kpot | 89c60b82afbf0756ea95d7c13aa38ac57cf8f5e30f9b6c52f7c8b2aecb6ca76a

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe
Size

1.1MB
MD5

0e344c9e21a34872c00333e37372a6a0
SHA1

03485f15cfd96d90502a060e1c9ebc42499aa6f8
SHA256

89c60b82afbf0756ea95d7c13aa38ac57cf8f5e30f9b6c52f7c8b2aecb6ca76a
SHA512

de43bb5472d4dbce194f34975fd4e1da26358e226d3662498e498456a3e00e17fc0c6e2cebd2dd1a4f9116f6c62cf987ec6132f7297018764bf0711177be042d
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0JpPf:zQ5aILMCfmAUjzX6xQtjmssdqJih

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233b3-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2392-15-0x0000000002A60000-0x0000000002A89000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
Token: SeTcbPrivilege	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2392	0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe
4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4220	2392	0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe	83
PID 2392 wrote to memory of 4220	2392	0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe	83
PID 2392 wrote to memory of 4220	2392	0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe	83
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 4220 wrote to memory of 3932	4220	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	84
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 5096 wrote to memory of 3480	5096	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	98
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100
PID 4928 wrote to memory of 800	4928	0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e344c9e21a34872c00333e37372a6a0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3932

C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3480

C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\0e344c9e21a34982c00333e38382a7a0_NeikiAnalytict.exe

Filesize
1.1MB

MD5
0e344c9e21a34872c00333e37372a6a0

SHA1
03485f15cfd96d90502a060e1c9ebc42499aa6f8

SHA256
89c60b82afbf0756ea95d7c13aa38ac57cf8f5e30f9b6c52f7c8b2aecb6ca76a

SHA512
de43bb5472d4dbce194f34975fd4e1da26358e226d3662498e498456a3e00e17fc0c6e2cebd2dd1a4f9116f6c62cf987ec6132f7297018764bf0711177be042d

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
46KB

MD5
4574deca7012ccf1e9998fa78a9fa6e0

SHA1
a41ef1fd802557470c8fae3638545733e6f45a60

SHA256
19ad2ea32275475b0d890fdb50cde09d4d40c0cff18664a9cda9d25f73bf745e

SHA512
8d8ec8626e3657eb68034462a5daba0142d17532996fadc1655f211abedb4fd1af35bf9ccb338b58e1488af65a2fa6885a90a49153874e6e9e4b803a40d21ce8

Download Submit
memory/2392-14-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-13-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-15-0x0000000002A60000-0x0000000002A89000-memory.dmp

Filesize
164KB

Download
memory/2392-12-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-11-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-10-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-9-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-8-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-7-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-6-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-5-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-4-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-3-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-2-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2392-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2392-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3932-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3932-51-0x000001F8F5700000-0x000001F8F5701000-memory.dmp

Filesize
4KB

Download
memory/4220-37-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-36-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-35-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-34-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-33-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-32-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-31-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-30-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-29-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-28-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-27-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-26-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4220-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4220-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4220-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4220-52-0x00000000030C0000-0x000000000317E000-memory.dmp

Filesize
760KB

Download
memory/4220-53-0x0000000003180000-0x0000000003449000-memory.dmp

Filesize
2.8MB

Download
memory/5096-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5096-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/5096-69-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-68-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-67-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-66-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-65-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-64-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-63-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-62-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-61-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-60-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-59-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5096-58-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download