kpot | 186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe
Size

1.3MB
MD5

0359f4837e843248e96a967edde37779
SHA1

e1dcb3d426b9284f78990b8d56627447bad1480a
SHA256

186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0
SHA512

5be6597570844df99d1ab43151ffdaa3793519fd8dde811aff211254421bdb2486f880110d8ed0ebe3df80b60717603821fa42f8568da98fdc1a0541d19d525a
SSDEEP

24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZNNVpr:E5aIwC+Agr6StYCNV

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023420-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/968-15-0x0000000002200000-0x0000000002229000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
Token: SeTcbPrivilege	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
968	186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe
368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 368	968	186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe	78
PID 968 wrote to memory of 368	968	186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe	78
PID 968 wrote to memory of 368	968	186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe	78
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 368 wrote to memory of 1492	368	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	79
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 628 wrote to memory of 2636	628	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	81
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83
PID 1760 wrote to memory of 1564	1760	197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe
"C:\Users\Admin\AppData\Local\Temp\186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1492

C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2636

C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\197bde94e02917a477db3bb188c8e222dd46ff79aae1a9f0097023fd02d61af0.exe

Filesize
1.3MB

MD5
0359f4837e843248e96a967edde37779

SHA1
e1dcb3d426b9284f78990b8d56627447bad1480a

SHA256
186bde84e02816a466db3bb177c7e222dd45ff68aae1a8f0096023fd02d51af0

SHA512
5be6597570844df99d1ab43151ffdaa3793519fd8dde811aff211254421bdb2486f880110d8ed0ebe3df80b60717603821fa42f8568da98fdc1a0541d19d525a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
67KB

MD5
7122edaa15a9bdafb9dfed28fe7d0ccb

SHA1
a6850f5002fde894772ab146b5e1b1b66eb90d69

SHA256
f51b36ed5dd55a6f3ecd2cca6be85410bae1c5198affbc69b69b722502d34ca4

SHA512
579dd75aabe35ea518e0aeef3d90cc2b831e1c484c7216814a02c4ebe224f037f42297837113a57626540ba0c8ebc5f72e539094bd4ba2fcd9d53ea2a8772553

Download Submit
memory/368-30-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-29-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/368-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/368-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/368-26-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-35-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-27-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-28-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-52-0x00000000030B0000-0x000000000316E000-memory.dmp

Filesize
760KB

Download
memory/368-31-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-32-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-33-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-34-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-53-0x0000000003170000-0x0000000003439000-memory.dmp

Filesize
2.8MB

Download
memory/368-36-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/368-37-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/628-59-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-61-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-73-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/628-72-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/628-60-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-58-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-63-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-65-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-66-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-68-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-69-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-67-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-64-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/628-62-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/968-8-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-11-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-13-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-5-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-6-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-3-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-15-0x0000000002200000-0x0000000002229000-memory.dmp

Filesize
164KB

Download
memory/968-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/968-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/968-9-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-2-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-7-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-12-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-14-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-10-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/968-4-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1492-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1492-51-0x0000022E93760000-0x0000022E93761000-memory.dmp

Filesize
4KB

Download