kpot | 0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe
Size

1011KB
MD5

7ba202c9d9582461d635b342d7e83e41
SHA1

fafb22cbe699c6090a44ddf78ef082ade1b2d498
SHA256

0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14
SHA512

8cc2c5a9b456303db9760c840fe844a29788d82bfb906743d1a3f4b4068a7337ec5b9918bf9a2b21072e2bca001de708ae5914c29b824f39f21fef5317265a6f
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0Jphr:zQ5aILMCfmAUjzX6xQtjmssdqg

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/672-15-0x0000000002930000-0x0000000002959000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

pid	process
1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

description	pid	process
Token: SeTcbPrivilege	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
Token: SeTcbPrivilege	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

pid	process
672	0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe
1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 672 wrote to memory of 1808	672	0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
PID 672 wrote to memory of 1808	672	0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
PID 672 wrote to memory of 1808	672	0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 1808 wrote to memory of 1236	1808	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 3380 wrote to memory of 1584	3380	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe
PID 2696 wrote to memory of 672	2696	0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe
"C:\Users\Admin\AppData\Local\Temp\0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1236

C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1584

C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\0dedcc2d899949f60fffdbc49182799b698321f9af29da373030cb27b93e8e14.exe

Filesize
1011KB

MD5
7ba202c9d9582461d635b342d7e83e41

SHA1
fafb22cbe699c6090a44ddf78ef082ade1b2d498

SHA256
0dedcc2d798848f50fffdbc49172689b587321f9af29da363030cb26b83e7e14

SHA512
8cc2c5a9b456303db9760c840fe844a29788d82bfb906743d1a3f4b4068a7337ec5b9918bf9a2b21072e2bca001de708ae5914c29b824f39f21fef5317265a6f

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
25KB

MD5
7d61dc8632a71479f1c983b5e8713e91

SHA1
b21c98a51dffe9ecaeb5f5da4600f9b6dd04aacf

SHA256
a6ee7997b43d8b3a0a2ecaf948f2ca758be21fec15380b491d389948169d09cc

SHA512
b8bdfca6278898a68e4e2b7140b9205bd9106b817ba66ef4b0503eae64beaa9a71c0fd536e175db390447ade74a7b27feea664f839dcdcec0d8b7970477bb66c

Download Submit
memory/672-8-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/672-13-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-12-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-11-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-10-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-9-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/672-6-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/672-15-0x0000000002930000-0x0000000002959000-memory.dmp

Filesize
164KB

Download
memory/672-14-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1236-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1236-51-0x00000210070D0000-0x00000210070D1000-memory.dmp

Filesize
4KB

Download
memory/1236-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1808-35-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-53-0x00000000031D0000-0x0000000003499000-memory.dmp

Filesize
2.8MB

Download
memory/1808-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1808-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1808-31-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-27-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-32-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-33-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1808-26-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-28-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-29-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-30-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-34-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-52-0x0000000003110000-0x00000000031CE000-memory.dmp

Filesize
760KB

Download
memory/1808-36-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1808-37-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3380-66-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-61-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-64-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-67-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-69-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-68-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-62-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-58-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-60-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-63-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-65-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3380-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3380-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3380-59-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download