Analysis
-
max time kernel
97s -
max time network
95s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
24-05-2024 13:17
General
-
Target
KeePass-2.56-Setup.exe
-
Size
4.2MB
-
MD5
86a0d58d2ae89c639d940dbda48308df
-
SHA1
1280f427d149a8c5ca797a9ea29e711a3fa2b5ef
-
SHA256
92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef
-
SHA512
9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a
-
SSDEEP
98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 11 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 23 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-OJE25.tmp\KeePass-2.56-Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-OJE25.tmp\KeePass-2.56-Setup.tmp" /SL5="$4023E,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check3⤵
- Executes dropped EXE
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 28c -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 288 -Pipe 1c8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2ac -Pipe 1e8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 288 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 284 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe"C:\Program Files\KeePass Password Safe 2\KeePass.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe"C:\Program Files\KeePass Password Safe 2\KeePass.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dllFilesize
448KB
MD589e19d93a58fac5db151666e4babd019
SHA118295f15fa79fe345aa81c894f88c9a0b9e5fffe
SHA2560a9fb364207de3ff6b072b63c3ef35929db58c77f8cca5bc11c61b9d195207f0
SHA5129c1df97295d656b8af5ac82c4c3050bb86daade360e38cb0dbeacba6cc5094288ad2537585b9824812bb9755547eb287ca500137b6117b3150007fa6e4847cc0
-
C:\Program Files\KeePass Password Safe 2\KeePass.config.xmlFilesize
252B
MD5ac0f1e104f82d295c27646bfff39fecc
SHA134309b00045503fce52adf638ec8be5f32cb6b1d
SHA256c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440
SHA512be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839
-
C:\Program Files\KeePass Password Safe 2\KeePass.exeFilesize
3.1MB
MD5b4250862f4d1f151d2edc123ab2c8a77
SHA1ed1a56b9d794c2b695bf5d587fdf6cdb121a56fa
SHA25609d730282184ec2ba4cc8c1c089837b323e7b6bab0101206e206455d903e4d2a
SHA512e3263cc43f88764626f81f6987de40d707c0a80d74443ac08d7f285e2827ebf325accf9479d499938dad03fa5817544866e72e1c1d1c74bb81d5e04b731ac2ba
-
C:\Program Files\KeePass Password Safe 2\KeePass.exe.configFilesize
763B
MD5ff0c23b97df708cca2030a96c914c3a9
SHA18523b7b505f770e5f6ad6561e16a4ecdf2f28ab5
SHA2563348d697fe118aaa0fdd36087c5105d9b9af14abfd0fb10568c118941637c26e
SHA51233af19712cbb57ef3fb74ac0745e097b7aadd2f65cb9073ff52575604d85292206a7687d7104b18ae21fddafed3b12a73c110a491927a478e127ac09a5029265
-
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exeFilesize
94KB
MD5f5d989c6a6afc473b8c5e2c4cf1586a5
SHA14607715357d9b869511e50073f75f7f65aea3e0e
SHA256783053f791ac52c7e5600209a5c83c18419d4dd093be9541839d38549f13f91b
SHA512fed81e10aaa6d6fc0d957436b43d1303b5f0736037aa4c0ec69d0b528db6c366ad71c295f1f64eabc89416e7d9e41857f5e451b28b4629ac74736e6d6f89a88e
-
C:\Program Files\KeePass Password Safe 2\unins000.exeFilesize
3.0MB
MD5a96ef5a2191bcf92dd9cc0a62522c69f
SHA1c7f2d102b5fb3883a0906b876fe5c8370d82d0c4
SHA2563b8555ecb75212eb84e09110194b7696d8c3bf8eec87d5a05dcef2684c9ae028
SHA5120d2611617d32a3599714c6fdda5f30d377a776b89ec195f454aafdda381de61fa788dec5886eec62f906b24da0cf1588ccb00702835f2ca8d53f276cf5205741
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KeePass.exe.logFilesize
1KB
MD5fb4ee9ee60e5d08b931d9e9ac0d03199
SHA1f4d95d1307979ded7cd15f9798d077c5186c832b
SHA25653bcdf089df966f97986fc0696fbc720b2031bc925f712b404989aaedf0d4aac
SHA512cb672e5f20031ac8ee1aafec88b674dc0464dd2cd287482a3633746d8184006a6cc31703bf4011a3fbd4f88a1f11e4e21fe84fc8d7970ff2aee93dc6c15f2e2b
-
C:\Users\Admin\AppData\Local\Temp\is-OJE25.tmp\KeePass-2.56-Setup.tmpFilesize
3.0MB
MD5354613dd35e43746f934c0e9d7b2543c
SHA18b7d3e5306279753e025279455a7d97e1c55cfe4
SHA256c11513e77b5cd81f07e33111d7a36f5ee4cf551113e30414de753a4c101173d6
SHA512b3d6a91087a942c5ce04efb179b04989402761b2e634cf1f58924563926d75e034bff675bfb517011c3f91d46d37a5ee69936487830e89270e933c6720d7ef56
-
C:\Users\Admin\AppData\Roaming\KeePass\KeePass.config.xmlFilesize
3KB
MD5a504197f62d2636d05d0d7388b752484
SHA1538a7f216557c7f53dbd2e70f26b226f7104a2e7
SHA2568a045ba53f096aecd741e38488d72473378593dcd3cbe4fd97d4b0e133dd4c91
SHA5124d1347f6aa54b8e239f23f86096662f90aa493bf444ca2f59ab1e0836cd350b8c1370b74ce0c2cfa9a8f8bac193e3073536b08a7bf1f110a79de8f401ceba304
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\f303a963447fcb6b2307b72edab46e58\KeePass.ni.exeFilesize
11.4MB
MD52f856e06222f7e26999e53396e4ce7d7
SHA14eb190fa96382b7cf30e0ea41c0ad65db5c0ba4f
SHA25644d49be085f891f4f881c5e1865575e34cd49d12602196915ae2a1fc702ea3f9
SHA5127e24e2e02c7362889a6eeaa81b67e4e4ec4777a8f013c2ebc2414f4164b94bbbd56d124eb33945d20b11258270e3eee48608636f350404e0594cb5bec673d49d
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\f303a963447fcb6b2307b72edab46e58\KeePass.ni.exe.auxFilesize
1KB
MD5f2986f1ced2942290c4e14cd1e9084c8
SHA1693cf3496def9f4c2766a33b7bdde063eef8d2c8
SHA2566d10119b7ecd681408e10c025bb6ffff2e0c8a7f21862ade12eea0538e399935
SHA5121c1ce774a5e1bb9c2cce28d7d7d22275dc71076a82a5b3c45436bd236b48d55ba32d22b4e1ed004dcb95b5fe1452c0f04a6733bdb12a033df934c44a444a26c9
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dllFilesize
3.0MB
MD55968702720c09d48fc7a0aae9f458a3e
SHA164ec4c0ee94a26fdd26f7f02892a313793ca3333
SHA2561db11e73cdfebf485614216e227af712214049b909490e500bd0189a580a7eea
SHA512107b18bb1f4d5441c015a657aab87581d4e37d72321ceac4208ff00f93e82d98f340dce8e6493e8f89a0104c3f71443455ab7f88433a173b5dc75e1274b21164
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.auxFilesize
708B
MD5babee7fd2083dd07600dd5c55c7ccb19
SHA1d60268525947cb482d08dc82bf8dbedc4153ecc7
SHA256211f95dde18026099e727ea7dd3c59b2f44e4b8d6bc37a400b4e77dd35407fb8
SHA512fb07b7940e0caa80c779f80a79c855f360a6032f4cfbc55d1d244070d638e2edc7969ebdbb1bc695b7a6e2a4ea8b9197287ee27acaf6e0ec3e7a2114c892034c
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dllFilesize
3.0MB
MD55ce272c443c76c6a0268b17307086373
SHA19da215c4f1fa2367b0abb062ae23c49c27e0cf6e
SHA2561bda44e93fabab317c5d2768199ae87d47868e2ba1bd5c4eafbbc78fa3ae7414
SHA512a6a66cc3a2b2080973edea313fc2f486c26c43280ffb1790c39f7e4983671abeb7c4b7e42c247823e2f30c284467e0848259d9d8bbbe50e3858bb5dc23a29d94
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dllFilesize
314KB
MD50ec738c1551385a6ab8287162ead2385
SHA1576f4ac07fa966785607109902714f104c2b6fdb
SHA2562be57b6de3fa61e65fab74f2911edeee2d0c4d3f0e2e0371bfca72498a4ac60e
SHA512abfa6e2d47c55b65bf81a240c32bc7dbbdf739b23d4ddeb6b95d4c39eec7c0f59d3b788239b7ef4419d31176cd2a5338bda535c9241ba24ddecaaae36b57303a
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dllFilesize
345KB
MD59ca5ccbe1085d777dc220ad37e26d6d3
SHA17f63e7d7764a4dc13a8b9cbec50749229cb93bca
SHA256f362820cf09248efe993990b005ae1cbc856a048f08d7e1b494d980bff8a2342
SHA512bc5142e7741071dcbff36c8320d7b217ddfc95c43b3c2a422ff2439e0eb46669c23d1ceda2956735c9a5cf66f489de21eba9a85d3b8d50959d898a213be3c3ea
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dllFilesize
986KB
MD5f7c61b3ccddcebf97d4f2fcd7d2fc298
SHA13d4149310ceafb8b989afda01ac47abd4b9eae32
SHA2568effa08244a2d3dc6573065c372c8fc06e515f584d6f7760ffafc6fcd91b7957
SHA5120fd5437a6f77375b930ae913f955ef5b25c1374ae0ac491e4873ba4e303a0e4542a312d82096cbd6c171b4ed81859f2ab8ef2e2dcb20d534e5a923eb5314fa4f
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.auxFilesize
912B
MD5c7f1888df8d5f0cee44055889d7145a0
SHA12b38514613fdcf0bd151d72e1754f82c8600238f
SHA25686a58da68258f409d91c6178502763d92d53d5a81a0c65ea0da5826aa95dced2
SHA512a96ac1b47a8ddb9efcf4b1483c47ef8141b05e47c68e9357ffb239033434b9450ef562f5a1ebb0a741c401c384da95780482a647270fd39558a1d73990101670
-
memory/1292-173-0x0000000020790000-0x00000000207FE000-memory.dmpFilesize
440KB
-
memory/1292-162-0x00000000003F0000-0x0000000000718000-memory.dmpFilesize
3.2MB
-
memory/1660-114-0x0000064445320000-0x000006444561E000-memory.dmpFilesize
3.0MB
-
memory/1812-0-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1812-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/1812-7-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1812-170-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2020-56-0x0000016776E90000-0x00000167771B8000-memory.dmpFilesize
3.2MB
-
memory/2020-59-0x00000167771C0000-0x0000016777348000-memory.dmpFilesize
1.5MB
-
memory/2020-58-0x0000016776950000-0x00000167769A0000-memory.dmpFilesize
320KB
-
memory/2020-62-0x0000016776B00000-0x0000016776B22000-memory.dmpFilesize
136KB
-
memory/2020-61-0x0000016776D20000-0x0000016776DD2000-memory.dmpFilesize
712KB
-
memory/2020-60-0x0000016776AD0000-0x0000016776AF2000-memory.dmpFilesize
136KB
-
memory/2264-96-0x0000064443EC0000-0x0000064443F11000-memory.dmpFilesize
324KB
-
memory/3008-81-0x0000064449A20000-0x0000064449B18000-memory.dmpFilesize
992KB
-
memory/3172-144-0x0000064488000000-0x0000064488B64000-memory.dmpFilesize
11.4MB
-
memory/4336-129-0x0000064449980000-0x00000644499D8000-memory.dmpFilesize
352KB
-
memory/4816-160-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-8-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-169-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-11-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/4816-6-0x0000000000400000-0x0000000000708000-memory.dmpFilesize
3.0MB
-
memory/5064-64-0x00000644451A0000-0x00000644454A4000-memory.dmpFilesize
3.0MB