kpot | c7526127cf979072079ca0c0b7947c3b940e51ff3ee0523f265495e3c5cd5b07

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe
Size

1.1MB
MD5

3b68decb16adaccbcc59ec9b06f00c00
SHA1

aa61660802140f478968719940caa377ed0caf2e
SHA256

c7526127cf979072079ca0c0b7947c3b940e51ff3ee0523f265495e3c5cd5b07
SHA512

b5f90bcc6c77401aea2e4892393448f70b588e30e5c04e1d9d753e9f22b897f9bbaa66a4ec2d2a86b49cfd9f8401aac9876286c71f83e23e055f8848a45eb03b
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0Jphc:zQ5aILMCfmAUjzX6xQtjmssdq6Rm

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1916-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

pid	process
3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
Token: SeTcbPrivilege	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

pid	process
1916	3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe
3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1916 wrote to memory of 3844	1916	3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
PID 1916 wrote to memory of 3844	1916	3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
PID 1916 wrote to memory of 3844	1916	3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3844 wrote to memory of 2040	3844	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 3260 wrote to memory of 4132	3260	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe
PID 2252 wrote to memory of 1040	2252	3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b68decb16adaccbcc59ec9b06f00c00_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2040

C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4132

C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\3b79decb17adaccbcc69ec9b07f00c00_NeikiAnalytict.exe

Filesize
1.1MB

MD5
3b68decb16adaccbcc59ec9b06f00c00

SHA1
aa61660802140f478968719940caa377ed0caf2e

SHA256
c7526127cf979072079ca0c0b7947c3b940e51ff3ee0523f265495e3c5cd5b07

SHA512
b5f90bcc6c77401aea2e4892393448f70b588e30e5c04e1d9d753e9f22b897f9bbaa66a4ec2d2a86b49cfd9f8401aac9876286c71f83e23e055f8848a45eb03b

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
58KB

MD5
54887a10b82bf69b2e9c34a93394f2db

SHA1
43d13416d23ef232d71393a057326433b7d05773

SHA256
ed2945dd80ac066ed915d03cf63f5432ee3d597b933265f522e3f7762d80a3ae

SHA512
6560344ba08f34ef6795ac2f730a25ea806aba487821fd056a9616ec22962726fc88824b7a34554aafb878f0e0230abc57b1ea19f535cf156a81610317442605

Download Submit
memory/1916-10-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1916-2-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/1916-14-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-13-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-4-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-5-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-6-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-7-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-8-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-9-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1916-11-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1916-12-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2040-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2040-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2040-51-0x0000020BA6750000-0x0000020BA6751000-memory.dmp

Filesize
4KB

Download
memory/3260-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3260-71-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3260-58-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-59-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-60-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-61-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-62-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-63-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-64-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-65-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-66-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-67-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-68-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3260-69-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3844-33-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-34-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-52-0x0000000003070000-0x000000000312E000-memory.dmp

Filesize
760KB

Download
memory/3844-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3844-37-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-36-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-35-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-53-0x0000000003130000-0x00000000033F9000-memory.dmp

Filesize
2.8MB

Download
memory/3844-26-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-32-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-31-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-30-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-29-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-28-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-27-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3844-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download