kpot | c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
Size

1.2MB
MD5

a75e5ec8cb970751e03e89715d9376dd
SHA1

757552baa41f16654dabeb2a0931ce27b65c4426
SHA256

c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd
SHA512

b9d35cd5fb15c42741e0e05f8e7bd99d17468ec4d36e3297e37edbe6162b84a23327d026b98d3279c354c0f3faa8735410fc342a8694dc1c5c820196139b9f5e
SSDEEP

24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZXM:E5aIwC+Agr6StYCXM

Score

10^/10

kpot trickbot banker discovery stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023472-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/5012-15-0x0000000002330000-0x0000000002359000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
Token: SeTcbPrivilege	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5012	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3372	5012	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe	82
PID 5012 wrote to memory of 3372	5012	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe	82
PID 5012 wrote to memory of 3372	5012	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe	82
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3372 wrote to memory of 2724	3372	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	83
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3132 wrote to memory of 3504	3132	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	94
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96
PID 3452 wrote to memory of 64	3452	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
"C:\Users\Admin\AppData\Local\Temp\c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2724

C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3504

C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Filesize
1.2MB

MD5
a75e5ec8cb970751e03e89715d9376dd

SHA1
757552baa41f16654dabeb2a0931ce27b65c4426

SHA256
c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd

SHA512
b9d35cd5fb15c42741e0e05f8e7bd99d17468ec4d36e3297e37edbe6162b84a23327d026b98d3279c354c0f3faa8735410fc342a8694dc1c5c820196139b9f5e

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
49KB

MD5
21d1ec8c22e80c6a214f4d8a4530310a

SHA1
064d26511e0776801c647724a32385ce4f561bf6

SHA256
047f70fc3a0f47f1ea14a284653dbc1da3c9c2490f2ebbe37ff5b35a4a06964e

SHA512
fa3f7a05fa22cf74cf85f026534f2a478bbb7482ae1c3da647642c85b7c1c4262c4b1abcaffb69cdc2dfd293e267f68a0805fbec03c9b423d3397e8cb5c64ee9

Download Submit
memory/2724-51-0x000002BB3FB60000-0x000002BB3FB61000-memory.dmp

Filesize
4KB

Download
memory/2724-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2724-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3132-62-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-66-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-61-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-71-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3132-63-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-64-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-65-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-70-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3132-67-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-68-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-69-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-60-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-59-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3132-58-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3372-34-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-52-0x0000000003120000-0x00000000031DE000-memory.dmp

Filesize
760KB

Download
memory/3372-26-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-36-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-35-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-53-0x00000000031E0000-0x00000000034A9000-memory.dmp

Filesize
2.8MB

Download
memory/3372-33-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3372-32-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3372-28-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-37-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-31-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-30-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-29-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3372-27-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/5012-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/5012-7-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-3-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-6-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-9-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-2-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-15-0x0000000002330000-0x0000000002359000-memory.dmp

Filesize
164KB

Download
memory/5012-8-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5012-14-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-11-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-12-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/5012-4-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download