kpot | f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe
Size

1.7MB
MD5

5bca5e00493c3ae96fbc3b76d1d6d039
SHA1

dc797c1990a0c214aa1bd5b6240f1e4561061547
SHA256

f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781
SHA512

ae9b682216fc2c9c48137c40ac1cc3f0688c7eae26f39eba2256d1ea62793ba1621731ccb70d3b130bb54144f8531efe3388ea1aaa0fc1bd8e32f5117ee92c35
SSDEEP

24576:zQ5aILMCfmAUjzX6xQE4efQg3zNn+2jsvercPk9N4hVI3/BxL+XKHZjb//8ISgHa:E5aIwC+Agr6SqCPGC6HZkIT/cR

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233d2-20.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/428-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
Token: SeTcbPrivilege	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
428	f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe
3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 3420	428	f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe	82
PID 428 wrote to memory of 3420	428	f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe	82
PID 428 wrote to memory of 3420	428	f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe	82
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3420 wrote to memory of 2256	3420	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	85
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3984 wrote to memory of 1408	3984	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	96
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98
PID 3784 wrote to memory of 4416	3784	f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe
"C:\Users\Admin\AppData\Local\Temp\f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2256

C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1408

C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\f179d8c3ae93de0f498eecc2fc4cc0e42d99cc37fd0dd9cee329f3ba2d609891.exe

Filesize
1.7MB

MD5
5bca5e00493c3ae96fbc3b76d1d6d039

SHA1
dc797c1990a0c214aa1bd5b6240f1e4561061547

SHA256
f169d7c3ae83de0f497eecc2fc4cc0e42d89cc36fd0dd8cee328f3ba2d509781

SHA512
ae9b682216fc2c9c48137c40ac1cc3f0688c7eae26f39eba2256d1ea62793ba1621731ccb70d3b130bb54144f8531efe3388ea1aaa0fc1bd8e32f5117ee92c35

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
40KB

MD5
7f80bb869a13b3e8eb90a67cdc720d71

SHA1
01abd5fa4d55f8b27fe4259978938bc92172d70f

SHA256
48b460118c1641feb1843a2e9fc233dabb16f5159fdeb7d6bba4270fdf0269c1

SHA512
ad24e7a6a0695aed61e9d30ffecc543d8b287f57d8b5e043f2111b22af6ac9e78de951de0c673051bd91f0ddef2f8a137e6c96331d5672c36ca440306ae21f36

Download Submit
memory/428-14-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-13-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-15-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/428-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/428-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/428-12-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-11-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-10-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-9-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-8-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-7-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-6-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-5-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-3-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/428-2-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2256-51-0x000001B2158F0000-0x000001B2158F1000-memory.dmp

Filesize
4KB

Download
memory/2256-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3420-27-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-37-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-36-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-35-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-34-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-33-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-32-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-31-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-30-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-29-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-28-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-26-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3420-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3420-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3420-52-0x0000000003090000-0x000000000314E000-memory.dmp

Filesize
760KB

Download
memory/3420-53-0x0000000003190000-0x0000000003459000-memory.dmp

Filesize
2.8MB

Download
memory/3984-69-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-68-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-67-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-66-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-65-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-64-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-63-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-62-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-61-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-60-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-59-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-58-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3984-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3984-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download