Resubmissions

06-06-2024 13:09

240606-qd156sfe56 7

06-06-2024 12:36

240606-ps182seb8t 7

Analysis

  • max time kernel
    73s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-06-2024 13:09

General

  • Target

    KeePass-2.56-Setup.exe

  • Size

    4.2MB

  • MD5

    86a0d58d2ae89c639d940dbda48308df

  • SHA1

    1280f427d149a8c5ca797a9ea29e711a3fa2b5ef

  • SHA256

    92529dc0e6449eca21688601020455505462819217b8e8d51f6e7b1dd05a69ef

  • SHA512

    9fffac37da58215108392f8532a2691b8e556175c0e5d8227aad8ab6a923cacb0e0eeca11911bef79b8ab340196c4cc4400e76300c73dbc7993a60386b8dab6a

  • SSDEEP

    98304:FkLUpT18sT3OIsoVv/uGRUCyLkVxXBKLeOKIa:GyFOIsO/umyADXBK

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\is-SR68M.tmp\KeePass-2.56-Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SR68M.tmp\KeePass-2.56-Setup.tmp" /SL5="$5014E,3482807,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.56-Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check
        3⤵
        • Executes dropped EXE
        PID:2472
      • C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2620
      • C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
          4⤵
          PID:2684
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
          4⤵
          PID:2860
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
            5⤵
            PID:1988
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:1816
      • C:\Program Files\KeePass Password Safe 2\KeePass.exe
        "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2292
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://keepass.info/plugins.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:788

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 1

Downloads

        • C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll
          Filesize

          448KB

          MD5

          89e19d93a58fac5db151666e4babd019

          SHA1

          18295f15fa79fe345aa81c894f88c9a0b9e5fffe

          SHA256

          0a9fb364207de3ff6b072b63c3ef35929db58c77f8cca5bc11c61b9d195207f0

          SHA512

          9c1df97295d656b8af5ac82c4c3050bb86daade360e38cb0dbeacba6cc5094288ad2537585b9824812bb9755547eb287ca500137b6117b3150007fa6e4847cc0

        • C:\Program Files\KeePass Password Safe 2\KeePass.config.xml
          Filesize

          252B

          MD5

          ac0f1e104f82d295c27646bfff39fecc

          SHA1

          34309b00045503fce52adf638ec8be5f32cb6b1d

          SHA256

          c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440

          SHA512

          be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839

        • C:\Program Files\KeePass Password Safe 2\KeePass.exe.config
          Filesize

          763B

          MD5

          ff0c23b97df708cca2030a96c914c3a9

          SHA1

          8523b7b505f770e5f6ad6561e16a4ecdf2f28ab5

          SHA256

          3348d697fe118aaa0fdd36087c5105d9b9af14abfd0fb10568c118941637c26e

          SHA512

          33af19712cbb57ef3fb74ac0745e097b7aadd2f65cb9073ff52575604d85292206a7687d7104b18ae21fddafed3b12a73c110a491927a478e127ac09a5029265

        • C:\Program Files\KeePass Password Safe 2\unins000.exe
          Filesize

          3.0MB

          MD5

          a96ef5a2191bcf92dd9cc0a62522c69f

          SHA1

          c7f2d102b5fb3883a0906b876fe5c8370d82d0c4

          SHA256

          3b8555ecb75212eb84e09110194b7696d8c3bf8eec87d5a05dcef2684c9ae028

          SHA512

          0d2611617d32a3599714c6fdda5f30d377a776b89ec195f454aafdda381de61fa788dec5886eec62f906b24da0cf1588ccb00702835f2ca8d53f276cf5205741

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          b38441aae14bc9879764e96bfc83ff56

          SHA1

          ede963267e765868e6cb6f7cad9b3ec8c336d35e

          SHA256

          d9c880748b471111815f0462c3bc569e7d475ec35e620ad2d1e2f0e272bed4f2

          SHA512

          e53f20a370fb36329d4ee0d33bca2374ebf58bbf03f89331f74078a32a65b242af677de384f2bd9d10208126773be3116861a779e0844953e6d40b31d4bf8730

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          55fcae38f0c5fefd261ef28f43b20068

          SHA1

          7fb6e38de9b3080619ebd6c82377d15693e081c1

          SHA256

          745b878da7345d1ca5a86e634fa5f0bab6af456b2a62aa21ef352cbe5ecb541d

          SHA512

          52034eb1925f708967609a087ac382475df89a5016e0066a6143b46cfb30e4a91fa9fa269af820d6002d7f7e5b16d846c092e9391d8edc6a2bb98186acc7ee44

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          d08b56521911e57f345e8904091ee254

          SHA1

          252f8b2e4d852f956cecd28744457de33c72a348

          SHA256

          f97aa2d1248295767db57fb5da7f192997dc3eec7b6d198fe332957c060c0294

          SHA512

          f22e9abbc9e22a5ae84a97b5e31dae26530ff5d728ead108ee02f83c270a876826d47b872986a49e3dcaf8a1a912ef660c974f113180a8fb1fb4e0ee23ef4fef

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          f153a96a55babb5d94f6b730674d46d2

          SHA1

          15d49c420b526f5f13638b2ded28793bff99064e

          SHA256

          63659ee5d9acbb383f32f3e83be3bfd3325523920c61fd3c4a84338b44ae8477

          SHA512

          7586c480763c27ff09b14a740fb8d0236f9ab4555a9a95a80aa9e51513bd5e501d2b6e81f073f59cb1af1bb130894902d33cfd6516da437e7490629ef72f6f9e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          ceb500cc0508c7052345c43b75dc9b28

          SHA1

          55b46c69b4c62513b82c5f3bdae8ed0ccb50f897

          SHA256

          47a238056a12710057ac0c1f36a3322e8e78b3ea3f518ccf2f2214831ab352e7

          SHA512

          7fca396a6cd5e4c5beae81bc4f4a950300842dcad803b22ec027daff6a6f6183e1410a7c6fa8c5b0633fd1ae7ef033c185f8c72fd591d309d877f3cc69cf4425

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          795cc012935f11d0984c72a90447b85f

          SHA1

          1266b41fa7345262a9af86dbcae86824e16ae1fb

          SHA256

          c47dbbaf77266be3ce7f9077b71119962b605d5fac5255846d5902f893dca913

          SHA512

          88b6c836e0a6ae37b4abb1c07bbfa3f349f476e695f1a2ad04743ce0a7bf230f8b2fa652dc47dd0199dfd7934ec5241c8e5ead12db330ab9babe1ed5d96b6985

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          6c756baccecac7ce8a4c3d23afdbc4de

          SHA1

          8df06d01e5b369294500d05b87a5346aa5dd3a41

          SHA256

          e040624e1509befe33b87c7e7f3a992aaa6007c65248f0e8d031540086afb33a

          SHA512

          24268ba1761cdaddb4073b014fe4e8771544fd056b0197e59573efc2035a5812f498ba2139bb8e3ca53d23ce5e972c2268b782d68f2be679a5a5eaab9d148784

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          e7ec20562bdb8ba4255bbdb3516709b4

          SHA1

          7cc4fd5fbc8c85fcf192a610ac108796d9d63ce1

          SHA256

          01884f140e86799cc393da1690641bf5d23f0509e982d855aa63aa28bc7116b8

          SHA512

          d260db6a498ec9a1acc06d4c22d01fb53bfb713ae305a4f57e03a6c8f4bf00c71e1928b4a0d786e63df94f02ff0b1d44a0fcb0160585384b83be566d1a2a3f84

        • C:\Users\Admin\AppData\Local\Temp\Cab2DA8.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar2E8A.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\a8cf5006c53d44415e866cc943ccbc93\KeePass.ni.exe.aux
          Filesize

          1KB

          MD5

          e64ee1a7ff6ab5d466952336a29a2a51

          SHA1

          450bbec6060c1b13d131a25d17a8ca4cb36e5284

          SHA256

          492f180716f09a9b294d345b9aa8491074ee0d9dfdb91dc6d08601cf18d1367d

          SHA512

          975f302ec6ea5152bd2888d8c625c33a7b29f48b8dfebd410ac0750316586b170eb11718a7080b6769abd49cf3fb712729467f022045d49fc17073f58a36433b

        • \Program Files\KeePass Password Safe 2\KeePass.exe
          Filesize

          3.1MB

          MD5

          b4250862f4d1f151d2edc123ab2c8a77

          SHA1

          ed1a56b9d794c2b695bf5d587fdf6cdb121a56fa

          SHA256

          09d730282184ec2ba4cc8c1c089837b323e7b6bab0101206e206455d903e4d2a

          SHA512

          e3263cc43f88764626f81f6987de40d707c0a80d74443ac08d7f285e2827ebf325accf9479d499938dad03fa5817544866e72e1c1d1c74bb81d5e04b731ac2ba

        • \Program Files\KeePass Password Safe 2\ShInstUtil.exe
          Filesize

          94KB

          MD5

          f5d989c6a6afc473b8c5e2c4cf1586a5

          SHA1

          4607715357d9b869511e50073f75f7f65aea3e0e

          SHA256

          783053f791ac52c7e5600209a5c83c18419d4dd093be9541839d38549f13f91b

          SHA512

          fed81e10aaa6d6fc0d957436b43d1303b5f0736037aa4c0ec69d0b528db6c366ad71c295f1f64eabc89416e7d9e41857f5e451b28b4629ac74736e6d6f89a88e

        • \Users\Admin\AppData\Local\Temp\is-SR68M.tmp\KeePass-2.56-Setup.tmp
          Filesize

          3.0MB

          MD5

          354613dd35e43746f934c0e9d7b2543c

          SHA1

          8b7d3e5306279753e025279455a7d97e1c55cfe4

          SHA256

          c11513e77b5cd81f07e33111d7a36f5ee4cf551113e30414de753a4c101173d6

          SHA512

          b3d6a91087a942c5ce04efb179b04989402761b2e634cf1f58924563926d75e034bff675bfb517011c3f91d46d37a5ee69936487830e89270e933c6720d7ef56

        • \Windows\assembly\NativeImages_v4.0.30319_64\KeePass\a8cf5006c53d44415e866cc943ccbc93\KeePass.ni.exe
          Filesize

          11.1MB

          MD5

          3dc4fb1ec8e864da3a7caadb1d69a511

          SHA1

          eb69f9770f8272b4421fd2829e3515d84fef19e2

          SHA256

          da0a0af23511bdb00d6a5fec945af85bec883cef77ca9263cee775fe47f0159b

          SHA512

          a53e8768426862a9f7f8992f8383cc0423ff1953099ca6e66d442f5bebc218cfeaec88c34382895615c4cff7212d8746fee0b5d9c082f247f97f5a7d58bf5ce1

        • memory/1816-67-0x000000001B530000-0x000000001B858000-memory.dmp
          Filesize

          3.2MB

        • memory/1816-68-0x0000064488000000-0x0000064488B22000-memory.dmp
          Filesize

          11.1MB

        • memory/1988-65-0x000000001B620000-0x000000001B948000-memory.dmp
          Filesize

          3.2MB

        • memory/2292-97-0x00000000217D0000-0x000000002183E000-memory.dmp
          Filesize

          440KB

        • memory/2292-86-0x0000000001240000-0x0000000001568000-memory.dmp
          Filesize

          3.2MB

        • memory/2384-84-0x0000000000400000-0x0000000000708000-memory.dmp
          Filesize

          3.0MB

        • memory/2384-11-0x0000000000400000-0x0000000000708000-memory.dmp
          Filesize

          3.0MB

        • memory/2384-8-0x0000000000400000-0x0000000000708000-memory.dmp
          Filesize

          3.0MB

        • memory/2384-93-0x0000000000400000-0x0000000000708000-memory.dmp
          Filesize

          3.0MB

        • memory/2740-2-0x0000000000401000-0x00000000004B7000-memory.dmp
          Filesize

          728KB

        • memory/2740-94-0x0000000000400000-0x00000000004CC000-memory.dmp
          Filesize

          816KB

        • memory/2740-10-0x0000000000400000-0x00000000004CC000-memory.dmp
          Filesize

          816KB

        • memory/2740-0-0x0000000000400000-0x00000000004CC000-memory.dmp
          Filesize

          816KB