Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 13:45

General

  • Target

    KeePass-2.57-Setup.exe

  • Size

    4.2MB

  • MD5

    4c1cafc2b3a380208548620a3d53dbba

  • SHA1

    a4c6ae220ecc6b907e56200809edab3bcdc38b30

  • SHA256

    ea53f7f944fada950cd7bb154deb078123a357b7bc5e2484851762b3552eb48b

  • SHA512

    b2a63cff7b7f01c753dac2723e4ca02b2e86e1ed77741f4254b229f3c79e63aa7392fdbb0ad550055b7438c2a05a8536b71ee05b9afb88a72997f8907490d83b

  • SSDEEP

    98304:hkLaasz0D6H/jUdBfhUEKMEoEGfA58ulnYBh+oKLeOKIaE:yaaszr/WrKv7PPoK/

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Users\Admin\AppData\Local\Temp\is-FBSOI.tmp\KeePass-2.57-Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FBSOI.tmp\KeePass-2.57-Setup.tmp" /SL5="$701FE,3483957,781312,C:\Users\Admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2692
      • F:\KeePass Password Safe 2\ShInstUtil.exe
        "F:\KeePass Password Safe 2\ShInstUtil.exe" net_check
        3⤵
        • Executes dropped EXE
        PID:4368
      • F:\KeePass Password Safe 2\ShInstUtil.exe
        "F:\KeePass Password Safe 2\ShInstUtil.exe" preload_register
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:5096
      • F:\KeePass Password Safe 2\ShInstUtil.exe
        "F:\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" uninstall "F:\KeePass Password Safe 2\KeePass.exe"
          4⤵
          PID:4712
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "F:\KeePass Password Safe 2\KeePass.exe"
          4⤵
          PID:4216
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
            5⤵
            PID:3924
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1bc -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:3308
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:2912
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 2ac -Pipe 25c -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:1136
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 278 -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:2724
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 254 -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:1896
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2b4 -Pipe 1c4 -Comment "NGen Worker Process"
            5⤵
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:3772
      • F:\KeePass Password Safe 2\KeePass.exe
        "F:\KeePass Password Safe 2\KeePass.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3948

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-FBSOI.tmp\KeePass-2.57-Setup.tmp

          Filesize

          3.0MB

          MD5

          515a9f60ae3e548bba65c2d6aba98f75

          SHA1

          6c68ec325522a413e87daac52da8135d5b2a71ca

          SHA256

          88fa32ce3c8c9fa0781e812dee4f6eca307c5c4a50d6a1aafcbcbce94f0c91c1

          SHA512

          7f34993c9043d9b808a9652324d1bff90643f1516c50f4e09b85151cf5b3047a3bdb30923ffc0227bfd1b19ff27fba767b88dedd18db97be8c9efa28b0faa7a9

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\5c12a39692e4bebc2ae235596535d39a\KeePass.ni.exe

          Filesize

          11.4MB

          MD5

          a7b6a8732a9777935c646ea518d8b6a8

          SHA1

          97748d647e2ee59bbfd996bc23d8f4e9aa7c3397

          SHA256

          cee5f0973fd7c782dca7db542a0b33475f2cd819a565684930321f41e4450cbc

          SHA512

          44dc7815dae1db1c1297e73e1683e433f129da05702300abd81d4cb115d540f38882ed734f4077801a2a93dd9348f91c6bb8db56c5d7337ad903b740e464e9dc

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\KeePass\5c12a39692e4bebc2ae235596535d39a\KeePass.ni.exe.aux

          Filesize

          1KB

          MD5

          f2345db44a8fd5a9d95128224f8ce9e3

          SHA1

          46151420adc830fa00a48bd992c9ccc33e305873

          SHA256

          5aec49810f78ae92f40f44c188347dee8dfd013e3d5cd8cef391920bc580c149

          SHA512

          a0834dc4159655b7b411bce8cafee347e0ab70c7966c04bae496d43090b5d355f94b014d9b0f5d6315e2ca2e21d1b0a05ac5d4875459578c736c6b2413015fea

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

          Filesize

          3.0MB

          MD5

          b0bd1b2c367441f420d9cc270cf7fab6

          SHA1

          bdd65767f9c8047125a86b66b5678d8d72a76911

          SHA256

          447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

          SHA512

          551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

          Filesize

          708B

          MD5

          688ac15ac387cbac93d705be85b08492

          SHA1

          a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

          SHA256

          ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

          SHA512

          a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

          Filesize

          3.0MB

          MD5

          3385fdacfda1fc77da651550a705936d

          SHA1

          207023bf3b3ff2c93e9368ba018d32bb11e47a8a

          SHA256

          44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

          SHA512

          bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

          Filesize

          314KB

          MD5

          50b28be2b84f9dd1258a346525f8c2e5

          SHA1

          203abebaa5c22c9f6ac099d020711669e6655ed8

          SHA256

          6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

          SHA512

          d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

          Filesize

          345KB

          MD5

          35738b026183e92c1f7a6344cfa189fd

          SHA1

          ccc1510ef4a88a010087321b8af89f0c0c29b6d8

          SHA256

          4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

          SHA512

          ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

          Filesize

          986KB

          MD5

          e4b53e736786edcfbfc70f87c5ef4aad

          SHA1

          62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

          SHA256

          9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

          SHA512

          42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

        • C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

          Filesize

          912B

          MD5

          255a843ca54e88fd16d2befcc1bafb7a

          SHA1

          aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

          SHA256

          8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

          SHA512

          666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

        • F:\KeePass Password Safe 2\KeePass.XmlSerializers.dll

          Filesize

          448KB

          MD5

          b5c96e2dbc09f0187f504067eec23e1d

          SHA1

          a80b8f7ef5cd0405d5b3e0611dd110e745208a35

          SHA256

          133c5cef4c3bd5db09e5535ed9faeaec9e371677609762cdc674353e724fe1ed

          SHA512

          3116edd0fc09fc406d8598d73247c5e7813272d8aff35364cf55a0ffec7da4221d223cc9040a1bff802ad8b94c60342b2f322662ffdfde5f5e3873dad13be75e

        • F:\KeePass Password Safe 2\KeePass.config.xml

          Filesize

          252B

          MD5

          ac0f1e104f82d295c27646bfff39fecc

          SHA1

          34309b00045503fce52adf638ec8be5f32cb6b1d

          SHA256

          c4a3626bbcdfe4b17759e75582ad5f89beaa28efc857431f373e104fbe7b8440

          SHA512

          be3675bbbe47d929a1ca6c5dfefd31b674c7304cc4bfac914d5be9656937554919478feb363fd3a51561bcf879941fcb54b701648057422c452bf677d500a839

        • F:\KeePass Password Safe 2\KeePass.exe

          Filesize

          3.2MB

          MD5

          339d3b117dd428d5068cd7088ae6733f

          SHA1

          101d1d770719b5cadac23d0ed755ed796ddd2071

          SHA256

          51e1d528bd507ef86d4980fcb553250b655641bfccfadac812835617e2b1d7b3

          SHA512

          ce677aa243c0128f5981d9c3c5a516d3b041eb7f1ce03e4f8095236c55208ce38e7ec945bbce9777350daa027c0c93e73eeecbbb69e95ae0e6ae817ea78a0af9

        • F:\KeePass Password Safe 2\KeePass.exe.config

          Filesize

          763B

          MD5

          82704da595e970ca358d973fcd8d7858

          SHA1

          5b98c0a8cc8f628db02024aee78619c3abb5de75

          SHA256

          3d918e9ff91d0324f284a4edc536066a924ce07b145b6ae5069963b4df25f4d3

          SHA512

          7db5a1ae3b65198c549369cf020d723553ed1fbb50e7095b6aeb3f7d3b0b485fa3cf38170ad1540634c3124e730604d2e0c6a20b233e270332268333ce915237

        • F:\KeePass Password Safe 2\ShInstUtil.exe

          Filesize

          94KB

          MD5

          0c1a351da6559ef4d451e72a8ca4d27a

          SHA1

          298871fb0ae9148b4000ed86e4096fd998615ecc

          SHA256

          9c61a071bbb3355c40fb9dc439bad7eb1ff8dc423507fc47e2e36620d7582715

          SHA512

          e6a12af145f9cdc86b17125feaa3d33d8cec1e3f365a10918e030d3fc7a7063f8eee1c5eed8cdf56413da6214ec0f2982b6fc588fe71415a031fc6e6a71d5fba

        • F:\KeePass Password Safe 2\unins000.exe

          Filesize

          3.0MB

          MD5

          784aab45671c930f05e5bffb4047d8e2

          SHA1

          a7021fdf2b41ed07fe62f57d062065518bb895eb

          SHA256

          13dcbb76df576b6e126a9edc1a2243f209ea994fd2ef0fc29420b14cc03b3154

          SHA512

          f77c84fb1e90f00b1f5b651d36b197edcb6bea7df45e8f51cf98ce9213307a03e3135d3945ae5bb3ff25f66266f2c2a1c75fa25e7d2a3ffac060c82812d16f34

        • memory/1136-85-0x0000064449A20000-0x0000064449B18000-memory.dmp

          Filesize

          992KB

        • memory/1896-118-0x0000064445320000-0x000006444561E000-memory.dmp

          Filesize

          3.0MB

        • memory/2692-13-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2692-6-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2692-175-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2692-9-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2692-11-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2692-66-0x0000000000400000-0x0000000000708000-memory.dmp

          Filesize

          3.0MB

        • memory/2724-100-0x0000064443EC0000-0x0000064443F11000-memory.dmp

          Filesize

          324KB

        • memory/2912-67-0x00000644451A0000-0x00000644454A4000-memory.dmp

          Filesize

          3.0MB

        • memory/3308-148-0x0000064488000000-0x0000064488B68000-memory.dmp

          Filesize

          11.4MB

        • memory/3772-133-0x0000064449980000-0x00000644499D8000-memory.dmp

          Filesize

          352KB

        • memory/3924-63-0x0000021BF2DE0000-0x0000021BF2E92000-memory.dmp

          Filesize

          712KB

        • memory/3924-60-0x0000021BF2690000-0x0000021BF26E0000-memory.dmp

          Filesize

          320KB

        • memory/3924-58-0x0000021BF2F50000-0x0000021BF327A000-memory.dmp

          Filesize

          3.2MB

        • memory/3924-62-0x0000021BF2B60000-0x0000021BF2B82000-memory.dmp

          Filesize

          136KB

        • memory/3924-61-0x0000021BF3B30000-0x0000021BF3CB6000-memory.dmp

          Filesize

          1.5MB

        • memory/3924-64-0x0000021BF2B90000-0x0000021BF2BB2000-memory.dmp

          Filesize

          136KB

        • memory/3948-168-0x00000000000E0000-0x000000000040A000-memory.dmp

          Filesize

          3.2MB

        • memory/3948-179-0x0000000020830000-0x000000002089E000-memory.dmp

          Filesize

          440KB

        • memory/4524-0-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/4524-8-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/4524-2-0x0000000000401000-0x00000000004B7000-memory.dmp

          Filesize

          728KB