Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
09-03-2024 13:18
General
-
Target
KeePass-2.56-Setup.exe
-
Size
4.2MB
-
MD5
86a0d58d2ae89c639d940dbda48308df
-
SHA1
1280f427d149a8c5ca797a9ea29e711a3fa2b5ef
-
SHA256
92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef
-
SHA512
9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a
-
SSDEEP
98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 23 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-GIUII.tmp\KeePass-2.56-Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-GIUII.tmp\KeePass-2.56-Setup.tmp" /SL5="$400F4,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check3⤵
- Executes dropped EXE
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe"C:\Program Files\KeePass Password Safe 2\KeePass.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dllFilesize
448KB
MD589e19d93a58fac5db151666e4babd019
SHA118295f15fa79fe345aa81c894f88c9a0b9e5fffe
SHA2560a9fb364207de3ff6b072b63c3ef35929db58c77f8cca5bc11c61b9d195207f0
SHA5129c1df97295d656b8af5ac82c4c3050bb86daade360e38cb0dbeacba6cc5094288ad2537585b9824812bb9755547eb287ca500137b6117b3150007fa6e4847cc0
-
C:\Program Files\KeePass Password Safe 2\KeePass.config.xmlFilesize
252B
MD5ac0f1e104f82d295c27646bfff39fecc
SHA134309b00045503fce52adf638ec8be5f32cb6b1d
SHA256c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440
SHA512be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe.configFilesize
763B
MD5ff0c23b97df708cca2030a96c914c3a9
SHA18523b7b505f770e5f6ad6561e16a4ecdf2f28ab5
SHA2563348d697fe118aaa0fdd36087c5105d9b9af14abfd0fb10568c118941637c26e
SHA51233af19712cbb57ef3fb74ac0745e097b7aadd2f65cb9073ff52575604d85292206a7687d7104b18ae21fddafed3b12a73c110a491927a478e127ac09a5029265
-
C:\Program Files\KeePass Password Safe 2\unins000.exeFilesize
3.0MB
MD5a96ef5a2191bcf92dd9cc0a62522c69f
SHA1c7f2d102b5fb3883a0906b876fe5c8370d82d0c4
SHA2563b8555ecb75212eb84e09110194b7696d8c3bf8eec87d5a05dcef2684c9ae028
SHA5120d2611617d32a3599714c6fdda5f30d377a776b89ec195f454aafdda381de61fa788dec5886eec62f906b24da0cf1588ccb00702835f2ca8d53f276cf5205741
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\a8cf5006c53d44415e866cc943ccbc93\KeePass.ni.exeFilesize
5.6MB
MD5d850275adc6d458562035d7e6bfd3175
SHA16ea7419b45a5461a79602ed550e856944081ec24
SHA256c57f7e0883ac118e0b9a52144019fdc51e6effd0b6c174e94be74c6e35ea993d
SHA5128c4a685c9d73fa9b851cf98d355a34cf3f02a159f1d280447e4daf29686cd938e770ce2c774e45703d8515039f74738f7efe3dcd4c2e5429f47c6b7e241e4e3b
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\a8cf5006c53d44415e866cc943ccbc93\KeePass.ni.exe.auxFilesize
1KB
MD5e64ee1a7ff6ab5d466952336a29a2a51
SHA1450bbec6060c1b13d131a25d17a8ca4cb36e5284
SHA256492f180716f09a9b294d345b9aa8491074ee0d9dfdb91dc6d08601cf18d1367d
SHA512975f302ec6ea5152bd2888d8c625c33a7b29f48b8dfebd410ac0750316586b170eb11718a7080b6769abd49cf3fb712729467f022045d49fc17073f58a36433b
-
\Program Files\KeePass Password Safe 2\KeePass.exeFilesize
3.1MB
MD5b4250862f4d1f151d2edc123ab2c8a77
SHA1ed1a56b9d794c2b695bf5d587fdf6cdb121a56fa
SHA25609d730282184ec2ba4cc8c1c089837b323e7b6bab0101206e206455d903e4d2a
SHA512e3263cc43f88764626f81f6987de40d707c0a80d74443ac08d7f285e2827ebf325accf9479d499938dad03fa5817544866e72e1c1d1c74bb81d5e04b731ac2ba
-
\Program Files\KeePass Password Safe 2\ShInstUtil.exeFilesize
94KB
MD5f5d989c6a6afc473b8c5e2c4cf1586a5
SHA14607715357d9b869511e50073f75f7f65aea3e0e
SHA256783053f791ac52c7e5600209a5c83c18419d4dd093be9541839d38549f13f91b
SHA512fed81e10aaa6d6fc0d957436b43d1303b5f0736037aa4c0ec69d0b528db6c366ad71c295f1f64eabc89416e7d9e41857f5e451b28b4629ac74736e6d6f89a88e
-
\Users\Admin\AppData\Local\Temp\is-GIUII.tmp\KeePass-2.56-Setup.tmpFilesize
3.0MB
MD5354613dd35e43746f934c0e9d7b2543c
SHA18b7d3e5306279753e025279455a7d97e1c55cfe4
SHA256c11513e77b5cd81f07e33111d7a36f5ee4cf551113e30414de753a4c101173d6
SHA512b3d6a91087a942c5ce04efb179b04989402761b2e634cf1f58924563926d75e034bff675bfb517011c3f91d46d37a5ee69936487830e89270e933c6720d7ef56
-
\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\a8cf5006c53d44415e866cc943ccbc93\KeePass.ni.exeFilesize
5.2MB
MD51f5c1df187ef6f39fc85703a2dc4a3e3
SHA143facaf87362620e3bcdd4319ac27aca6340c071
SHA2562d2c513b3472da6e5aa225b30f88668f09cb2b6dcbe44dfb831b11b58d11393f
SHA512efecd0045c1e69d3cbae1b965d19a108abd436013431599a4c35d551f968d2f2bc0cd03e33374643f6738467c29c50ad287629baa2be829340c1ce7cfbbd4d30
-
\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\a8cf5006c53d44415e866cc943ccbc93\KeePass.ni.exeFilesize
4.0MB
MD548dbdeabee5e9b836a88a200147bc644
SHA1a90586e62fc7f9b82cde498bf012db46987a1875
SHA256abb083a7d78be633f2029d1226122d26799c89ac92d81aa344d7a27953e353ac
SHA5127aed9fd6bd5c4d76f3828ded2393bcc7da923e79955871e73242f077295a04ed6762f2fbdb7f34e19565cf265807f0b809f57f62e6e8eddaf0f736c170b19eb3
-
memory/860-99-0x0000000000840000-0x00000000008C0000-memory.dmpFilesize
512KB
-
memory/860-105-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmpFilesize
9.9MB
-
memory/860-103-0x0000000021230000-0x000000002129E000-memory.dmpFilesize
440KB
-
memory/860-106-0x0000000000840000-0x00000000008C0000-memory.dmpFilesize
512KB
-
memory/860-107-0x0000000000840000-0x00000000008C0000-memory.dmpFilesize
512KB
-
memory/860-104-0x0000000000840000-0x00000000008C0000-memory.dmpFilesize
512KB
-
memory/860-108-0x000000001ABE0000-0x000000001ABE1000-memory.dmpFilesize
4KB
-
memory/860-96-0x0000000000840000-0x00000000008C0000-memory.dmpFilesize
512KB
-
memory/860-91-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmpFilesize
9.9MB
-
memory/860-92-0x00000000003F0000-0x0000000000718000-memory.dmpFilesize
3.2MB
-
memory/860-101-0x000000001ABE0000-0x000000001ABE1000-memory.dmpFilesize
4KB
-
memory/860-110-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmpFilesize
9.9MB
-
memory/2624-98-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmpFilesize
9.9MB
-
memory/2624-65-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmpFilesize
9.9MB
-
memory/2624-63-0x000000001B490000-0x000000001B7B8000-memory.dmpFilesize
3.2MB
-
memory/2728-1-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2728-89-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2728-10-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2772-84-0x000007FEF4E00000-0x000007FEF57EC000-memory.dmpFilesize
9.9MB
-
memory/2772-69-0x0000064488000000-0x0000064488B22000-memory.dmpFilesize
11.1MB
-
memory/2772-68-0x000007FEF4E00000-0x000007FEF57EC000-memory.dmpFilesize
9.9MB
-
memory/2772-67-0x000000001B4E0000-0x000000001B808000-memory.dmpFilesize
3.2MB
-
memory/2952-66-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/2952-86-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/2952-88-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/2952-61-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/2952-11-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/2952-8-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB