Windows Analysis Report
DropboxInstaller.exe

Overview
General Information

Detection
Score: 56 (range 0 - 100), confidence: 100%

Compliance
Score: 48 (range 0 - 100)
Signatures
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected potential unwanted application
Found evasive API chain checking for user administrative privileges
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Changes image file execution options
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Disables exception chain validation (SEHOP)
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- DropboxInstaller.exe (PID: 6764, cmdline: "C:\Users\user\Desktop\DropboxInstaller.exe", MD5: 07AEF25C0592FCE08A72187335C8E479)
- DropboxUpdate.exe (PID: 372, cmdline: "C:\Program Files (x86)\Dropbox\Temp\GUM67BF.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=[base64 argument omitted]", MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7244, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7404, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7428, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping [base64 argument omitted], MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7452, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=[base64 argument omitted]&nolaunch=0" /installsource taggedmi /sessionid "{5C6B3FEB-52D2-42FE-B550-9DBEAEACCD45}", MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7984, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /unregserver, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 8012, cmdline: "C:\Program Files (x86)\Dropbox\Temp\GUM67BF.tmp\DropboxUpdate.exe" /unregsvc, MD5: 8AD76E0B347BB690697535CE95B1C656)
- svchost.exe (PID: 3012, cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 1556, cmdline: C:\Windows\system32\SgrmBroker.exe, MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
- svchost.exe (PID: 2084, cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 60, cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 644, cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- MpCmdRun.exe (PID: 8184, cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable, MD5: B3676839B2EE96983F9ED735CD044159)
- conhost.exe (PID: 7224, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 7340, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: E5DA170027542E25EDE42FC54C929077)
- DropboxUpdate.exe (PID: 7444, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /c, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7532, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /cr, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxCrashHandler.exe (PID: 7584, cmdline: "C:\Program Files (x86)\Dropbox\Update\1.3.983.1\DropboxCrashHandler.exe" /crashhandler, MD5: 6593CBE28B4DDDF760595AE90A0EEC2E)
- DropboxUpdate.exe (PID: 7508, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ua /installsource scheduler, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxCleanup.exe (PID: 7600, cmdline: "C:\Program Files (x86)\Dropbox\Update\1.3.983.1\DropboxCleanup.exe" /InstallType:MACHINE, MD5: A00BDE016BDB87F3A975FC5E92DCEE17)
- DropboxUpdate.exe (PID: 7936, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /uninstall, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7516, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc, MD5: 8AD76E0B347BB690697535CE95B1C656)
- DropboxUpdate.exe (PID: 7736, cmdline: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping [base64 argument omitted], MD5: 8AD76E0B347BB690697535CE95B1C656)
- cleanup
No configs have been found
No yara matches
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-13T14:55:15.387966+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49695 | 162.125.66.13 | 443 | TCP |
2025-03-13T14:55:17.412377+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49698 | 162.125.66.13 | 443 | TCP |
2025-03-13T14:55:24.118198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49705 | 162.125.66.13 | 443 | TCP |
2025-03-13T14:55:26.068554+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49707 | 162.125.66.13 | 443 | TCP |