8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170

Analysis

max time kernel
133s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 22:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
Size

783KB
MD5

a041f05a12fdffbd7b803e4c3df76500
SHA1

b6b07f6ae0ef625fd29121dbe1c3601a34150a27
SHA256

8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170
SHA512

6c8e477d757cf4eddb8629ac1065325f1bdf2d45b3b95ed84dc52d2bc339bf3f3c8628c9d57dd29beeaa6f024cc129ae956b70080833f1d2ce89cde722bd6186
SSDEEP

12288:C761wOyrC4dtJHekiIPlHB1GzVoFB6UCBmdquf0qyoOCJUp+1EwOjo4snLM9TxBu:C7M1iJHJT1DGh9idqu8HoHUp+JUsLau

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	DropboxUpdate.exe

Executes dropped EXE 6 IoCs

pid	Process
432	DropboxUpdate.exe
1796	DropboxUpdate.exe
4116	DropboxUpdate.exe
1060	DropboxUpdate.exe
1380	DropboxUpdate.exe
4844	DropboxUpdate.exe

Loads dropped DLL 12 IoCs

pid	Process
432	DropboxUpdate.exe
1796	DropboxUpdate.exe
4116	DropboxUpdate.exe
4116	DropboxUpdate.exe
4116	DropboxUpdate.exe
4116	DropboxUpdate.exe
432	DropboxUpdate.exe
1060	DropboxUpdate.exe
1380	DropboxUpdate.exe
4844	DropboxUpdate.exe
4844	DropboxUpdate.exe
1380	DropboxUpdate.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1412	msiexec.exe
6	1412	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DropboxUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_th.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdateHelper.msi	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_es-419.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_no.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ms.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ja.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ms.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxCleanup.exe	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_id.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_it.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_pt-BR.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_da.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ja.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\psuser.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_es.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\@PaxHeader	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\npDropboxUpdate3.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_es.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ko.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdateOnDemand.exe	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_en.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_sv.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxCleanup.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdateBroker.exe	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_pl.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\psmachine.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUT97DC.tmp	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\@PaxHeader	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_fr.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_uk.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdate.exe	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_de.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psmachine.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxCrashHandler.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxCrashHandler.exe	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdate.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_zh-TW.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_nl.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ru.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_zh-CN.dll	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA596.tmp	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Installer\e57a18f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099218A5-A723-43DC-8DB5-6173656A1E94}	msiexec.exe
File created	C:\Windows\Installer\e57a193.msi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File opened for modification	C:\Windows\Installer\e57a18f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1060	DropboxUpdate.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DropboxUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\Version = "16974735"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\CLSID\ = "{3A337332-37E4-4063-B4F3-6416846C8A33}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\ = "IApp"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\CLSID\ = "{49423331-2B41-4EDE-838E-F8C8F3F6BF62}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0\ = "DropboxUpdate CredentialDialog"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}\LocalService = "dbupdate"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC422F86-7267-4AF2-8F4F-A20C060621DE}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Dropbox Update Legacy On Demand"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CLSID\ = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\ = "IGoogleUpdate3WebSecurity"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\DropboxUpdateBroker.exe\""	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher.1.0\ = "Dropbox Update Process Launcher Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\ProxyStubClsid32\ = "{FE504B1C-2666-4039-831D-655FAA0FB97B}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ProgID\ = "DropboxUpdate.CoCreateAsync.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\VersionIndependentProgID\ = "DropboxUpdate.ProcessLauncher"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05378308-2559-4C71-B758-7DACD5A359BA}\NumMethods\ = "6"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\NumMethods\ = "24"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\ = "IGoogleUpdate3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\CLSID\ = "{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\ = "IRegistrationUpdateHook"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}\NumMethods\ = "4"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\NumMethods\ = "4"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}\ = "IAppVersionWeb"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\NumMethods\ = "14"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\Elevation	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\NumMethods\ = "42"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CLSID\ = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\ = "IOneClickProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ProxyStubClsid32\ = "{FE504B1C-2666-4039-831D-655FAA0FB97B}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}\NumMethods\ = "10"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0\CLSID\ = "{A496C5D9-84FE-4E84-9D20-7481589E1C23}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\VersionIndependentProgID\ = "DropboxUpdate.CoCreateAsync"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\ = "ServiceModule"	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
432	DropboxUpdate.exe
432	DropboxUpdate.exe
1412	msiexec.exe
1412	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	DropboxUpdate.exe
Token: SeShutdownPrivilege	432	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	432	DropboxUpdate.exe
Token: SeSecurityPrivilege	1412	msiexec.exe
Token: SeCreateTokenPrivilege	432	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	432	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	432	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	432	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	432	DropboxUpdate.exe
Token: SeTcbPrivilege	432	DropboxUpdate.exe
Token: SeSecurityPrivilege	432	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	432	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	432	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	432	DropboxUpdate.exe
Token: SeSystemtimePrivilege	432	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	432	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	432	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	432	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	432	DropboxUpdate.exe
Token: SeBackupPrivilege	432	DropboxUpdate.exe
Token: SeRestorePrivilege	432	DropboxUpdate.exe
Token: SeShutdownPrivilege	432	DropboxUpdate.exe
Token: SeDebugPrivilege	432	DropboxUpdate.exe
Token: SeAuditPrivilege	432	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	432	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	432	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	432	DropboxUpdate.exe
Token: SeUndockPrivilege	432	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	432	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	432	DropboxUpdate.exe
Token: SeManageVolumePrivilege	432	DropboxUpdate.exe
Token: SeImpersonatePrivilege	432	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	432	DropboxUpdate.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe
Token: SeTakeOwnershipPrivilege	1412	msiexec.exe
Token: SeRestorePrivilege	1412	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 432	5004	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe	85
PID 5004 wrote to memory of 432	5004	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe	85
PID 5004 wrote to memory of 432	5004	8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe	85
PID 432 wrote to memory of 1796	432	DropboxUpdate.exe	88
PID 432 wrote to memory of 1796	432	DropboxUpdate.exe	88
PID 432 wrote to memory of 1796	432	DropboxUpdate.exe	88
PID 432 wrote to memory of 4116	432	DropboxUpdate.exe	91
PID 432 wrote to memory of 4116	432	DropboxUpdate.exe	91
PID 432 wrote to memory of 4116	432	DropboxUpdate.exe	91
PID 432 wrote to memory of 1060	432	DropboxUpdate.exe	92
PID 432 wrote to memory of 1060	432	DropboxUpdate.exe	92
PID 432 wrote to memory of 1060	432	DropboxUpdate.exe	92
PID 432 wrote to memory of 1380	432	DropboxUpdate.exe	93
PID 432 wrote to memory of 1380	432	DropboxUpdate.exe	93
PID 432 wrote to memory of 1380	432	DropboxUpdate.exe	93

C:\Users\Admin\AppData\Local\Temp\8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe
"C:\Users\Admin\AppData\Local\Temp\8ac23dd0b20406004f6756889c62383c9dacd2f53ec2339a0af2a7671ef1a170.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjplZGdlOjplSndOeThFS3dqQU1BTkJmR1QzTFNMSTBhYjJKakRGa2d2Z0JvN0JSTzJVOWRJSW9fcnUtLV91WThOeHU0NWJ2ODJyMmxRa2hIVjd0Tlo2MXo4UENsX3gydUp5R1kzeDByb3Y5VktPU1ZRWW5aSGFWS1hNcEthOWptdjZab0NGQnNRenNXUVhCS2FHZ1pkLUlFSGtpQ3c3cC13TUljUl9tQE1FVEEifQ"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1796
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4116
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGxaR2RsT2pwbFNuZE9lVGhGUzNkcVFVMUJUa0ptUjFRelRGTk1TVEJoWWpKS2FrUkdhMmQyWjBKdk4wSlNUekpWT1dSSlNXOWZjblV0TFY5MVdUaE9lSFUwTldKMk9ESnlNbXhSYTJoSVZqZDBUbG8yTVhvNFVFTnNYM2d5ZFVwNVIxa3plREJ5YjNZNVZrdFBVMVpSV1c1YVNHRldTMWhOY0V0aE9XcHRkalphYjBOR1FuTlJlbk5YVVZoQ1MyRkhaMXBrTFVsRlNHdHBRM2MzY0MxM1RVbGpVbDl0UUUxRlZFRWlmUSIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjkxMS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0ie0EzOUNGQzcyLTAwMjctNDA2Mi05ODI1LUFDNDhBODkxREEyNn0iIHVzZXJpZD0iezQ4MThGNjg4LUI2NkMtNEEyRC1BRUQ1LTgzRjVCNUM2MjUwQ30iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntBQUIzRTRENi00QkQ2LTQwQTktOThCQy1ENDNGQTdBOTczQ0Z9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RDg5NjhGRjItRTBCMS00QTEzLUEzRTItQzlGMjk5NUYzQkM2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjkxMS4xIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1060
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjplZGdlOjplSndOeThFS3dqQU1BTkJmR1QzTFNMSTBhYjJKakRGa2d2Z0JvN0JSTzJVOWRJSW9fcnUtLV91WThOeHU0NWJ2ODJyMmxRa2hIVjd0Tlo2MXo4UENsX3gydUp5R1kzeDByb3Y5VktPU1ZRWW5aSGFWS1hNcEthOWptdjZab0NGQnNRenNXUVhCS2FHZ1pkLUlFSGtpQ3c3cC13TUljUl9tQE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{A39CFC72-0027-4062-9825-AC48A891DA26}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a192.rbs

Filesize
7KB

MD5
436f3b53e63624f5c0d3d69d4cb4d650

SHA1
0568e8ea65e74287deecffef70b7c1dc8428e0ac

SHA256
3526c448ee2db4e09aa1d056f6362fba7fc3ad1185314f640a3ff7cb74c7e16e

SHA512
8479bbd49e25ec2639fa0cd51b89c619c92cd3358c27861c155ebedc8126465ad4fa86260826123da11c98a85d1d0a0d2907afe66ea94d3fa067b7894d74c3d8

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxCleanup.exe

Filesize
323KB

MD5
a00bde016bdb87f3a975fc5e92dcee17

SHA1
664cbe91e0628cb3780b1666d568c2d1ab77d294

SHA256
5b2bcbf5bdebbba87cf3adc3830351861b7152ab5b9923560836ab865f10504a

SHA512
331e80a6e40e6a47cac247e1d64d612eaeb4980a91034449b4736bc13f82d5cc4db61875b05abe3eb9639b8bd2f52043051d7cb9545d11831fb8be88834de556

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxCrashHandler.exe

Filesize
130KB

MD5
3b607e9ae169797c5112736dd445db25

SHA1
076e59938996baf436888e2ecb536353071e0adf

SHA256
e7141aeb22ea3165a4f7fb8c4d210151575f1b95ef545e0978a2174598a08265

SHA512
1a80b6ed790d3325c365de14d7bdd4d98473c2cfd8a4eb5d97f99d9383946e6c9e892820e54182b06359f495cc42f261e455e3097413c605f0f208d7b6e3c2cd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdate.exe

Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdateBroker.exe

Filesize
76KB

MD5
0cd7fddf34527ffbc563277cea3f575b

SHA1
cb83cd412163c3e89789e2cf3054a4110b72b998

SHA256
f4d066ce16ca47b19f5acec41155906ba08e0a6a565108ea77ae6c8f1136a55c

SHA512
fb50ddccd59a5bd9989f0eb5e44fcaa074e023328587d90d3dee740888b7b67b9f84270a55acaa4a6a523987c5edaab99ed39dedc7b1ca9c88aed87ffc9e600a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdateHelper.msi

Filesize
44KB

MD5
9ab89a05f39ef9f354de6d4074bf105b

SHA1
19cb4715f2f24b70a41a7cd33193a48f79a2fe93

SHA256
df7c8bcdbcf6247c25abdc09d332858b01450225a4ebb29ac6df4f713691b399

SHA512
ff5c51a2d11fac17d829d63fe7b43edf9fbd5acabdbc668d4eec495ef6edc5079cd9fd8b4d39902f4881920f61494966f8464009db4542a13c284da1cd6c8341

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\DropboxUpdateOnDemand.exe

Filesize
76KB

MD5
2ecab51764bc64fa9472eea19cba6ed0

SHA1
3412685e6d900c028e2818e99fe6ed1566a54830

SHA256
22729f1b9b966c1adfa268a806856b22e1769a5ff6e56475b0d286b9bf507314

SHA512
bf5914f482265dcaab858b457dc032893c49073f081a858b51e7575212d11fe4603e90da538a521a6b4817115d7b71783b985de083476a78e4649fcf94410744

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdate.dll

Filesize
1.1MB

MD5
eefc49f19dc8e732750b382e13cee819

SHA1
315a225ac014b3f8e8ed77c8fd5f7f7f75e8352a

SHA256
b0a29239fe624adb271a557409727eea317702f65f34f1ed84c55de6bc77cb25

SHA512
e8c5a7c30552b6688ba716d3f565abda7334f3ec2026ea8482eacf3d7b9396bf13fe76263a911002fc752d492f98303fd8dd3d8b478fe1fd5219e2e1835d1f00

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_da.dll

Filesize
33KB

MD5
126ce0740c8eae19471301f903c27108

SHA1
9a6e94d91f3e0c72df906b5f386a90c061aeebf7

SHA256
a315a0732a38934cddeddc8b403104dc10bd97f66d70ae1a60ef72fd4230beee

SHA512
1512d98f7d721c66c50a9dd799749366c64d9856e8bec788dde46eaf91c3459bbea08fe67cd6aeb851001d6b047e0db82002cb69e56e16a2fff551575fcf332b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_de.dll

Filesize
36KB

MD5
e0991c448cd818500f6c8f7509a84a40

SHA1
8f02d704805158e19c4b135bd3a9d5bd86e405e1

SHA256
c5212e357b3cba3564f357df0133735d9b5d482dc3e3ab70810bd72a62f3ca4d

SHA512
39ac38bc3679b54d500019d9014b4c78636f0fd23afa89605517939b164bed4efe7e38af1ab74cea5a9fcbbaa2548780c1037d570553c1d33c0d9b99cdfb4380

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_en.dll

Filesize
32KB

MD5
094b3376219215b2fea6acc3a9103b25

SHA1
20879bf11c9ab154616068adf70832a3c3e0d26f

SHA256
a4f9ef601bdf067426c30827957a2097653eea3f326b0ac6f679db4947202922

SHA512
88a25a91e1077ad2046c361b19ef33a6b66ba9f856999e7d0f41b0e4593d7d6d1a052254f8082623b1b098f0424f19b9b4f21fb989ae60bac855e221c3c1b09e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_es-419.dll

Filesize
34KB

MD5
6f21fdbec64a196fd9bb392e88428775

SHA1
baa928d714957c11613e36746a3cad6f71175021

SHA256
d8decf8a92badf2c9d512dfb16d4af9d6ae45b7eea80890cbf69c79ca3070935

SHA512
a930a346a5006ae20c53ba03c2763e9363a901ce9631edb26caec3697c9c6374bb664228eb5b1493c03379ea52ec50775658ca185c8717c984d768873ba1c34b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_es.dll

Filesize
34KB

MD5
9cb5bb68af81808db323c3a30533e451

SHA1
e0bd3c40d54a2b8b9283c27d2d455a5afd9ec600

SHA256
c6d0b0916e358b0bd6ed02f3d9cecd7ef5a57fa273ecc164b556f2dd9b879ba1

SHA512
7f82bc54d72de4d2e74da3cde82aa538c16cac7641265599bd4680f6bf7c675e7883282984234eed2ab9b84b0a44164197d1c77fc37f94a2344a48b79aee3c99

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_fr.dll

Filesize
35KB

MD5
54dd28b2eddeec387c2de9b216532153

SHA1
0a163e432d3cc744c4755cf1b2b7bc7bed5de3ab

SHA256
a8034afac342ec89b918da3c466d396401da8cb97e8d7730d1fd7a7ecff125d9

SHA512
af5e976f13bcb3a2ba38b46f4c2df8b04a2b74359d21b299d13d0ea359a3e8791ca815470893aafd79ccb46583c96f046ff27e93c9780819fbc52716e7671ec9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_id.dll

Filesize
32KB

MD5
192d4311141487c6e5b8e9e53245907a

SHA1
27294bbe84a29f2e5a7e05590a1c13a2bf22b153

SHA256
a151bf2ffca80ecbb38a8cfa3db30002dcb42749e4ff3c768ee3aae2cb9ecedd

SHA512
77a45d7842270d39abbc30bf3301840450fde871a88e29522c6f159bd0e4645aea02c89e7058c8325a922e0a8f5c531403b23254de7caa5324291ecb140a0c6e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_it.dll

Filesize
34KB

MD5
7aa209b91e208c4157a947975f312416

SHA1
ceec1c84d319170ab5eb9d670aa20b6673b80dad

SHA256
4c6fdca461a0caf39110dddfad734f0e1ad3656d8a11b8b1279dbe05594818b8

SHA512
c78afaca62a6e928273be6ed2cac8ebee760eb668f86864821da6ee492546413a2fd29bb0a4980ac6c2f81dffd65689ce5019f7992dc499fd9a750895b6e8ffc

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ja.dll

Filesize
28KB

MD5
b96eb4559e725359525e82e283ec4779

SHA1
136481b3d4b9feda5a7126af6f15e98cba22e350

SHA256
5d45d00e17e5a0a9d322299bfedb9aaeb17469120f1b9c374f0d3badcd8e0598

SHA512
ae820ea2341065390c5a37d462ebc8f96ef74e5241d4592cc53b94bf20341960200316530a7e77fbe2e0bd7d48f1e102d34be7b2dd248e77f2e9b2879b4be96e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ko.dll

Filesize
28KB

MD5
2d116334e9d12666417575547433fc70

SHA1
3f824d9b27edfd3086cc1fbd6bf4d04e1a33b132

SHA256
98868e4ed9918de9ab3e2388595235c10defee540999203dd712ad15c8304c99

SHA512
0a4ef8e79243b265cef3dfe0262c48e2739495a032bcd91fa0264a90a1ecf62d2e1d60cb13f4ebf1b3c150c0bc35ac07beab93a6a256978b68f41e7d27f5944a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ms.dll

Filesize
32KB

MD5
a390231d487ab42345b0c0250ed767b8

SHA1
33bff729a689e7ce1e631b20d53e29d2cf5c3014

SHA256
d3a0a2a7a7cd083645242c224607f3cb66a933c8f433d72771b3693ee88f3c56

SHA512
4987ff6abf27a9789a0bc08fc39fb1f48efc52bf7efc907e35720b3eb3d1937ae0db233b0c7f1a3c0e6c037b60aa0f74d38126c6c0e2a3d8a8cc792950a895a4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_nl.dll

Filesize
35KB

MD5
eb5c039ed11bbd25008c9ea40534e3cf

SHA1
609683ef8699c6232feb39ace66a28afcdbe8ab2

SHA256
a33e1ca83c2b43014527c687388fada28fe2d940b9e8622c81c635fa093135c1

SHA512
89311f2333ec99fdd44ae04c3610bb5655e877583164d35bd7ef09d396396512f94ad90f7ac7ffb0edb1ce801f269c7c8d271124dadcec9a681ff160f27e4ca6

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_no.dll

Filesize
33KB

MD5
144294e8d5a1feb77b717ecbf7d5e86a

SHA1
f42d6826645f1202243c8f410a42ca2e75ed69c8

SHA256
ea0bee6774f927317c05a0ac7eb036c1bef672249dc8fee390449eb26b40997d

SHA512
6477e500135adc425105c804b517fb527257b2648ec0497c10519f3388aa2394520983bf7de593386ae2c1893d37e0ff9040e6fa0eb0ad3f3845a82eea8d3b93

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_pl.dll

Filesize
34KB

MD5
49e4bb26edf1551a6a75d8f99e7e7c60

SHA1
b3b20d24505b66918b31647701419993ebb67639

SHA256
6b97ece1f16a2f1d99392f0880b99262537b0f7d59897d9a974150a25ec4f335

SHA512
aca6106b463c4218a8de3b78a59c14a28d873b5851d570beab4abec1f9db0a42d1194ace06ea42a4f37a60cf141288d3340e206ed089e0649386c6a9ce229c42

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_pt-BR.dll

Filesize
33KB

MD5
6867ab5d7515e5e2b04ecc9c8c511d68

SHA1
53d829f2a3c868976a691f1bea92a5c5d4657086

SHA256
908f345025c31d766b3189fbcf8457047603b69e2b9e91146d30c0962ce4d801

SHA512
55071ed358a5d64efa6d4797f53ab8b20a3b41e3127e6509a0c6dd6e09a5363bef4c66bd6685a5f89ac4bb6e38c5582264ae97f84c4ec164d30f9bfbed89541a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_ru.dll

Filesize
34KB

MD5
431768cfa5ed3774107aec0cddf23abd

SHA1
eda72761c54fc3e2d426d715b9181609807be468

SHA256
f3d3c07ce75e2be074a28d0201faeac7e858a67b274bc112d414dddf02078c6e

SHA512
f3c7da9d5e661b1efdcf10d99d3e28b30d21fa6a15fd00bb0a75e3fb2fd28d468237534005cda27edae3b488708df7b0fc31c81f92c9ce9b2636c8945cd632ac

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_sv.dll

Filesize
33KB

MD5
f5279d96c1aa2a1feffc82a329864085

SHA1
595bb28ec374961c0c87c85a0a037000d0160d5c

SHA256
5db6737fae50622909f09fc276cc2d47a1e67a5670fe39352bbd1768dc443ae2

SHA512
843eba27c78e52900d78c5624983d941a85b1618785d6125ed5d645f1344f82ea64bd3d4899144f19f06a5bfe86a8321d593e23813df024af91b835c55bead5e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_th.dll

Filesize
32KB

MD5
f12bf39090960bf9dd933a3fbb21cb69

SHA1
f165202357d25c6f5def8911fa43c7f140a15ed3

SHA256
c34d0bdfe4af1b31543327659d5579899c1c63429d7c725a34294c47d97102d0

SHA512
572b24b4489768f09d64f4db172a0a28bb92d2c45051ec5817ab8cfe3879cb33c5ba26b62229a3ccb3459e3806167feabeedc1307277150357b13a5fb2fb077c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_uk.dll

Filesize
33KB

MD5
488bf1cf2b04d2dd682e1ef0f23f5f3a

SHA1
6fa6b21a4a42855a01c8af26c9ca945494ec039b

SHA256
45f844c94c19257a09573568f96cc1a4aa368d2cc9e9280a6ad267de4c564aa4

SHA512
205a24425da59854e2ccb101813d8522b1032d1d1f6bb61188b47fbd2da1608fc0573eadfdf1dbe6766ed56d860f5777af0ad4665fe86533abaa5cb532a75a4a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_zh-CN.dll

Filesize
26KB

MD5
14d2c6eb631ec1557263d249b1e2e2fb

SHA1
51e3889627cf72398f603f188f0be91ee9925899

SHA256
9b4e3e8bf366562f9b019611ef542e02c45e4fb5659e672a77545e1392083db0

SHA512
82ae111a8cc04dcb45fa10657ff5b5d13192527e42f8b7af58a3769feed713a8f43530cda2daba54d839bf5b14d6817382f585f54dd70521f07039bc252451b8

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\goopdateres_zh-TW.dll

Filesize
26KB

MD5
fb5996aa43ca35aa2785b78dfba27b2d

SHA1
2cef3511e920552d86d055bafe822c7249ab8ec8

SHA256
f185c7b48767aa5757f87ba76a96c9aca200e44e98dfffa7a23a2deb04a315cf

SHA512
53afd7236364e33a90da001993e32aa6f1a95b8ba73eed0cb5dd499acf22406e25937038262cf6697c5e970435e0b5ad11eb7d8b53a6fb6501a3e23fd742438c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\npDropboxUpdate3.dll

Filesize
274KB

MD5
bed3f629455188556d54e8868cc3705b

SHA1
4ed92e45fc62b6427fecd5d94f2ac1a53d072ac8

SHA256
aaf37e7be50fb5ea738ccdd615c7985b9efdaea43290094c6696ae0f6348051f

SHA512
123a68c0ca8e315d7bb2193ade5f2a57a1bac36ba8d7b8cc542ecc629065067dbfae30683ed1c85cf652b372ce569ea4d3f30692b78bfcd9f030f9d0c449b9fd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\psmachine.dll

Filesize
212KB

MD5
57250ac3da5cfe80eac551f4231a73f5

SHA1
e075cbfb7590e4702d9a9e4abb693c0b2e8a89ff

SHA256
40b05834d9f30e8f07ee22c1d115a0a95d8d95489b4078aa0b640dee7c6a111c

SHA512
8ea8d7a64cc881a2c73bbb6ed3b60574cf582c4b28570b253b4ca50060cfeff0e8df37cb37837e8a0e52e76cdb6f51e572b8be178704fb3093f07f4bdbbdcb94

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM97DB.tmp\psuser.dll

Filesize
212KB

MD5
0fa0151b62cf23391917784b5adf0e1f

SHA1
89dfe00691d97cd9b2904519c6292ab6b36bfb82

SHA256
bc519e9f04c84a2287e8f274743a23a425995156e9c882c09695f13d4095e196

SHA512
1adc6b20ab17bf462a00b86fbdcadc576c37d3a5752ef0940a33843cb9a1d74081d543e3e2ea28aa3b160b638b07864b943d856933bb29c31bea7067e0975daf

Download Submit
C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job

Filesize
924B

MD5
88103e8c611a8f3290f2cedf224dbeb4

SHA1
2fbab44a7ce59c6d39fad2f84776f7ecff220fc9

SHA256
ca5d42890c036db87cbda2cb4e238a58ac970612f47f67aa84058391861577d1

SHA512
23e2cb3e5ab2daf889355ddfba57ea18cefb3905d0d69fc92235c5aa4b8f546a2d5ac52e2d3b915b2bab29a0c6544b117baa27474bba68537e326e8d612f8b67

Download Submit
memory/432-67-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download