kpot | 4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe
Size

1.0MB
MD5

553e844acc3061da138250d89712fdba
SHA1

6a7e12e880422c7d17368e13b3797ff334398347
SHA256

4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98
SHA512

480088c005ad42bfc55843765cd9a40344ef7e950a1f00be12abadf4dc267363302da31e950ae2049e14c719fcd0a06f028959240b87e057204ae34e17f04008
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0Jphs:zQ5aILMCfmAUjzX6xQtjmssdqmyE5YD

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233f1-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/232-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
Token: SeTcbPrivilege	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
232	4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe
4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4704	232	4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe	82
PID 232 wrote to memory of 4704	232	4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe	82
PID 232 wrote to memory of 4704	232	4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe	82
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 4704 wrote to memory of 3088	4704	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	83
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 1760 wrote to memory of 1680	1760	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	93
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95
PID 2076 wrote to memory of 5108	2076	4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe
"C:\Users\Admin\AppData\Local\Temp\4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3088

C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1680

C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\4fecad9ba7e278930a7ed8f7b1b2c12f916f2d8aa48a229de14a99b62c736e99.exe

Filesize
1.0MB

MD5
553e844acc3061da138250d89712fdba

SHA1
6a7e12e880422c7d17368e13b3797ff334398347

SHA256
4fecad9ba6e267930a6ed7f6b1b2c12f915f2d7aa47a229de14a89b52c635e98

SHA512
480088c005ad42bfc55843765cd9a40344ef7e950a1f00be12abadf4dc267363302da31e950ae2049e14c719fcd0a06f028959240b87e057204ae34e17f04008

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
55KB

MD5
6b0c6cda9659335cce939e43e24fb09c

SHA1
543a2c39b1e5d061a281e86c944eb7a157c35bd1

SHA256
9394c5763328372da956ba9a7cc3f0da2788da1f472ac213598cd3d6fb894710

SHA512
75287a4a06555d4db1b2c0bace2f9d7da8d5d07dc2c4d9740ea7e93fdc7082c188a8c19f33197c39567832755f3583ba1d1c30393fcca59b1706329e58fe7ff3

Download Submit
memory/232-14-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/232-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-2-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/232-3-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-8-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-5-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/232-13-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-12-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-11-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-10-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-9-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-6-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/232-7-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/1760-68-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-63-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1760-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1760-58-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-59-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-61-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-62-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-69-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-64-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-65-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-66-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-67-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3088-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3088-51-0x0000022CC9A40000-0x0000022CC9A41000-memory.dmp

Filesize
4KB

Download
memory/3088-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4704-29-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/4704-28-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/4704-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4704-26-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-27-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-36-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-30-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-31-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-32-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-33-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-34-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4704-35-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4704-37-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download