kpot | 62694bbe5ad0c4c86a70aa3b5b1040ce46f22d0a99dd24f888d26ca40963664c

Reason

Machine shutdown

General

Target

ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
Size

1.2MB
MD5

02c54b72e71ea65747180a14c84a2ca1
SHA1

0ff7516737a6790bbe4875a8a5c98fe20a1d1576
SHA256

ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95
SHA512

2aa8bfa5f1052a19247de879a1e3b14b81ffede11214ae047c3df4bf0477697a61c9392ed1cbab165ad682136db8ca23ab358a57223765e458fe079d4188b5e0
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sd8zG7u75+FmVf69AlRmRHJ:E5aIwC+Agr6S/FEAGsji6lRip

Score

10^/10

kpot trickbot banker discovery stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ad63-21.dat	family_kpot

Kpot family
kpot
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/3132-15-0x00000000024D0000-0x00000000024F9000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "135"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1092	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2020	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2020	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe
2020	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3132	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
2020	vlc.exe
5060	LogonUI.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4876	3132	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	81
PID 3132 wrote to memory of 4876	3132	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	81
PID 3132 wrote to memory of 4876	3132	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	81
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82
PID 4876 wrote to memory of 3984	4876	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
"C:\Users\Admin\AppData\Local\Temp\ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3984

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\SaveUpdate.reg"
1⤵
- Runs .reg file with regedit
PID:1092

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitLimit.mpeg2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a22855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Filesize
1.2MB

MD5
02c54b72e71ea65747180a14c84a2ca1

SHA1
0ff7516737a6790bbe4875a8a5c98fe20a1d1576

SHA256
ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95

SHA512
2aa8bfa5f1052a19247de879a1e3b14b81ffede11214ae047c3df4bf0477697a61c9392ed1cbab165ad682136db8ca23ab358a57223765e458fe079d4188b5e0

Download Submit
memory/2020-71-0x00007FF627830000-0x00007FF627928000-memory.dmp

Filesize
992KB

Download
memory/2020-72-0x00007FFEA9620000-0x00007FFEA9654000-memory.dmp

Filesize
208KB

Download
memory/2020-73-0x00007FFE943C0000-0x00007FFE94676000-memory.dmp

Filesize
2.7MB

Download
memory/2020-74-0x00007FFE93100000-0x00007FFE941B0000-memory.dmp

Filesize
16.7MB

Download
memory/3132-11-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-3-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-15-0x00000000024D0000-0x00000000024F9000-memory.dmp

Filesize
164KB

Download
memory/3132-6-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-9-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-8-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3132-7-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-5-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-13-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-2-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/3132-12-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-14-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-10-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3132-4-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3984-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3984-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3984-51-0x0000029DDD3C0000-0x0000029DDD3C1000-memory.dmp

Filesize
4KB

Download
memory/4876-34-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-29-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-28-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-27-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-26-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4876-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4876-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4876-30-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-31-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-32-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-52-0x0000000003160000-0x000000000321D000-memory.dmp

Filesize
756KB

Download
memory/4876-53-0x0000000003220000-0x0000000003594000-memory.dmp

Filesize
3.5MB

Download
memory/4876-33-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-35-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-36-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4876-37-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors