kpot | 76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe
Size

1.0MB
MD5

2db5244491847dca25de6f13731585ae
SHA1

fdd0eae1c9a0739d69db5539fa1b0e3e2600a5f5
SHA256

76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4
SHA512

d2cc2d6f86190df9365087eca911eb3e30d0d00047bcb71ef2f9d263931281ca4e27486ee6a3a81f228760c1e49fa8735e72e9ab014cda14c654b0a5825680ac
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0Jphc:zQ5aILMCfmAUjzX6xQtjmssdqNYJuB

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002343a-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2144-15-0x0000000002200000-0x0000000002229000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
Token: SeTcbPrivilege	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2144	76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe
3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3320	2144	76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe	82
PID 2144 wrote to memory of 3320	2144	76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe	82
PID 2144 wrote to memory of 3320	2144	76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe	82
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 3320 wrote to memory of 384	3320	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	83
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 2400 wrote to memory of 3068	2400	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	93
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95
PID 1596 wrote to memory of 448	1596	87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe
"C:\Users\Admin\AppData\Local\Temp\76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:384

C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3068

C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\87921d7d0f69d01e308c0e8073149b291ce01af40f443e1244eb7406e82a1ab4.exe

Filesize
1.0MB

MD5
2db5244491847dca25de6f13731585ae

SHA1
fdd0eae1c9a0739d69db5539fa1b0e3e2600a5f5

SHA256
76821d6d0f58d01e307c0e7063148b291ce01af40f443e1244eb6405e72a1ab4

SHA512
d2cc2d6f86190df9365087eca911eb3e30d0d00047bcb71ef2f9d263931281ca4e27486ee6a3a81f228760c1e49fa8735e72e9ab014cda14c654b0a5825680ac

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
67KB

MD5
5d461d335203813a2851739ec003ff88

SHA1
a7c2bdac97274bd16a32313a5662f8ce3d9d4424

SHA256
c0157440d37f53308230a367ab0544d29a209f5e985fda6d00740c21a8854309

SHA512
3a67451c371fbc7efe38dc533b4fef87982e3d830610950180f0e111688f95a08c48e0d102d231da54a466ff81d6a1fb9d404cc683115a6fc729300cd387f8fc

Download Submit
memory/384-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/384-53-0x000001F27B3D0000-0x000001F27B3D1000-memory.dmp

Filesize
4KB

Download
memory/2144-8-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-12-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-11-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-9-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2144-15-0x0000000002200000-0x0000000002229000-memory.dmp

Filesize
164KB

Download
memory/2144-6-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-5-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-2-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2144-13-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-4-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2400-61-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-65-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-84-0x0000000001C00000-0x0000000001CBE000-memory.dmp

Filesize
760KB

Download
memory/2400-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2400-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2400-58-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-59-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-62-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-63-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-66-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-67-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-68-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-69-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-64-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2400-60-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3320-27-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-28-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-52-0x00000000031A0000-0x0000000003469000-memory.dmp

Filesize
2.8MB

Download
memory/3320-51-0x00000000030E0000-0x000000000319E000-memory.dmp

Filesize
760KB

Download
memory/3320-34-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-26-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-37-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3320-36-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-33-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3320-29-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-30-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-31-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-32-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3320-35-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download