3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8

Analysis

max time kernel
127s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 17:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
Size

783KB
MD5

dfe97db425caa43e73f3bff1096cb564
SHA1

2012c51ca11a50b15e994c859e891c09faf27a32
SHA256

3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8
SHA512

02f24ebc77b97b997f5576b22ab149b6c17a723b2ff0dbf261c1780695ad9de7cc05526f0c1035a4f919c65cbe568b810a2dc9b53382d8e6d2d308b88fd0401c
SSDEEP

12288:C761wOyrC4dtJHekiIPlHB1GzVoFB6UCBmdquf0qyoOCJUp+1EwOjo4snLM9TxBu:C7M1iJHJT1DGh9idqu8HoHUp+JUsLau

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DropboxUpdate.exe

Executes dropped EXE 6 IoCs

pid	Process
1172	DropboxUpdate.exe
2356	DropboxUpdate.exe
4688	DropboxUpdate.exe
2392	DropboxUpdate.exe
928	DropboxUpdate.exe
2932	DropboxUpdate.exe

Loads dropped DLL 12 IoCs

pid	Process
1172	DropboxUpdate.exe
2356	DropboxUpdate.exe
4688	DropboxUpdate.exe
4688	DropboxUpdate.exe
4688	DropboxUpdate.exe
4688	DropboxUpdate.exe
1172	DropboxUpdate.exe
2392	DropboxUpdate.exe
928	DropboxUpdate.exe
2932	DropboxUpdate.exe
2932	DropboxUpdate.exe
928	DropboxUpdate.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	5112	msiexec.exe
7	5112	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ko.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_it.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_th.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_id.dll	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUT958A.tmp	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_zh-TW.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_nl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\@PaxHeader	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdate.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_nl.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_pl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxCleanup.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_uk.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\@PaxHeader	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdateBroker.exe	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\psmachine.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\psuser.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_es-419.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_no.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_de.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ru.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxCleanup.exe	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\npDropboxUpdate3.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdateOnDemand.exe	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_da.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_fr.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_en.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ms.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_sv.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_es.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_id.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_sv.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_zh-CN.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_es.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdate.exe	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxCrashHandler.exe	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ja.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ja.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_pl.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psmachine.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdateHelper.msi	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_pt-BR.dll	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdate.exe	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdate.exe	DropboxUpdate.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9ED0.tmp	msiexec.exe
File created	C:\Windows\Installer\e579c25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579c21.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099218A5-A723-43DC-8DB5-6173656A1E94}	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\e579c21.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2392	DropboxUpdate.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0\ = "DropboxUpdate CredentialDialog"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalizedString = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\goopdate.dll,-3000"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE504B1C-2666-4039-831D-655FAA0FB97B}\InProcServer32\ThreadingModel = "Both"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\AppID = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FC341DB-67D8-4D7B-A8EB-432E55CD0D13}\InprocHandler32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\CurVer\ = "DropboxUpdate.OnDemandCOMClassMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\DropboxUpdateBroker.exe\""	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\ProgID\ = "DropboxUpdate.CoreMachineClass.1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0\CLSID\ = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine\ = "Dropbox.OneClickProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\NumMethods\ = "24"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\DropboxUpdateBroker.exe\""	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\VersionIndependentProgID\ = "DropboxUpdate.Update3WebMachineFallback"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0\CLSID\ = "{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}\NumMethods\ = "4"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\LocalizedString = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\goopdate.dll,-3000"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation\Enabled = "1"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine\CurVer\ = "Dropbox.OneClickProcessLauncherMachine.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CurVer\ = "DropboxUpdate.Update3COMClassService.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\PackageCode = "AAD5A1E37177D6F48B98728BE09D687D"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\ = "IAppBundle"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}\ProxyStubClsid32\ = "{FE504B1C-2666-4039-831D-655FAA0FB97B}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\ProxyStubClsid32\ = "{FE504B1C-2666-4039-831D-655FAA0FB97B}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\CLSID\ = "{A496C5D9-84FE-4E84-9D20-7481589E1C23}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0\CLSID\ = "{A496C5D9-84FE-4E84-9D20-7481589E1C23}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\CLSID\ = "{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass.1\CLSID\ = "{3A337332-37E4-4063-B4F3-6416846C8A33}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\ProxyStubClsid32	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1172	DropboxUpdate.exe
1172	DropboxUpdate.exe
5112	msiexec.exe
5112	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	DropboxUpdate.exe
Token: SeShutdownPrivilege	1172	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1172	DropboxUpdate.exe
Token: SeSecurityPrivilege	5112	msiexec.exe
Token: SeCreateTokenPrivilege	1172	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	1172	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	1172	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1172	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	1172	DropboxUpdate.exe
Token: SeTcbPrivilege	1172	DropboxUpdate.exe
Token: SeSecurityPrivilege	1172	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	1172	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	1172	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	1172	DropboxUpdate.exe
Token: SeSystemtimePrivilege	1172	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	1172	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	1172	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	1172	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	1172	DropboxUpdate.exe
Token: SeBackupPrivilege	1172	DropboxUpdate.exe
Token: SeRestorePrivilege	1172	DropboxUpdate.exe
Token: SeShutdownPrivilege	1172	DropboxUpdate.exe
Token: SeDebugPrivilege	1172	DropboxUpdate.exe
Token: SeAuditPrivilege	1172	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	1172	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	1172	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	1172	DropboxUpdate.exe
Token: SeUndockPrivilege	1172	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	1172	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	1172	DropboxUpdate.exe
Token: SeManageVolumePrivilege	1172	DropboxUpdate.exe
Token: SeImpersonatePrivilege	1172	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	1172	DropboxUpdate.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1172	1812	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe	84
PID 1812 wrote to memory of 1172	1812	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe	84
PID 1812 wrote to memory of 1172	1812	3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe	84
PID 1172 wrote to memory of 2356	1172	DropboxUpdate.exe	87
PID 1172 wrote to memory of 2356	1172	DropboxUpdate.exe	87
PID 1172 wrote to memory of 2356	1172	DropboxUpdate.exe	87
PID 1172 wrote to memory of 4688	1172	DropboxUpdate.exe	90
PID 1172 wrote to memory of 4688	1172	DropboxUpdate.exe	90
PID 1172 wrote to memory of 4688	1172	DropboxUpdate.exe	90
PID 1172 wrote to memory of 2392	1172	DropboxUpdate.exe	91
PID 1172 wrote to memory of 2392	1172	DropboxUpdate.exe	91
PID 1172 wrote to memory of 2392	1172	DropboxUpdate.exe	91
PID 1172 wrote to memory of 928	1172	DropboxUpdate.exe	92
PID 1172 wrote to memory of 928	1172	DropboxUpdate.exe	92
PID 1172 wrote to memory of 928	1172	DropboxUpdate.exe	92

C:\Users\Admin\AppData\Local\Temp\3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe
"C:\Users\Admin\AppData\Local\Temp\3a80092ea472b92439e0c6ded4af5af65d1eafc43462449ec4c6ca46281d83e8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpmaXJlZm94OjplSndOeThzS2drQVVBTkJma1ZtSHpIM00zTG50YXJSVmk0aWdwVmdLV3FESVRDQkVfNTdiQS1kcjJrOGVtanlfLThuc0MxTUZqbjVkRnJqVTZ5T2Y0N043SFhLRS1uWV9YZWxvMnhJRVhkQkFpR1pYbU5Tbk5NNVRNM1piQm1FaVliRVMwS09LT3JzUk8wYXZQcUE2SUlfdy13TzhMeDlDQE1FVEEifQ"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2356
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4688
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcG1hWEpsWm05NE9qcGxTbmRPZVRoelMyZHJRVlZCVGtKbWExWnRTSHBJTTAwelRHNTBZWEpTVm1rMGFXZHdWbWRMVjNGRVNWUkRRa1ZmTlRkaVFTMWtjakpyT0dWdGFubGZMVGh1YzBNeFRVWnFialZrUm5KcVZUWjVUMlkwTjA0M1NGaExSUzF1V1Y5WVpXeHZNbmhKUlZoa1FrRnBSMXBZYlU1VGJrNU5OVlJOTTFwaVFtMUZhVmxpUlZNd1MwOUxUM0p6VWs4d1lYWlFjVUUyU1VsZmR5MTNUemhNZURsRFFFMUZWRUVpZlEiIHByb3RvY29sPSIzLjAiIHZlcnNpb249IjEuMy45MTEuMSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9Ins3QzVERDBEQi01MjA1LTRBN0QtODE4RS1FQTdFNTY5ODk1QUN9IiB1c2VyaWQ9InsyN0M3RUVERC1DMjU2LTQzRDMtQjMzMC0yREI3OTk2QjY0RDR9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7NzFFMjFERjktQkYwOC00NDI5LUFCMzgtMUZBRUZCOTg0MDhCfSI-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0Q4OTY4RkYyLUUwQjEtNEExMy1BM0UyLUM5RjI5OTVGM0JDNn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy45MTEuMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2392
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpmaXJlZm94OjplSndOeThzS2drQVVBTkJma1ZtSHpIM00zTG50YXJSVmk0aWdwVmdLV3FESVRDQkVfNTdiQS1kcjJrOGVtanlfLThuc0MxTUZqbjVkRnJqVTZ5T2Y0N043SFhLRS1uWV9YZWxvMnhJRVhkQkFpR1pYbU5Tbk5NNVRNM1piQm1FaVliRVMwS09LT3JzUk8wYXZQcUE2SUlfdy13TzhMeDlDQE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{7C5DD0DB-5205-4A7D-818E-EA7E569895AC}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579c24.rbs

Filesize
7KB

MD5
32d44cf99484e6dcef52840fbe2ab16e

SHA1
7ec1f5810b70e0e5fd64c5e9ad2af08613d4e66e

SHA256
1a93f7daa710990fe9a3d2713527f2936cfa74b2187ea5745421f79acfd90133

SHA512
d1a8c3a66c090c55db59baee8fd6d81c73667980c4c5710d4e90c91a6a6c8815549c4db52f4d3e1c3d3f9771a49f52f1ea6d68db5070c730fb41eefc76f102f2

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\@PaxHeader

Filesize
28B

MD5
1f9e5e66bf7a1e1e22a9c0699433214b

SHA1
466ba97c2a0557e977307b6a3f7ab7cbd2b8d2e8

SHA256
6585f952fc255f686d7d48ee1ecd092d1d0b18ff09140f62e336541a178d83d4

SHA512
a8233a774bece2ff38a41c7245e2e717a32a049284e4facbb54f5e541747021cb8f2426ebc879d98c6f83d36f85dbd7b28fdf66db6069c7446664b8b57f2fb30

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\@PaxHeader

Filesize
28B

MD5
7af59b86473d246ce7f7124c46820014

SHA1
b520a1003d03e2f83a003db0d8a9229662d9d118

SHA256
6a72c38dff4d7acfcfe7edd72c56b3f85cc16e9249df967efac84db03052dd45

SHA512
b5f106d3aa9a202f973e0f62cd74feb55bd53a2fc2e5671a2311f7ea2d2bb862a3e15c3a7f3e6018fc3ec2edcf0380f0643d8dfa2bcd92d7ce8c3bef95f4199f

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxCleanup.exe

Filesize
323KB

MD5
a00bde016bdb87f3a975fc5e92dcee17

SHA1
664cbe91e0628cb3780b1666d568c2d1ab77d294

SHA256
5b2bcbf5bdebbba87cf3adc3830351861b7152ab5b9923560836ab865f10504a

SHA512
331e80a6e40e6a47cac247e1d64d612eaeb4980a91034449b4736bc13f82d5cc4db61875b05abe3eb9639b8bd2f52043051d7cb9545d11831fb8be88834de556

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdate.exe

Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdateBroker.exe

Filesize
76KB

MD5
0cd7fddf34527ffbc563277cea3f575b

SHA1
cb83cd412163c3e89789e2cf3054a4110b72b998

SHA256
f4d066ce16ca47b19f5acec41155906ba08e0a6a565108ea77ae6c8f1136a55c

SHA512
fb50ddccd59a5bd9989f0eb5e44fcaa074e023328587d90d3dee740888b7b67b9f84270a55acaa4a6a523987c5edaab99ed39dedc7b1ca9c88aed87ffc9e600a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\DropboxUpdateOnDemand.exe

Filesize
76KB

MD5
2ecab51764bc64fa9472eea19cba6ed0

SHA1
3412685e6d900c028e2818e99fe6ed1566a54830

SHA256
22729f1b9b966c1adfa268a806856b22e1769a5ff6e56475b0d286b9bf507314

SHA512
bf5914f482265dcaab858b457dc032893c49073f081a858b51e7575212d11fe4603e90da538a521a6b4817115d7b71783b985de083476a78e4649fcf94410744

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdate.dll

Filesize
1.1MB

MD5
eefc49f19dc8e732750b382e13cee819

SHA1
315a225ac014b3f8e8ed77c8fd5f7f7f75e8352a

SHA256
b0a29239fe624adb271a557409727eea317702f65f34f1ed84c55de6bc77cb25

SHA512
e8c5a7c30552b6688ba716d3f565abda7334f3ec2026ea8482eacf3d7b9396bf13fe76263a911002fc752d492f98303fd8dd3d8b478fe1fd5219e2e1835d1f00

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_da.dll

Filesize
33KB

MD5
126ce0740c8eae19471301f903c27108

SHA1
9a6e94d91f3e0c72df906b5f386a90c061aeebf7

SHA256
a315a0732a38934cddeddc8b403104dc10bd97f66d70ae1a60ef72fd4230beee

SHA512
1512d98f7d721c66c50a9dd799749366c64d9856e8bec788dde46eaf91c3459bbea08fe67cd6aeb851001d6b047e0db82002cb69e56e16a2fff551575fcf332b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_de.dll

Filesize
36KB

MD5
e0991c448cd818500f6c8f7509a84a40

SHA1
8f02d704805158e19c4b135bd3a9d5bd86e405e1

SHA256
c5212e357b3cba3564f357df0133735d9b5d482dc3e3ab70810bd72a62f3ca4d

SHA512
39ac38bc3679b54d500019d9014b4c78636f0fd23afa89605517939b164bed4efe7e38af1ab74cea5a9fcbbaa2548780c1037d570553c1d33c0d9b99cdfb4380

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_en.dll

Filesize
32KB

MD5
094b3376219215b2fea6acc3a9103b25

SHA1
20879bf11c9ab154616068adf70832a3c3e0d26f

SHA256
a4f9ef601bdf067426c30827957a2097653eea3f326b0ac6f679db4947202922

SHA512
88a25a91e1077ad2046c361b19ef33a6b66ba9f856999e7d0f41b0e4593d7d6d1a052254f8082623b1b098f0424f19b9b4f21fb989ae60bac855e221c3c1b09e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_es-419.dll

Filesize
34KB

MD5
6f21fdbec64a196fd9bb392e88428775

SHA1
baa928d714957c11613e36746a3cad6f71175021

SHA256
d8decf8a92badf2c9d512dfb16d4af9d6ae45b7eea80890cbf69c79ca3070935

SHA512
a930a346a5006ae20c53ba03c2763e9363a901ce9631edb26caec3697c9c6374bb664228eb5b1493c03379ea52ec50775658ca185c8717c984d768873ba1c34b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_es.dll

Filesize
34KB

MD5
9cb5bb68af81808db323c3a30533e451

SHA1
e0bd3c40d54a2b8b9283c27d2d455a5afd9ec600

SHA256
c6d0b0916e358b0bd6ed02f3d9cecd7ef5a57fa273ecc164b556f2dd9b879ba1

SHA512
7f82bc54d72de4d2e74da3cde82aa538c16cac7641265599bd4680f6bf7c675e7883282984234eed2ab9b84b0a44164197d1c77fc37f94a2344a48b79aee3c99

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_fr.dll

Filesize
35KB

MD5
54dd28b2eddeec387c2de9b216532153

SHA1
0a163e432d3cc744c4755cf1b2b7bc7bed5de3ab

SHA256
a8034afac342ec89b918da3c466d396401da8cb97e8d7730d1fd7a7ecff125d9

SHA512
af5e976f13bcb3a2ba38b46f4c2df8b04a2b74359d21b299d13d0ea359a3e8791ca815470893aafd79ccb46583c96f046ff27e93c9780819fbc52716e7671ec9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_id.dll

Filesize
32KB

MD5
192d4311141487c6e5b8e9e53245907a

SHA1
27294bbe84a29f2e5a7e05590a1c13a2bf22b153

SHA256
a151bf2ffca80ecbb38a8cfa3db30002dcb42749e4ff3c768ee3aae2cb9ecedd

SHA512
77a45d7842270d39abbc30bf3301840450fde871a88e29522c6f159bd0e4645aea02c89e7058c8325a922e0a8f5c531403b23254de7caa5324291ecb140a0c6e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_it.dll

Filesize
34KB

MD5
7aa209b91e208c4157a947975f312416

SHA1
ceec1c84d319170ab5eb9d670aa20b6673b80dad

SHA256
4c6fdca461a0caf39110dddfad734f0e1ad3656d8a11b8b1279dbe05594818b8

SHA512
c78afaca62a6e928273be6ed2cac8ebee760eb668f86864821da6ee492546413a2fd29bb0a4980ac6c2f81dffd65689ce5019f7992dc499fd9a750895b6e8ffc

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ja.dll

Filesize
28KB

MD5
b96eb4559e725359525e82e283ec4779

SHA1
136481b3d4b9feda5a7126af6f15e98cba22e350

SHA256
5d45d00e17e5a0a9d322299bfedb9aaeb17469120f1b9c374f0d3badcd8e0598

SHA512
ae820ea2341065390c5a37d462ebc8f96ef74e5241d4592cc53b94bf20341960200316530a7e77fbe2e0bd7d48f1e102d34be7b2dd248e77f2e9b2879b4be96e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ko.dll

Filesize
28KB

MD5
2d116334e9d12666417575547433fc70

SHA1
3f824d9b27edfd3086cc1fbd6bf4d04e1a33b132

SHA256
98868e4ed9918de9ab3e2388595235c10defee540999203dd712ad15c8304c99

SHA512
0a4ef8e79243b265cef3dfe0262c48e2739495a032bcd91fa0264a90a1ecf62d2e1d60cb13f4ebf1b3c150c0bc35ac07beab93a6a256978b68f41e7d27f5944a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ms.dll

Filesize
32KB

MD5
a390231d487ab42345b0c0250ed767b8

SHA1
33bff729a689e7ce1e631b20d53e29d2cf5c3014

SHA256
d3a0a2a7a7cd083645242c224607f3cb66a933c8f433d72771b3693ee88f3c56

SHA512
4987ff6abf27a9789a0bc08fc39fb1f48efc52bf7efc907e35720b3eb3d1937ae0db233b0c7f1a3c0e6c037b60aa0f74d38126c6c0e2a3d8a8cc792950a895a4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_nl.dll

Filesize
35KB

MD5
eb5c039ed11bbd25008c9ea40534e3cf

SHA1
609683ef8699c6232feb39ace66a28afcdbe8ab2

SHA256
a33e1ca83c2b43014527c687388fada28fe2d940b9e8622c81c635fa093135c1

SHA512
89311f2333ec99fdd44ae04c3610bb5655e877583164d35bd7ef09d396396512f94ad90f7ac7ffb0edb1ce801f269c7c8d271124dadcec9a681ff160f27e4ca6

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_no.dll

Filesize
33KB

MD5
144294e8d5a1feb77b717ecbf7d5e86a

SHA1
f42d6826645f1202243c8f410a42ca2e75ed69c8

SHA256
ea0bee6774f927317c05a0ac7eb036c1bef672249dc8fee390449eb26b40997d

SHA512
6477e500135adc425105c804b517fb527257b2648ec0497c10519f3388aa2394520983bf7de593386ae2c1893d37e0ff9040e6fa0eb0ad3f3845a82eea8d3b93

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_pl.dll

Filesize
34KB

MD5
49e4bb26edf1551a6a75d8f99e7e7c60

SHA1
b3b20d24505b66918b31647701419993ebb67639

SHA256
6b97ece1f16a2f1d99392f0880b99262537b0f7d59897d9a974150a25ec4f335

SHA512
aca6106b463c4218a8de3b78a59c14a28d873b5851d570beab4abec1f9db0a42d1194ace06ea42a4f37a60cf141288d3340e206ed089e0649386c6a9ce229c42

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_pt-BR.dll

Filesize
33KB

MD5
6867ab5d7515e5e2b04ecc9c8c511d68

SHA1
53d829f2a3c868976a691f1bea92a5c5d4657086

SHA256
908f345025c31d766b3189fbcf8457047603b69e2b9e91146d30c0962ce4d801

SHA512
55071ed358a5d64efa6d4797f53ab8b20a3b41e3127e6509a0c6dd6e09a5363bef4c66bd6685a5f89ac4bb6e38c5582264ae97f84c4ec164d30f9bfbed89541a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_ru.dll

Filesize
34KB

MD5
431768cfa5ed3774107aec0cddf23abd

SHA1
eda72761c54fc3e2d426d715b9181609807be468

SHA256
f3d3c07ce75e2be074a28d0201faeac7e858a67b274bc112d414dddf02078c6e

SHA512
f3c7da9d5e661b1efdcf10d99d3e28b30d21fa6a15fd00bb0a75e3fb2fd28d468237534005cda27edae3b488708df7b0fc31c81f92c9ce9b2636c8945cd632ac

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_sv.dll

Filesize
33KB

MD5
f5279d96c1aa2a1feffc82a329864085

SHA1
595bb28ec374961c0c87c85a0a037000d0160d5c

SHA256
5db6737fae50622909f09fc276cc2d47a1e67a5670fe39352bbd1768dc443ae2

SHA512
843eba27c78e52900d78c5624983d941a85b1618785d6125ed5d645f1344f82ea64bd3d4899144f19f06a5bfe86a8321d593e23813df024af91b835c55bead5e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_th.dll

Filesize
32KB

MD5
f12bf39090960bf9dd933a3fbb21cb69

SHA1
f165202357d25c6f5def8911fa43c7f140a15ed3

SHA256
c34d0bdfe4af1b31543327659d5579899c1c63429d7c725a34294c47d97102d0

SHA512
572b24b4489768f09d64f4db172a0a28bb92d2c45051ec5817ab8cfe3879cb33c5ba26b62229a3ccb3459e3806167feabeedc1307277150357b13a5fb2fb077c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_uk.dll

Filesize
33KB

MD5
488bf1cf2b04d2dd682e1ef0f23f5f3a

SHA1
6fa6b21a4a42855a01c8af26c9ca945494ec039b

SHA256
45f844c94c19257a09573568f96cc1a4aa368d2cc9e9280a6ad267de4c564aa4

SHA512
205a24425da59854e2ccb101813d8522b1032d1d1f6bb61188b47fbd2da1608fc0573eadfdf1dbe6766ed56d860f5777af0ad4665fe86533abaa5cb532a75a4a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_zh-CN.dll

Filesize
26KB

MD5
14d2c6eb631ec1557263d249b1e2e2fb

SHA1
51e3889627cf72398f603f188f0be91ee9925899

SHA256
9b4e3e8bf366562f9b019611ef542e02c45e4fb5659e672a77545e1392083db0

SHA512
82ae111a8cc04dcb45fa10657ff5b5d13192527e42f8b7af58a3769feed713a8f43530cda2daba54d839bf5b14d6817382f585f54dd70521f07039bc252451b8

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\goopdateres_zh-TW.dll

Filesize
26KB

MD5
fb5996aa43ca35aa2785b78dfba27b2d

SHA1
2cef3511e920552d86d055bafe822c7249ab8ec8

SHA256
f185c7b48767aa5757f87ba76a96c9aca200e44e98dfffa7a23a2deb04a315cf

SHA512
53afd7236364e33a90da001993e32aa6f1a95b8ba73eed0cb5dd499acf22406e25937038262cf6697c5e970435e0b5ad11eb7d8b53a6fb6501a3e23fd742438c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\npDropboxUpdate3.dll

Filesize
274KB

MD5
bed3f629455188556d54e8868cc3705b

SHA1
4ed92e45fc62b6427fecd5d94f2ac1a53d072ac8

SHA256
aaf37e7be50fb5ea738ccdd615c7985b9efdaea43290094c6696ae0f6348051f

SHA512
123a68c0ca8e315d7bb2193ade5f2a57a1bac36ba8d7b8cc542ecc629065067dbfae30683ed1c85cf652b372ce569ea4d3f30692b78bfcd9f030f9d0c449b9fd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM9589.tmp\psmachine.dll

Filesize
212KB

MD5
57250ac3da5cfe80eac551f4231a73f5

SHA1
e075cbfb7590e4702d9a9e4abb693c0b2e8a89ff

SHA256
40b05834d9f30e8f07ee22c1d115a0a95d8d95489b4078aa0b640dee7c6a111c

SHA512
8ea8d7a64cc881a2c73bbb6ed3b60574cf582c4b28570b253b4ca50060cfeff0e8df37cb37837e8a0e52e76cdb6f51e572b8be178704fb3093f07f4bdbbdcb94

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxCrashHandler.exe

Filesize
130KB

MD5
3b607e9ae169797c5112736dd445db25

SHA1
076e59938996baf436888e2ecb536353071e0adf

SHA256
e7141aeb22ea3165a4f7fb8c4d210151575f1b95ef545e0978a2174598a08265

SHA512
1a80b6ed790d3325c365de14d7bdd4d98473c2cfd8a4eb5d97f99d9383946e6c9e892820e54182b06359f495cc42f261e455e3097413c605f0f208d7b6e3c2cd

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateHelper.msi

Filesize
44KB

MD5
9ab89a05f39ef9f354de6d4074bf105b

SHA1
19cb4715f2f24b70a41a7cd33193a48f79a2fe93

SHA256
df7c8bcdbcf6247c25abdc09d332858b01450225a4ebb29ac6df4f713691b399

SHA512
ff5c51a2d11fac17d829d63fe7b43edf9fbd5acabdbc668d4eec495ef6edc5079cd9fd8b4d39902f4881920f61494966f8464009db4542a13c284da1cd6c8341

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psuser.dll

Filesize
212KB

MD5
0fa0151b62cf23391917784b5adf0e1f

SHA1
89dfe00691d97cd9b2904519c6292ab6b36bfb82

SHA256
bc519e9f04c84a2287e8f274743a23a425995156e9c882c09695f13d4095e196

SHA512
1adc6b20ab17bf462a00b86fbdcadc576c37d3a5752ef0940a33843cb9a1d74081d543e3e2ea28aa3b160b638b07864b943d856933bb29c31bea7067e0975daf

Download Submit
C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job

Filesize
924B

MD5
3a4bf52c8415b0ecfb1cc65eb9c3ef3a

SHA1
0ab3b469d309e58aa5f58675cb69446238d541da

SHA256
8ee0d45cec1ab9fa043df49aa8b0cef387895b6387de3f76341e357b6a0e7691

SHA512
3924daeb0326cd79e6771c9dc9543524cc5d2c0d887418539ac0d0951b8cc5b1d5fb13e4883d7c70b6e8ac0e1b9d4c3e41eeb75112bad382c2f1f5d2d508b651

Download Submit
memory/1172-70-0x00007FF9A85D0000-0x00007FF9A87C5000-memory.dmp

Filesize
2.0MB

Download
memory/1172-396-0x00007FF9A85D0000-0x00007FF9A87C5000-memory.dmp

Filesize
2.0MB

Download