kpot | 6fe8e8dbc6172e0e3ed76dba865035b711682482eae8bd22e833ae77240e2b4f

General

Target

6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe
Size

1.1MB
MD5

6b5a7896debd0fb5839936dfd1735e00
SHA1

4061d31c112a8af0a942acb78c57c92847e3e7bf
SHA256

6fe8e8dbc6172e0e3ed76dba865035b711682482eae8bd22e833ae77240e2b4f
SHA512

086adec939263d1fb8b86ac6dec8deb2f72062970b03403b3f4b74fe4efe4e6123f313313f5e9cfad8c9503a3ce0d0cc317a58b376a1e33dd462617b59d0f3b1
SSDEEP

12288:zJB0lh5aILwtFPCfmAUtFC6NXbv+GEBQqtGSsGa60C+4PMAQBnm46MoCBuu0JphZ:zQ5aILMCfmAUjzX6xQtjmssdqexO8

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2456-15-0x0000000002280000-0x00000000022A9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

pid	process
388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

description	pid	process
Token: SeTcbPrivilege	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
Token: SeTcbPrivilege	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

pid	process
2456	6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe
388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

description	pid	process	target process
PID 2456 wrote to memory of 388	2456	6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
PID 2456 wrote to memory of 388	2456	6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
PID 2456 wrote to memory of 388	2456	6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 388 wrote to memory of 1560	388	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 3944 wrote to memory of 5072	3944	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe
PID 1620 wrote to memory of 4416	1620	7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b5a7896debd0fb5839936dfd1735e00_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1560

C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:5072

C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\7b6a8997debd0fb6939937dfd1836e00_NeikiAnalytict.exe

Filesize
1.1MB

MD5
6b5a7896debd0fb5839936dfd1735e00

SHA1
4061d31c112a8af0a942acb78c57c92847e3e7bf

SHA256
6fe8e8dbc6172e0e3ed76dba865035b711682482eae8bd22e833ae77240e2b4f

SHA512
086adec939263d1fb8b86ac6dec8deb2f72062970b03403b3f4b74fe4efe4e6123f313313f5e9cfad8c9503a3ce0d0cc317a58b376a1e33dd462617b59d0f3b1

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
40KB

MD5
8f999340c9b70bc5085273caaa7e424b

SHA1
ca57248193f97a072cb4fdcd9aefaa4ba159e6c5

SHA256
ef4aaf4ed7e6116c2a4811016684e713b4258e7b9d34d75f8ad59afd54f76dd4

SHA512
16437a04b39fb6dc3986d6d92ec9ab62f5b80304fc2c58b09fafbfaf59cc35eb27abcfe32e6563379c1f4006a5f7f8daf21772c0fdb67e765b3d1d166ccb103c

Download Submit
memory/388-53-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/388-52-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/388-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/388-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1560-51-0x000001842AFC0000-0x000001842AFC1000-memory.dmp

Filesize
4KB

Download
memory/1560-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1560-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2456-5-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-14-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-3-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-2-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-15-0x0000000002280000-0x00000000022A9000-memory.dmp

Filesize
164KB

Download
memory/2456-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2456-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2456-13-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-6-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-7-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-8-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-9-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-10-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-11-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-12-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2456-4-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3944-69-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3944-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3944-67-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-66-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-65-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-64-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-63-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-62-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-61-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-60-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-59-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-58-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3944-68-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads