\AppData\Local\Temp\4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4324

C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2224

C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\4d23b70ec49e9f7fac3efacc26f6989f0d4ec2fbdd4410f17796f9e2d9930960.exe

Filesize
1.5MB

MD5
34fc400c62b2218cc536b3e2104d3085

SHA1
02cf6b268ad52001119b41f4a4bfb867c67238a4

SHA256
4d23b60ec48e9f6fac3efacc25f5978f0d4ec2fbdd4410f16685f8e2d8830850

SHA512
f6d4d280fd7eac9789afc4743241272db745fdd5d61d4d4c8bf2778b2accd9b1814dcd6efb1ed6caf977ffe8969f97fc4b301d89a50b843941e051978d898c4d

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
25KB

MD5
ac91ec356828c9e143410fb04735ddfb

SHA1
03583f9b292df2b7a40e82cad8a696671296d8ee

SHA256
2367dd05efcefa5d229bd45dfa62b772666905fb3e5e11d0ab3aa702617c2bab

SHA512
a0b074dd2e46940f9ca73ef88db7b08f55534dd86f1d9ed419187a7d84079e335c0ba3872b356d8358e79b35f418e451051c0e8d517514f5853687eec29549b0

Download Submit
memory/1800-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1800-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1800-58-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-59-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-61-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-62-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-63-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-64-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-65-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-66-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-67-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-68-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1800-69-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4000-32-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-37-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-36-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4000-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4000-35-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-34-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-33-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-53-0x00000000031B0000-0x0000000003479000-memory.dmp

Filesize
2.8MB

Download
memory/4000-31-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-30-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-29-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-28-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-27-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-26-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4000-52-0x00000000030F0000-0x00000000031AE000-memory.dmp

Filesize
760KB

Download
memory/4324-51-0x000001DDB5F60000-0x000001DDB5F61000-memory.dmp

Filesize
4KB

Download
memory/4324-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4324-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4764-11-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-12-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-7-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-5-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-9-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-10-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-4-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-6-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-13-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4764-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4764-15-0x0000000002FF0000-0x0000000003019000-memory.dmp

Filesize
164KB

Download
memory/4764-14-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-8-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-2-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4764-3-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download