File name: KeePass-2.57-Setup.exe

Full analysis: https://app.any.run/tasks/0442aacb-47c3-404d-b85a-22a6496ccaa6
Verdict: Malicious activity
Analysis date: June 12, 2024, 07:51:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4C1CAFC2B3A380208548620A3D53DBBA
SHA1: A4C6AE220ECC6B907E56200809EDAB3BCDC38B30
SHA256: EA53F7F944FADA950CD7BB154DEB078123A357B7BC5E2484851762B3552EB48B
SSDEEP: 98304:o+cD4dnNGhcKCW/M0ZX9J7Xl9IBFsoRYLU97xLqHn7WBthBi8sLDaacSGidcWr4X:u4/l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • KeePass-2.57-Setup.exe (PID: 3976)
      • KeePass-2.57-Setup.exe (PID: 2104)
      • mscorsvw.exe (PID: 1864)
      • KeePass-2.57-Setup.tmp (PID: 2108)
    • Changes the autorun value in the registry

      • ShInstUtil.exe (PID: 2044)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • KeePass-2.57-Setup.exe (PID: 3976)
      • KeePass-2.57-Setup.exe (PID: 2104)
      • KeePass-2.57-Setup.tmp (PID: 2108)
      • mscorsvw.exe (PID: 1864)
    • Reads the Windows owner or organization settings

      • KeePass-2.57-Setup.tmp (PID: 2108)
    • Reads security settings of Internet Explorer

      • ShInstUtil.exe (PID: 116)
    • Reads the Internet Settings

      • ShInstUtil.exe (PID: 116)
  • INFO

    • Create files in a temporary directory

      • KeePass-2.57-Setup.exe (PID: 3976)
      • KeePass-2.57-Setup.exe (PID: 2104)
    • Reads the computer name

      • KeePass-2.57-Setup.tmp (PID: 3992)
      • KeePass-2.57-Setup.tmp (PID: 2108)
      • mscorsvw.exe (PID: 304)
      • mscorsvw.exe (PID: 1864)
      • ngen.exe (PID: 1772)
      • ngen.exe (PID: 336)
      • ShInstUtil.exe (PID: 116)
    • Checks supported languages

      • KeePass-2.57-Setup.exe (PID: 3976)
      • KeePass-2.57-Setup.tmp (PID: 3992)
      • KeePass-2.57-Setup.exe (PID: 2104)
      • KeePass-2.57-Setup.tmp (PID: 2108)
      • ShInstUtil.exe (PID: 2032)
      • ShInstUtil.exe (PID: 2044)
      • ShInstUtil.exe (PID: 116)
      • mscorsvw.exe (PID: 1864)
      • ngen.exe (PID: 1772)
      • ngen.exe (PID: 336)
      • mscorsvw.exe (PID: 304)
    • Creates files in the program directory

      • KeePass-2.57-Setup.tmp (PID: 2108)
    • Creates a software uninstall entry

      • KeePass-2.57-Setup.tmp (PID: 2108)
    • Reads the machine GUID from the registry

      • mscorsvw.exe (PID: 304)
      • ngen.exe (PID: 1772)
      • mscorsvw.exe (PID: 1864)
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.57.0.0
ProductVersionNumber: 2.57.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Dominik Reichl
FileDescription: KeePass Password Safe 2.57 Setup
FileVersion: 2.57.0.0
LegalCopyright: Copyright © 2003-2024 Dominik Reichl
OriginalFileName:
ProductName: KeePass Password Safe
ProductVersion: 2.57
Total processes: 48
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Graph nodes (in the order shown; "no specs" marks a process for which the report gives no further details):
start
keepass-2.57-setup.exe
keepass-2.57-setup.tmp (no specs)
keepass-2.57-setup.exe
keepass-2.57-setup.tmp
shinstutil.exe (no specs)
shinstutil.exe
shinstutil.exe (no specs)
ngen.exe (no specs)
ngen.exe (no specs)
mscorsvw.exe (no specs)
mscorsvw.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 116
CMD: "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" ngen_install
Path: C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
Parent process: KeePass-2.57-Setup.tmp
User: admin
Company: Dominik Reichl
Integrity Level: HIGH
Description: ShInstUtil - KeePass Helper Utility
Exit code: 0
Version: 2.57.0.0
Modules (Images):
c:\program files\keepass password safe 2\shinstutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 304
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 108 -InterruptEvent 0 -NGENProcess f8 -Pipe 104 -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: .NET Runtime Optimization Service
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
PID: 336
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" uninstall "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
Parent process: ShInstUtil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Common Language Runtime native compiler
Exit code: 4294967295
Version: 4.8.3761.0 built by: NET48REL1
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
PID: 1772
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "C:\Program Files\KeePass Password Safe 2\KeePass.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
Parent process: ShInstUtil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Common Language Runtime native compiler
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
PID: 1864
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 0 -NGENProcess f8 -Pipe 16c -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: .NET Runtime Optimization Service
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
PID: 2032
CMD: "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" net_check
Path: C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
Parent process: KeePass-2.57-Setup.tmp
User: admin
Company: Dominik Reichl
Integrity Level: HIGH
Description: ShInstUtil - KeePass Helper Utility
Exit code: 0
Version: 2.57.0.0
Modules (Images):
c:\program files\keepass password safe 2\shinstutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2044
CMD: "C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe" preload_register
Path: C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
Parent process: KeePass-2.57-Setup.tmp
User: admin
Company: Dominik Reichl
Integrity Level: HIGH
Description: ShInstUtil - KeePass Helper Utility
Exit code: 0
Version: 2.57.0.0
Modules (Images):
c:\program files\keepass password safe 2\shinstutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2104
CMD: "C:\Users\admin\AppData\Local\Temp\KeePass-2.57-Setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\KeePass-2.57-Setup.exe
Parent process: KeePass-2.57-Setup.tmp
User: admin
Company: Dominik Reichl
Integrity Level: HIGH
Description: KeePass Password Safe 2.57 Setup
Version: 2.57.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\keepass-2.57-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 2108
CMD: "C:\Users\admin\AppData\Local\Temp\is-G80HJ.tmp\KeePass-2.57-Setup.tmp" /SL5="$2013A,3483957,781312,C:\Users\admin\AppData\Local\Temp\KeePass-2.57-Setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-G80HJ.tmp\KeePass-2.57-Setup.tmp
Parent process: KeePass-2.57-Setup.exe
User: admin
Company: Dominik Reichl
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-g80hj.tmp\keepass-2.57-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\KeePass-2.57-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\KeePass-2.57-Setup.exe
Parent process: explorer.exe
User: admin
Company: Dominik Reichl
Integrity Level: MEDIUM
Description: KeePass Password Safe 2.57 Setup
Version: 2.57.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\keepass-2.57-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events: 19 434
Read events: 19 368
Write events: 64
Delete events: 2

Modification events

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 3C0800002E20E6539DBCDA01

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 0764DBF92C81E710D0BF2ED275CFF71693C32F264E121EC736A86699DA15C085

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\KeePass Password Safe 2\KeePass.exe

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 37E3B9C42F85ED66552E8D3ED9A655E3B902A68CD09D2F5AFBAA0120F0A89FA1

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kdbxfile
Operation: write
Name: AlwaysShowExt
Value:

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeePassPasswordSafe2_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.2

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeePassPasswordSafe2_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\KeePass Password Safe 2

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeePassPasswordSafe2_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\KeePass Password Safe 2\

(PID) Process: (2108) KeePass-2.57-Setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeePassPasswordSafe2_is1
Operation: write
Name: Inno Setup: Icon Group
Value: KeePass Password Safe 2
Executable files: 15
Suspicious files: 5
Text files: 17
Unknown types: 1

Dropped files

PID | Process | Filename | Type

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\unins000.exe | Type: executable
MD5: 784AAB45671C930F05E5BFFB4047D8E2
SHA256: 13DCBB76DF576B6E126A9EDC1A2243F209EA994FD2EF0FC29420B14CC03B3154

PID: 3976 | Process: KeePass-2.57-Setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-5BS39.tmp\KeePass-2.57-Setup.tmp | Type: executable
MD5: 515A9F60AE3E548BBA65C2D6ABA98F75
SHA256: 88FA32CE3C8C9FA0781E812DEE4F6ECA307C5C4A50D6A1AAFCBCBCE94F0C91C1

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\KeePass.exe.config | Type: xml
MD5: 82704DA595E970CA358D973FCD8D7858
SHA256: 3D918E9FF91D0324F284A4EDC536066A924CE07B145B6AE5069963B4DF25F4D3

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\KeePass.XmlSerializers.dll | Type: executable
MD5: B5C96E2DBC09F0187F504067EEC23E1D
SHA256: 133C5CEF4C3BD5DB09E5535ED9FAEAEC9E371677609762CDC674353E724FE1ED

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\KeePass.config.xml | Type: xml
MD5: AC0F1E104F82D295C27646BFFF39FECC
SHA256: C4A3626BBCDFE4B17759E75582AD5F89BEAA28EFC857431F373E104FBE7B8440

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\is-SRM94.tmp | Type: xml
MD5: AC0F1E104F82D295C27646BFFF39FECC
SHA256: C4A3626BBCDFE4B17759E75582AD5F89BEAA28EFC857431F373E104FBE7B8440

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\is-FSJFL.tmp | Type: executable
MD5: B5C96E2DBC09F0187F504067EEC23E1D
SHA256: 133C5CEF4C3BD5DB09E5535ED9FAEAEC9E371677609762CDC674353E724FE1ED

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\is-6BFUP.tmp | Type: text
MD5: 5AF8E0FC895189C0C6F89D80D639EFD7
SHA256: B3D47DF09908E56B4BAFBF7C2D44FA2AC032912803B10054C17CECF668A1FDF1

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\KeePass.chm | Type: binary
MD5: 39AF0D86B85C2E2EE886A8322E7030AE
SHA256: 074A6E78D5D1F813A2B66B1B062FA9AE77EFCCCF871B2694E127A61512974D18

PID: 2108 | Process: KeePass-2.57-Setup.tmp | Filename: C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe | Type: executable
MD5: 0C1A351DA6559EF4D451E72A8CA4D27A
SHA256: 9C61A071BBB3355C40FB9DC439BAD7EB1FF8DC423507FC47E2E36620D7582715
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

IP: 224.0.0.252:5355 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info