kpot | 49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1

Analysis

max time kernel
136s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe
Size

1.1MB
MD5

690363b61f68563389ca8db1ca785af0
SHA1

74bdc9e31586b2cb576d3eaa1a8b0de372ca8d12
SHA256

49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1
SHA512

41d415388a67e857c80df205ba7337d51a03aa77de87f3ad51f3f77f53b39ce033d2e5176762fedf3671da8fe3c2d84535514aadb8a2ea39f1740640dce9d6ee
SSDEEP

24576:zQ5aILMCfmAUjzX6xQ0+wCIygDsAUSTsU9+oSAkg:E5aIwC+Agr6SNasr7g

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233ef-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2784-15-0x0000000002160000-0x0000000002189000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
Token: SeTcbPrivilege	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2784	49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe
1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1980	2784	49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe	82
PID 2784 wrote to memory of 1980	2784	49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe	82
PID 2784 wrote to memory of 1980	2784	49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe	82
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 1980 wrote to memory of 4092	1980	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	84
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 4172 wrote to memory of 1240	4172	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	95
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97
PID 2712 wrote to memory of 4428	2712	49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe
"C:\Users\Admin\AppData\Local\Temp\49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4092

C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1240

C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\49b429ce66f8721d748993484af1c662bc1c6a3800397084c67e8cc92001c4d1.exe

Filesize
1.1MB

MD5
690363b61f68563389ca8db1ca785af0

SHA1
74bdc9e31586b2cb576d3eaa1a8b0de372ca8d12

SHA256
49b429ce55f7621d647983474af1c552bc1c5a3700386074c56e7cc92001c4d1

SHA512
41d415388a67e857c80df205ba7337d51a03aa77de87f3ad51f3f77f53b39ce033d2e5176762fedf3671da8fe3c2d84535514aadb8a2ea39f1740640dce9d6ee

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
57KB

MD5
251e40366e5084d10ee2f0ca8c07bed1

SHA1
6bb3474348f9355600ddf7c2e1d43f5deb40fc62

SHA256
48f09e4503a0dc3818879a1e7630fd38c44da574bcb84cf34fcf78c2ee3c3bf7

SHA512
f07ea1dd42d459cae2099577b146821880cc4e70866ee36332f971df67f0f78e936c47dccdbb2ceaa7b988a9f7c1741aba37d0072112195d092bb83f6a8633d4

Download Submit
memory/1980-27-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-30-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1980-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1980-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1980-26-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-35-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-28-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-29-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1980-31-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-32-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-33-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-34-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/1980-37-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-36-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2784-8-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-11-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2784-15-0x0000000002160000-0x0000000002189000-memory.dmp

Filesize
164KB

Download
memory/2784-14-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-10-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-9-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-7-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-6-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-5-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-4-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-3-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-2-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-13-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-12-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2784-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4092-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4092-51-0x000001F2AB520000-0x000001F2AB521000-memory.dmp

Filesize
4KB

Download
memory/4172-62-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-61-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-66-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-65-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-64-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-63-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-68-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-67-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-60-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-59-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/4172-58-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4172-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4172-69-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download