Windows Analysis Report
Dropbox.exe

Overview

General Information

Sample name: Dropbox.exe
Analysis ID: 1544131
MD5: 2167fded6d75ecb3759af2924818579e
SHA1: 56dc718db938dc55c79762ef3a248239d1e91a34
SHA256: 6cea8e16c32afa802e049580c3a34d4caa3686efe9d57277abed64cca05c8239

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected potential unwanted application
Binary contains a suspicious time stamp
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Source: Dropbox.exe Static PE information: certificate valid
Source: Dropbox.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Dropbox.pdbg source: Dropbox.exe
Source: Binary string: Dropbox.pdb source: Dropbox.exe
Source: Dropbox.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Dropbox.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Dropbox.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Dropbox.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Dropbox.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Dropbox.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Dropbox.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Dropbox.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Dropbox.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Dropbox.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Dropbox.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Dropbox.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Dropbox.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Dropbox.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Dropbox.exe String found in binary or memory: https://www.dropbox.com/0

System Summary

Source: Dropbox.exe PE Signature Subject Chain: CN="Dropbox, Inc", O="Dropbox, Inc", L=San Francisco, S=California, C=US
Source: Dropbox.exe Binary string: sbox_alternate_desktop_local_winstation_0x%X\Device\\/?/?\**~*
Source: Dropbox.exe Binary string: ntdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolumentdll.dll
Source: classification engine Classification label: clean16.winEXE@5/0@0/0
Source: Dropbox.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\Dropbox.exe "C:\Users\user\Desktop\Dropbox.exe"
Source: unknown Process created: C:\Users\user\Desktop\Dropbox.exe "C:\Users\user\Desktop\Dropbox.exe"
Source: unknown Process created: C:\Users\user\Desktop\Dropbox.exe "C:\Users\user\Desktop\Dropbox.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
Source: Dropbox.exe Static PE information: certificate valid
Source: Dropbox.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Dropbox.exe Static file information: File size 9248136 > 1048576
Source: Dropbox.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x80ba00
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Dropbox.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Dropbox.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Dropbox.pdbg source: Dropbox.exe
Source: Binary string: Dropbox.pdb source: Dropbox.exe
Source: Dropbox.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Dropbox.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Dropbox.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Dropbox.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Dropbox.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Dropbox.exe Static PE information: 0xB4C7EDCF [Wed Feb 10 04:23:43 2066 UTC]
Source: Dropbox.exe Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos