kpot | c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd

Resubmissions

08-10-2024 04:56

241008-fk1g4szdlr 10

29-09-2024 13:09

240929-qeaplswakm 10

Analysis

max time kernel
33s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
Size

1.2MB
MD5

a75e5ec8cb970751e03e89715d9376dd
SHA1

757552baa41f16654dabeb2a0931ce27b65c4426
SHA256

c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd
SHA512

b9d35cd5fb15c42741e0e05f8e7bd99d17468ec4d36e3297e37edbe6162b84a23327d026b98d3279c354c0f3faa8735410fc342a8694dc1c5c820196139b9f5e
SSDEEP

24576:zQ5aILMCfmAUjzX6xQtjmssdqex1hl+dZXM:E5aIwC+Agr6StYCXM

Score

10^/10

kpot trickbot banker discovery stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c7d-21.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2352-15-0x0000000002FC0000-0x0000000002FE9000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2352	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3924	2352	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe	85
PID 2352 wrote to memory of 3924	2352	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe	85
PID 2352 wrote to memory of 3924	2352	c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe	85
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86
PID 3924 wrote to memory of 3540	3924	c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe
"C:\Users\Admin\AppData\Local\Temp\c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\c78862926827fbb0bde89731f71689a1a94a049cae434a922e23dfe790ac11cd.exe

Filesize
1.2MB

MD5
a75e5ec8cb970751e03e89715d9376dd

SHA1
757552baa41f16654dabeb2a0931ce27b65c4426

SHA256
c67752825726fbb0bde78631f61578a1a84a048cae434a822e23dfe680ac11cd

SHA512
b9d35cd5fb15c42741e0e05f8e7bd99d17468ec4d36e3297e37edbe6162b84a23327d026b98d3279c354c0f3faa8735410fc342a8694dc1c5c820196139b9f5e

Download Submit
C:\Users\Admin\Desktop\EnterRepair.xltm

Filesize
319KB

MD5
ba3c184aa3132b4f1bf93bac02312194

SHA1
277f2aa415e99bc87500268359ddebd859023b6d

SHA256
23f7e1d67f330ca98957d7813e5344cc3dde4e7faf8d46fcb3df51cd4cd65459

SHA512
4ddefe785c06e7d2f863d8576dda4b2fdaf7ae25d3a59dd2036ebf6067484e4f4afa225b533c6a68d996472f27fbb98afbf167b9ec97e57d9401f9fb22bde873

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
a5cf7a2aa849e00f7fd0d5a4a0ce9d6e

SHA1
70209744e4736fa6835201e9600d73e852f773b9

SHA256
bf7e3011458308fc1d0998694d276abf22873db580b312d509e56c4bab7ff6ef

SHA512
5126747cbf47aec3fd93be85331d3f21c586e6a480ee160eab8bbadea2149879f3cdcd7fb76892af3d01f63079d3b29ee5a5af723ed1114a255fe4f0c70409fd

Download Submit
C:\Users\Admin\Desktop\RestoreResize.vsdx

Filesize
332KB

MD5
f34462739b0bfa9d0abf4b70d0315f8d

SHA1
cb3ff25d4650cf8ba09859ea30a70768f529d69c

SHA256
d8b9c5262af35926b04c10842ff9eda8d5e11767daed270f61c29bfc10e76e0f

SHA512
9fb21023ae3485f74501b07b5e826f6338e8e06a6232613530749bcbaa3274309f47c2b8cef788e04b4bb707ea49e942fe60ba24743d6511021fb5a7fef37dec

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
28cfd7e341c27be247dfd17c526c873b

SHA1
a2c7aa1983caf1f8004fc75ce86a419963d356ac

SHA256
386206a3feda91f77a582491e2d3ca6d40832abe269d92c1fa8424b71c718cd3

SHA512
46d1d571ea0380923983e353fdd38ce78bfd77b58ff4aa5d336d59be7acfa0167c1250e0dcda64cc6bd42790a5d15dded2b854425632503a742b078b36e48568

Download Submit
memory/2352-11-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-2-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-10-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-9-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-4-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-8-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-7-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-6-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-5-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-14-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2352-12-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-15-0x0000000002FC0000-0x0000000002FE9000-memory.dmp

Filesize
164KB

Download
memory/2352-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2352-13-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2352-3-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/3540-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3540-51-0x000001C166C20000-0x000001C166C21000-memory.dmp

Filesize
4KB

Download
memory/3540-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3924-27-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-37-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3924-36-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-34-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-35-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3924-31-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-33-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-32-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-52-0x0000000003050000-0x000000000310E000-memory.dmp

Filesize
760KB

Download
memory/3924-53-0x0000000003150000-0x0000000003419000-memory.dmp

Filesize
2.8MB

Download
memory/3924-26-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-28-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-29-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3924-30-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download