kpot | f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe
Size

1.1MB
MD5

e2033482b1fe8d03a3fb8a16a7c99134
SHA1

be42717d3bf76893aad0ffd3ecce1c534ff4ef83
SHA256

f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599
SHA512

f89f9e42703ae7a3034b4a0f87ce8b505b1751295a631c626462ba7323189d0bc6fa0a80c203a8201de82c58507722f11712ac9b647460bb2c265a694766aaf5
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0JphT:zQ5aILMCfmAUjzX6xQtjmssdqex/n

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023407-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1724-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
Token: SeTcbPrivilege	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1724	f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe
1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1852	1724	f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe	82
PID 1724 wrote to memory of 1852	1724	f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe	82
PID 1724 wrote to memory of 1852	1724	f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe	82
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1852 wrote to memory of 4380	1852	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	84
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 1092 wrote to memory of 1824	1092	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	96
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98
PID 4592 wrote to memory of 3148	4592	f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe
"C:\Users\Admin\AppData\Local\Temp\f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4380

C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1824

C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\f7874d9c3bdf43e83d269cb1e2963819a0f4d3c2ca1918f9b2639684a89b7699.exe

Filesize
1.1MB

MD5
e2033482b1fe8d03a3fb8a16a7c99134

SHA1
be42717d3bf76893aad0ffd3ecce1c534ff4ef83

SHA256
f6764d8c3bdf43e73d258cb1e2853719a0f4d3c2ca1917f8b2538574a79b6599

SHA512
f89f9e42703ae7a3034b4a0f87ce8b505b1751295a631c626462ba7323189d0bc6fa0a80c203a8201de82c58507722f11712ac9b647460bb2c265a694766aaf5

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
22KB

MD5
f95d1cd2f85b02311beb993f8a0a4d92

SHA1
d2fc5f5ac49538bf69104a96207ac81b6b7676da

SHA256
a83abdf42a6e30d7534b8264f0fb9eed378b6bf1dba3b86c6e3821092d65295c

SHA512
19d67a01b3dccf8718f52a79247788e1b4e40d53c6baa99370312ffbce1c82feeb99c3a9fa409ccb971b59d30ce4be3e621e880057a46d751584d264008d5f25

Download Submit
memory/1092-64-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-65-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-58-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-60-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-61-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-63-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-59-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1092-67-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-68-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-69-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1092-66-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1092-62-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1724-8-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-5-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-15-0x0000000002AC0000-0x0000000002AE9000-memory.dmp

Filesize
164KB

Download
memory/1724-10-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-14-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1724-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1724-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-12-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-11-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-9-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-4-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1724-6-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1852-32-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-33-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-36-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/1852-53-0x0000000003160000-0x0000000003429000-memory.dmp

Filesize
2.8MB

Download
memory/1852-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1852-26-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-27-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-28-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-29-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-30-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-31-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-37-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1852-34-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-35-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1852-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4380-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4380-51-0x000002377C920000-0x000002377C921000-memory.dmp

Filesize
4KB

Download
memory/4380-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download