ea53f7f944fada950cd7bb154deb078123a357b7bc5e2484851762b3552eb48b

Analysis

max time kernel
1556s
max time network
1557s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KeePass-2.57-Setup.exe
Size

4.2MB
MD5

4c1cafc2b3a380208548620a3d53dbba
SHA1

a4c6ae220ecc6b907e56200809edab3bcdc38b30
SHA256

ea53f7f944fada950cd7bb154deb078123a357b7bc5e2484851762b3552eb48b
SHA512

b2a63cff7b7f01c753dac2723e4ca02b2e86e1ed77741f4254b229f3c79e63aa7392fdbb0ad550055b7438c2a05a8536b71ee05b9afb88a72997f8907490d83b
SSDEEP

98304:hkLaasz0D6H/jUdBfhUEKMEoEGfA58ulnYBh+oKLeOKIaE:yaaszr/WrKv7PPoK/

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3040	KeePass-2.57-Setup.tmp
2948	ShInstUtil.exe
2408	ShInstUtil.exe
2340	ShInstUtil.exe
688	KeePass.exe

Loads dropped DLL 8 IoCs

pid	Process
1952	KeePass-2.57-Setup.exe
3040	KeePass-2.57-Setup.tmp
3040	KeePass-2.57-Setup.tmp
3040	KeePass-2.57-Setup.tmp
3040	KeePass-2.57-Setup.tmp
1560	mscorsvw.exe
3040	KeePass-2.57-Setup.tmp
688	KeePass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeePass 2 PreLoad = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" --preload"	ShInstUtil.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\KeePass Password Safe 2\is-6HNAR.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\XSL\is-S191L.tmp	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\KeePass.chm	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\KeePassLibC64.dll	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-C15T4.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-OV9RK.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\XSL\is-BUE6R.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\XSL\is-KVCAN.tmp	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\unins000.dat	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-4F8DQ.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-9334U.tmp	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-51H0Q.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-TI7LE.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\XSL\is-83BDV.tmp	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\KeePass.exe	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-E4IEK.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-TNNSO.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\is-N37G6.tmp	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\XSL\is-KB384.tmp	KeePass-2.57-Setup.tmp
File opened for modification	C:\Program Files\KeePass Password Safe 2\KeePassLibC32.dll	KeePass-2.57-Setup.tmp
File created	C:\Program Files\KeePass Password Safe 2\unins000.dat	KeePass-2.57-Setup.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\618-0\KeePass.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\0c5ed7690639df1194ba6470280f3166\KeePass.ni.exe.aux.tmp	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\ = "&Open with KeePass Password Safe"	KeePass-2.57-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command	KeePass-2.57-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open\command\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\" \"%1\""	KeePass-2.57-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon	KeePass-2.57-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx\ = "kdbxfile"	KeePass-2.57-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile	KeePass-2.57-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\ = "KeePass Database"	KeePass-2.57-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\AlwaysShowExt	KeePass-2.57-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\DefaultIcon\ = "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\",0"	KeePass-2.57-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell\open	KeePass-2.57-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kdbxfile\shell	KeePass-2.57-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kdbx	KeePass-2.57-Setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	KeePass-2.57-Setup.tmp
3040	KeePass-2.57-Setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
688	KeePass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	KeePass.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3040	KeePass-2.57-Setup.tmp
688	KeePass.exe
688	KeePass.exe
688	KeePass.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
688	KeePass.exe
688	KeePass.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 1952 wrote to memory of 3040	1952	KeePass-2.57-Setup.exe	28
PID 3040 wrote to memory of 2948	3040	KeePass-2.57-Setup.tmp	29
PID 3040 wrote to memory of 2948	3040	KeePass-2.57-Setup.tmp	29
PID 3040 wrote to memory of 2948	3040	KeePass-2.57-Setup.tmp	29
PID 3040 wrote to memory of 2948	3040	KeePass-2.57-Setup.tmp	29
PID 3040 wrote to memory of 2408	3040	KeePass-2.57-Setup.tmp	30
PID 3040 wrote to memory of 2408	3040	KeePass-2.57-Setup.tmp	30
PID 3040 wrote to memory of 2408	3040	KeePass-2.57-Setup.tmp	30
PID 3040 wrote to memory of 2408	3040	KeePass-2.57-Setup.tmp	30
PID 3040 wrote to memory of 2340	3040	KeePass-2.57-Setup.tmp	31
PID 3040 wrote to memory of 2340	3040	KeePass-2.57-Setup.tmp	31
PID 3040 wrote to memory of 2340	3040	KeePass-2.57-Setup.tmp	31
PID 3040 wrote to memory of 2340	3040	KeePass-2.57-Setup.tmp	31
PID 2340 wrote to memory of 2556	2340	ShInstUtil.exe	32
PID 2340 wrote to memory of 2556	2340	ShInstUtil.exe	32
PID 2340 wrote to memory of 2556	2340	ShInstUtil.exe	32
PID 2340 wrote to memory of 2556	2340	ShInstUtil.exe	32
PID 2340 wrote to memory of 2720	2340	ShInstUtil.exe	34
PID 2340 wrote to memory of 2720	2340	ShInstUtil.exe	34
PID 2340 wrote to memory of 2720	2340	ShInstUtil.exe	34
PID 2340 wrote to memory of 2720	2340	ShInstUtil.exe	34
PID 3040 wrote to memory of 688	3040	KeePass-2.57-Setup.tmp	41
PID 3040 wrote to memory of 688	3040	KeePass-2.57-Setup.tmp	41
PID 3040 wrote to memory of 688	3040	KeePass-2.57-Setup.tmp	41
PID 3040 wrote to memory of 688	3040	KeePass-2.57-Setup.tmp	41

C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\is-C27MQ.tmp\KeePass-2.57-Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C27MQ.tmp\KeePass-2.57-Setup.tmp" /SL5="$5001C,3483957,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
    "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
    "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2408
- - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
    "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
      4⤵
      PID:2556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
      4⤵
      PID:2720
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
        5⤵
        
        PID:1664
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 0 -NGENProcess 10c -Pipe 104 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1560
- - C:\Program Files\KeePass Password Safe 2\KeePass.exe
    "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll

Filesize
448KB

MD5
b5c96e2dbc09f0187f504067eec23e1d

SHA1
a80b8f7ef5cd0405d5b3e0611dd110e745208a35

SHA256
133c5cef4c3bd5db09e5535ed9faeaec9e371677609762cdc674353e724fe1ed

SHA512
3116edd0fc09fc406d8598d73247c5e7813272d8aff35364cf55a0ffec7da4221d223cc9040a1bff802ad8b94c60342b2f322662ffdfde5f5e3873dad13be75e

Download Submit
C:\Program Files\KeePass Password Safe 2\KeePass.config.xml

Filesize
252B

MD5
ac0f1e104f82d295c27646bfff39fecc

SHA1
34309b00045503fce52adf638ec8be5f32cb6b1d

SHA256
c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440

SHA512
be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839

Download Submit
C:\Program Files\KeePass Password Safe 2\KeePass.exe.config

Filesize
763B

MD5
82704da595e970ca358d973fcd8d7858

SHA1
5b98c0a8cc8f628db02024aee78619c3abb5de75

SHA256
3d918e9ff91d0324f284a4edc536066a924ce07b145b6ae5069963b4df25f4d3

SHA512
7db5a1ae3b65198c549369cf020d723553ed1fbb50e7095b6aeb3f7d3b0b485fa3cf38170ad1540634c3124e730604d2e0c6a20b233e270332268333ce915237

Download Submit
C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe

Filesize
94KB

MD5
0c1a351da6559ef4d451e72a8ca4d27a

SHA1
298871fb0ae9148b4000ed86e4096fd998615ecc

SHA256
9c61a071bbb3355c40fb9dc439bad7eb1ff8dc423507fc47e2e36620d7582715

SHA512
e6a12af145f9cdc86b17125feaa3d33d8cec1e3f365a10918e030d3fc7a7063f8eee1c5eed8cdf56413da6214ec0f2982b6fc588fe71415a031fc6e6a71d5fba

Download Submit
C:\Program Files\KeePass Password Safe 2\unins000.exe

Filesize
3.0MB

MD5
784aab45671c930f05e5bffb4047d8e2

SHA1
a7021fdf2b41ed07fe62f57d062065518bb895eb

SHA256
13dcbb76df576b6e126a9edc1a2243f209ea994fd2ef0fc29420b14cc03b3154

SHA512
f77c84fb1e90f00b1f5b651d36b197edcb6bea7df45e8f51cf98ce9213307a03e3135d3945ae5bb3ff25f66266f2c2a1c75fa25e7d2a3ffac060c82812d16f34

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\0c5ed7690639df1194ba6470280f3166\KeePass.ni.exe.aux

Filesize
1KB

MD5
bd6a8d326200c13aa82b727b7c264a6b

SHA1
495b9eed3c35cca0d9d0bf9ec9a4aa6d23d0bf38

SHA256
f9e1bc94ffa7d76348c3190e91d4c1e588e1e4eeff979a50067469c23781d8d4

SHA512
8579591d3a54577cb43bf7404d243a7010593bd682dc223f8cf75165e1fff08adffbbd5582961e4bfaebcdbcc0d332669c813ecfb9871797ac43360b51a815aa

Download Submit
\Program Files\KeePass Password Safe 2\KeePass.exe

Filesize
3.2MB

MD5
339d3b117dd428d5068cd7088ae6733f

SHA1
101d1d770719b5cadac23d0ed755ed796ddd2071

SHA256
51e1d528bd507ef86d4980fcb553250b655641bfccfadac812835617e2b1d7b3

SHA512
ce677aa243c0128f5981d9c3c5a516d3b041eb7f1ce03e4f8095236c55208ce38e7ec945bbce9777350daa027c0c93e73eeecbbb69e95ae0e6ae817ea78a0af9

Download Submit
\Users\Admin\AppData\Local\Temp\is-C27MQ.tmp\KeePass-2.57-Setup.tmp

Filesize
3.0MB

MD5
515a9f60ae3e548bba65c2d6aba98f75

SHA1
6c68ec325522a413e87daac52da8135d5b2a71ca

SHA256
88fa32ce3c8c9fa0781e812dee4f6eca307c5c4a50d6a1aafcbcbce94f0c91c1

SHA512
7f34993c9043d9b808a9652324d1bff90643f1516c50f4e09b85151cf5b3047a3bdb30923ffc0227bfd1b19ff27fba767b88dedd18db97be8c9efa28b0faa7a9

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\0c5ed7690639df1194ba6470280f3166\KeePass.ni.exe

Filesize
11.1MB

MD5
5db2dd17f4f16d02833f171b893f3da1

SHA1
899f70e844208bc5320065399b6bbb20d0cc3e3e

SHA256
a736e315bd9ec2bc80f4930f0f44985a94886ff9627507c3320f895346394557

SHA512
00f0cf0f9224dd2980db1b4fe6c4895f363d846f67b4a2f1d4b2a71c07cfaefb3344559d547f3d359bad18143ec07e896a8959e75bcb38fe0f41f98b60538ff0

Download Submit
memory/688-86-0x00000000012C0000-0x00000000015EA000-memory.dmp

Filesize
3.2MB

Download
memory/688-96-0x00000000214B0000-0x000000002151E000-memory.dmp

Filesize
440KB

Download
memory/1560-69-0x0000064488000000-0x0000064488B26000-memory.dmp

Filesize
11.1MB

Download
memory/1664-66-0x000000001B610000-0x000000001B93A000-memory.dmp

Filesize
3.2MB

Download
memory/1952-93-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1952-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1952-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1952-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3040-11-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/3040-92-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/3040-68-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/3040-8-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download