Analysis

  • max time kernel
    129s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-06-2024 18:56

General

  • Target

    KeePass-2.57-Setup.exe

  • Size

    4.2MB

  • MD5

    4c1cafc2b3a380208548620a3d53dbba

  • SHA1

    a4c6ae220ecc6b907e56200809edab3bcdc38b30

  • SHA256

    ea53f7f944fada950cd7bb154deb078123a357b7bc5e2484851762b3552eb48b

  • SHA512

    b2a63cff7b7f01c753dac2723e4ca02b2e86e1ed77741f4254b229f3c79e63aa7392fdbb0ad550055b7438c2a05a8536b71ee05b9afb88a72997f8907490d83b

  • SSDEEP

    98304:hkLaasz0D6H/jUdBfhUEKMEoEGfA58ulnYBh+oKLeOKIaE:yaaszr/WrKv7PPoK/

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 59 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\is-9HKTT.tmp\KeePass-2.57-Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9HKTT.tmp\KeePass-2.57-Setup.tmp" /SL5="$70126,3483957,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check
        3⤵
        • Executes dropped EXE
        PID:3064
      • C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2172
      • C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
        "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
          4⤵
          PID:2872
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
          4⤵
          PID:2076
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
            5⤵
            PID:2908
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:300
      • C:\Program Files\KeePass Password Safe 2\KeePass.exe
        "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1076
  • C:\Program Files\KeePass Password Safe 2\KeePass.exe
    "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1748
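
The tree above goes five levels deep and the parent of each PID has to be read off the `N⤵` depth markers rather than the indentation. The following is an added example, not part of the report and not KeePass or sandbox code: a parser that turns the tree text into explicit parent/child links and lets you ask which process carried a given signature. The excerpt embedded in it is copied from the report above and trimmed to seven entries; everything else is constructed for the example. Run against it, it shows that the "Adds Run key to start application" hit belongs to `ShInstUtil.exe preload_register` (PID 2172), spawned by the extracted `KeePass-2.57-Setup.tmp` (PID 1796), and that the NGen worker `mscorsvw.exe` (PID 300) descends from `ShInstUtil.exe ngen_install` through `ngen.exe install`.

```python
# Added example, not part of the report: rebuild parent/child links from the
# depth markers ("3⤵") in the Processes tree and query it by signature.
# REPORT_EXCERPT is copied from the report above, trimmed to seven entries.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:1636
• C:\Users\Admin\AppData\Local\Temp\is-9HKTT.tmp\KeePass-2.57-Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9HKTT.tmp\KeePass-2.57-Setup.tmp" /SL5="$70126,3483957,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
  2⤵
  • Drops file in Program Files directory
  PID:1796
• C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
  3⤵
  • Executes dropped EXE
  • Adds Run key to start application
  PID:2172
• C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
  3⤵
  • Suspicious use of WriteProcessMemory
  PID:620
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
  4⤵
  PID:2076
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"
  5⤵
  • Drops file in Windows directory
  PID:300
• C:\Program Files\KeePass Password Safe 2\KeePass.exe
  "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:1748
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    signatures: List[str] = field(default_factory=list)
    parent: Optional[int] = None  # PID of the parent, None for a root


def parse_process_tree(text: str) -> Dict[int, Proc]:
    """Entry layout: '• <image>', '<cmdline>', '<depth>⤵', 0+ '• <signature>', 'PID:<n>'.
    The parent of an entry at depth d is the most recent entry seen at depth d-1."""
    procs: Dict[int, Proc] = {}
    last_at_depth: Dict[int, int] = {}
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:  # waiting for the image-path bullet that opens an entry
            if line.startswith("• "):
                cur = {"image": line[2:], "cmdline": None, "depth": None, "sigs": []}
        elif cur["cmdline"] is None:
            cur["cmdline"] = line
        elif cur["depth"] is None:
            m = DEPTH_RE.match(line)
            if not m:
                raise ValueError(f"expected depth marker, got {line!r}")
            cur["depth"] = int(m.group(1))
        elif line.startswith("• "):  # signature bullets
            cur["sigs"].append(line[2:])
        else:  # the PID line closes the entry
            m = PID_RE.match(line)
            if not m:
                raise ValueError(f"expected PID line, got {line!r}")
            pid, depth = int(m.group(1)), cur["depth"]
            parent = last_at_depth.get(depth - 1) if depth > 1 else None
            procs[pid] = Proc(pid, depth, cur["image"], cur["cmdline"], cur["sigs"], parent)
            last_at_depth[depth] = pid
            for d in [d for d in last_at_depth if d > depth]:  # drop stale deeper siblings
                del last_at_depth[d]
            cur = None
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[int]:
    """PIDs from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid].parent
    return chain[::-1]


def pids_with_signature(procs: Dict[int, Proc], name: str) -> List[int]:
    return sorted(p.pid for p in procs.values() if name in p.signatures)
```

`lineage(parse_process_tree(REPORT_EXCERPT), 300)` returns `[1636, 1796, 620, 2076, 300]`, and `pids_with_signature(..., "Adds Run key to start application")` returns `[2172]`. The report names the behaviour but not the registry value it created; on a host you would look under `HKCU` and `HKLM` `Software\Microsoft\Windows\CurrentVersion\Run` for a value whose data points into `C:\Program Files\KeePass Password Safe 2`.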

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll

          Filesize

          448KB

          MD5

          b5c96e2dbc09f0187f504067eec23e1d

          SHA1

          a80b8f7ef5cd0405d5b3e0611dd110e745208a35

          SHA256

          133c5cef4c3bd5db09e5535ed9faeaec9e371677609762cdc674353e724fe1ed

          SHA512

          3116edd0fc09fc406d8598d73247c5e7813272d8aff35364cf55a0ffec7da4221d223cc9040a1bff802ad8b94c60342b2f322662ffdfde5f5e3873dad13be75e

        • C:\Program Files\KeePass Password Safe 2\KeePass.config.xml

          Filesize

          252B

          MD5

          ac0f1e104f82d295c27646bfff39fecc

          SHA1

          34309b00045503fce52adf638ec8be5f32cb6b1d

          SHA256

          c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440

          SHA512

          be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839

        • C:\Program Files\KeePass Password Safe 2\KeePass.exe.config

          Filesize

          763B

          MD5

          82704da595e970ca358d973fcd8d7858

          SHA1

          5b98c0a8cc8f628db02024aee78619c3abb5de75

          SHA256

          3d918e9ff91d0324f284a4edc536066a924ce07b145b6ae5069963b4df25f4d3

          SHA512

          7db5a1ae3b65198c549369cf020d723553ed1fbb50e7095b6aeb3f7d3b0b485fa3cf38170ad1540634c3124e730604d2e0c6a20b233e270332268333ce915237

        • C:\Program Files\KeePass Password Safe 2\KeePassLibC64.dll

          Filesize

          767KB

          MD5

          e04fee6be9bc05bb78aacf5910a27345

          SHA1

          3925f42b9ed3921f5cd59b7978e7d5085a0e2d6f

          SHA256

          c2e6eab9dfa0b05905d0cd8a84ed85a6c2fb06b10af6501ff8dced7e2a8d5b5c

          SHA512

          01a1ef7877d227cf408ed53e109391626541724ab73e17b5c8bc9962943e30bf03e7f1578383f58ccbac0c1c89bb5cc0f576d4cdad93660796f1130d2785cfee

        • C:\Program Files\KeePass Password Safe 2\unins000.exe

          Filesize

          3.0MB

          MD5

          7ffabe0c2166208004684679ae9452bb

          SHA1

          34c9b7d35e34c07d48004ec7212e022c93e90ab4

          SHA256

          cc2f4af7242a24ca06bb2e351a2f3bd905fd869e0604c71053ed0bae48d5c03d

          SHA512

          4f041b66919c8c7d7011826ba7f7b3c87ff21d89f30e08dd25d2e155609f9ce60d58951eb02ead8791df34ff4e7fe1ac86999f9621118fe39ce5319eaeeed086

        • C:\Users\Admin\AppData\Roaming\KeePass\KeePass.config.xml

          Filesize

          4KB

          MD5

          9ee870eb2f3e047c9a5eec7a713696cc

          SHA1

          e73959946dae35c3e0619d07182b028ff256050e

          SHA256

          fda7f9d9d46522fb421f7f851c05b929bf4059ddc6f10fbc6541bdbffcef42ed

          SHA512

          05427d9cf702bd7a2336a7dc060cb975656441894691195cefa1831886013a3732f992f919f7a556fe5695dfe3eb8ab80c1bde361f1a77e4b0d9a0ca11ccabb1

        • C:\Users\Admin\Documents\Database.kdbx

          Filesize

          2KB

          MD5

          d9f2e699df3941b7baa736a52ecb771f

          SHA1

          372430dec0fea488cb73725825e8b51f5bf7de71

          SHA256

          a53fa98661f05c7eb1454b4f6c1c6383e5bb59ce125c8288b2fc96eef3350d0f

          SHA512

          a6c02437786f70b01245be308d87703a7ee4403e72aab79ba4741fe168b7ecb39ee069b0e5978d41c4ce0c756dc5d7dba64eeb296765644e8f1a89812993ace2

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\0c5ed7690639df1194ba6470280f3166\KeePass.ni.exe.aux

          Filesize

          1KB

          MD5

          bd6a8d326200c13aa82b727b7c264a6b

          SHA1

          495b9eed3c35cca0d9d0bf9ec9a4aa6d23d0bf38

          SHA256

          f9e1bc94ffa7d76348c3190e91d4c1e588e1e4eeff979a50067469c23781d8d4

          SHA512

          8579591d3a54577cb43bf7404d243a7010593bd682dc223f8cf75165e1fff08adffbbd5582961e4bfaebcdbcc0d332669c813ecfb9871797ac43360b51a815aa

        • \Program Files\KeePass Password Safe 2\KeePass.exe

          Filesize

          3.2MB

          MD5

          339d3b117dd428d5068cd7088ae6733f

          SHA1

          101d1d770719b5cadac23d0ed755ed796ddd2071

          SHA256

          51e1d528bd507ef86d4980fcb553250b655641bfccfadac812835617e2b1d7b3

          SHA512

          ce677aa243c0128f5981d9c3c5a516d3b041eb7f1ce03e4f8095236c55208ce38e7ec945bbce9777350daa027c0c93e73eeecbbb69e95ae0e6ae817ea78a0af9

        • \Program Files\KeePass Password Safe 2\ShInstUtil.exe

          Filesize

          94KB

          MD5

          0c1a351da6559ef4d451e72a8ca4d27a

          SHA1

          298871fb0ae9148b4000ed86e4096fd998615ecc

          SHA256

          9c61a071bbb3355c40fb9dc439bad7eb1ff8dc423507fc47e2e36620d7582715

          SHA512

          e6a12af145f9cdc86b17125feaa3d33d8cec1e3f365a10918e030d3fc7a7063f8eee1c5eed8cdf56413da6214ec0f2982b6fc588fe71415a031fc6e6a71d5fba

        • \Users\Admin\AppData\Local\Temp\is-9HKTT.tmp\KeePass-2.57-Setup.tmp

          Filesize

          3.0MB

          MD5

          515a9f60ae3e548bba65c2d6aba98f75

          SHA1

          6c68ec325522a413e87daac52da8135d5b2a71ca

          SHA256

          88fa32ce3c8c9fa0781e812dee4f6eca307c5c4a50d6a1aafcbcbce94f0c91c1

          SHA512

          7f34993c9043d9b808a9652324d1bff90643f1516c50f4e09b85151cf5b3047a3bdb30923ffc0227bfd1b19ff27fba767b88dedd18db97be8c9efa28b0faa7a9

        • \Windows\assembly\NativeImages_v4.0.30319_64\KeePass\0c5ed7690639df1194ba6470280f3166\KeePass.ni.exe

          Filesize

          11.1MB

          MD5

          5db2dd17f4f16d02833f171b893f3da1

          SHA1

          899f70e844208bc5320065399b6bbb20d0cc3e3e

          SHA256

          a736e315bd9ec2bc80f4930f0f44985a94886ff9627507c3320f895346394557

          SHA512

          00f0cf0f9224dd2980db1b4fe6c4895f363d846f67b4a2f1d4b2a71c07cfaefb3344559d547f3d359bad18143ec07e896a8959e75bcb38fe0f41f98b60538ff0

        • memory/300-73-0x000000001B460000-0x000000001B78A000-memory.dmp

          Filesize

          3.2MB

        • memory/300-74-0x0000064488000000-0x0000064488B26000-memory.dmp

          Filesize

          11.1MB

        • memory/1076-103-0x00000000230F0000-0x0000000023100000-memory.dmp

          Filesize

          64KB

        • memory/1076-92-0x0000000000090000-0x00000000003BA000-memory.dmp

          Filesize

          3.2MB

        • memory/1076-102-0x0000000021250000-0x00000000212BE000-memory.dmp

          Filesize

          440KB

        • memory/1636-2-0x0000000000401000-0x00000000004B7000-memory.dmp

          Filesize

          728KB

        • memory/1636-0-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/1636-14-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/1636-99-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/1636-9-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/1748-114-0x000000001F6D0000-0x000000001F73E000-memory.dmp

          Filesize

          440KB

        • memory/1748-111-0x0000000001000000-0x000000000132A000-memory.dmp

          Filesize

          3.2MB

        • memory/1796-90-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/1796-98-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/1796-10-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/1796-12-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/1796-15-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/1796-8-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/1796-17-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2908-71-0x000000001B390000-0x000000001B6BA000-memory.dmp

          Filesize

          3.2MB
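
Each entry in the list above carries the path, size and four digests of a dropped file (memory-dump entries carry only a size). The following is an added example, not part of the report and not sandbox or KeePass code: a parser for those entries plus a check that a local file reproduces the recorded digests. The embedded excerpt copies two file records and one memory-dump record from the list above; `record_for`, the hex-length validator and the sample bytes in the self-test are constructed for the example. A memory-dump record has no digests, so the comparison yields nothing for it instead of a false mismatch. The digests in this report are what the sandbox observed; to decide whether `KeePass-2.57-Setup.exe` is the genuine 2.57 release you still compare its SHA256 with the value the KeePass project publishes for that release, which this page does not include.

```python
# Added example, not part of the report: parse the per-file hash records of
# the Downloads list and verify a local copy against them. RECORDS_EXCERPT is
# copied from the report above; record_for() and the sample bytes are constructed.
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

RECORDS_EXCERPT = r"""
• C:\Program Files\KeePass Password Safe 2\KeePass.config.xml
  Filesize
  252B
  MD5
  ac0f1e104f82d295c27646bfff39fecc
  SHA1
  34309b00045503fce52adf638ec8be5f32cb6b1d
  SHA256
  c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440
  SHA512
  be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839
• \Program Files\KeePass Password Safe 2\ShInstUtil.exe
  Filesize
  94KB
  MD5
  0c1a351da6559ef4d451e72a8ca4d27a
  SHA1
  298871fb0ae9148b4000ed86e4096fd998615ecc
  SHA256
  9c61a071bbb3355c40fb9dc439bad7eb1ff8dc423507fc47e2e36620d7582715
  SHA512
  e6a12af145f9cdc86b17125feaa3d33d8cec1e3f365a10918e030d3fc7a7063f8eee1c5eed8cdf56413da6214ec0f2982b6fc588fe71415a031fc6e6a71d5fba
• memory/1076-92-0x0000000000090000-0x00000000003BA000-memory.dmp
  Filesize
  3.2MB
"""

LABELS = ("filesize", "md5", "sha1", "sha256", "sha512")


def parse_records(text: str) -> List[Dict[str, str]]:
    """A record opens with '• <path>'; each label line is followed by its value line."""
    records: List[Dict[str, str]] = []
    pending: Optional[str] = None  # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            records.append({"path": line[2:]})
            pending = None
        elif line.lower() in LABELS:
            pending = line.lower()
        elif pending:
            records[-1][pending] = line if pending == "filesize" else line.lower()
            pending = None
    return records


def validate(record: Dict[str, str]) -> List[str]:
    """Names of digest fields that are not lowercase hex of the algorithm's length."""
    return [alg for alg, n in HEX_LEN.items()
            if alg in record and not re.fullmatch(rf"[0-9a-f]{{{n}}}", record[alg])]


def digests(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HEX_LEN}


def compare(record: Dict[str, str], data: bytes) -> Dict[str, bool]:
    """For each digest present in the record, whether data reproduces it."""
    got = digests(data)
    return {alg: got[alg] == record[alg] for alg in HEX_LEN if alg in record}


def verify_file(record: Dict[str, str], path: str) -> Dict[str, bool]:
    return compare(record, Path(path).read_bytes())


def record_for(path: str, data: bytes) -> Dict[str, str]:
    """Constructed helper: a record in the report's shape for bytes you control."""
    rec = {"path": path, "filesize": f"{len(data)}B"}
    rec.update(digests(data))
    return rec
```

`verify_file(parse_records(RECORDS_EXCERPT)[1], r"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe")` on the analysed machine returns a dict with one boolean per algorithm; any `False` means the file on disk is not the one the sandbox recorded. `validate()` is a guard against transcription damage in the report text itself: a digest that is not hex of the right length cannot have been copied correctly.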