Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Dropbox.exe

"C:\Users\user\Desktop\Dropbox.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6992
Target ID:	0
Parent PID:	4552
Name:	Dropbox.exe
Path:	C:\Users\user\Desktop\Dropbox.exe
Commandline:	"C:\Users\user\Desktop\Dropbox.exe"
Size:	9248136
MD5:	2167FDED6D75ECB3759AF2924818579E
Time:	16:53:04
Date:	28/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff71f440000
Modulesize:	9273344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Detected potential unwanted application	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains sections with non-standard names	Data Obfuscation
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\Dropbox.exe

"C:\Users\user\Desktop\Dropbox.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7052
Target ID:	13
Parent PID:	4552
Name:	Dropbox.exe
Path:	C:\Users\user\Desktop\Dropbox.exe
Commandline:	"C:\Users\user\Desktop\Dropbox.exe"
Size:	9248136
MD5:	2167FDED6D75ECB3759AF2924818579E
Time:	16:53:58
Date:	28/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff71f440000
Modulesize:	9273344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Detected potential unwanted application	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains sections with non-standard names	Data Obfuscation
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\Dropbox.exe

"C:\Users\user\Desktop\Dropbox.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1732
Target ID:	20
Parent PID:	4552
Name:	Dropbox.exe
Path:	C:\Users\user\Desktop\Dropbox.exe
Commandline:	"C:\Users\user\Desktop\Dropbox.exe"
Size:	9248136
MD5:	2167FDED6D75ECB3759AF2924818579E
Time:	16:54:19
Date:	28/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff71f440000
Modulesize:	9273344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Detected potential unwanted application	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains sections with non-standard names	Data Obfuscation
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3888
Target ID:	21
Parent PID:	804
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	16:54:55
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff79e950000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh

Details

Is windows:	true
Is dropped:	false
PID:	388
Target ID:	23
Parent PID:	3712
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	16:54:58
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff79e950000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.dropbox.com/0

unknown

Domains

Name

Malicious

k-9999.k-msedge.net

13.107.18.254

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF71F5C4000

unkown

page readonly

91574FE000

stack

page read and write

7FF71F587000

unkown

page readonly

915715C000

stack

page read and write

7FF71F792000

unkown

page readonly

17BB2E8F000

trusted library allocation

page read and write

7FF71F728000

unkown

page readonly

1D0B17F000

stack

page read and write

7FF71F440000

unkown

page readonly

7FF71F5D4000

unkown

page readonly

1D0AD8E000

stack

page read and write

7FF71FCA6000

unkown

page readonly

7FF71F6A3000

unkown

page readonly

25FAA8CE000

heap

page read and write

17BB30F0000

heap

page read and write

7FF71FC58000

unkown

page readonly

7FF71FC14000

unkown

page readonly

7FF71F82B000

unkown

page readonly

17BB49F0000

heap

page read and write

7FF71F773000

unkown

page readonly

17BB2ED0000

heap

page read and write

7FF71F6EF000

unkown

page readonly

7FF71F60E000

unkown

page readonly

915747E000

stack

page read and write

7FF71F61C000

unkown

page readonly

7FF71F5CD000

unkown

page readonly

7FF71F6DE000

unkown

page readonly

1D0B07E000

stack

page read and write

7FF71F9E7000

unkown

page readonly

7FF71FC4A000

unkown

page readonly

25FAA8C8000

heap

page read and write

7FF71F739000

unkown

page readonly

17BB2E90000

heap

page readonly

7FF71F583000

unkown

page readonly

91571DF000

stack

page read and write

7FF71F747000

unkown

page readonly

7FF71F4D8000

unkown

page readonly

7FF71F80C000

unkown

page readonly

7FF71F441000

unkown

page execute read

25FAAA50000

heap

page read and write

7FF71F743000

unkown

page readonly

7FF71FCB5000

unkown

page readonly

17BB2D50000

heap

page read and write

7FF71F851000

unkown

page readonly

7FF71F4FB000

unkown

page write copy

17BB2F08000

heap

page read and write

25FAAA55000

heap

page read and write

17BB2E30000

heap

page read and write

7FF71FB17000

unkown

page readonly

7FF71F579000

unkown

page readonly

7FF71F7DA000

unkown

page readonly

7FF71F81D000

unkown

page readonly

17BB2E80000

trusted library allocation

page read and write

7FF71FB13000

unkown

page readonly

7FF71F502000

unkown

page readonly

7FF71F7D0000

unkown

page readonly

7FF71F78E000

unkown

page readonly

7FF71F5FD000

unkown

page readonly

7FF71F7DE000

unkown

page readonly

17BB30F5000

heap

page read and write

25FAA8A0000

heap

page read and write

17BB2E50000

heap

page read and write

7FF71F692000

unkown

page readonly

7FF71F5D1000

unkown

page readonly

7FF71F617000

unkown

page readonly

7FF71F666000

unkown

page readonly

25FAC3F0000

heap

page read and write

17BB2F2F000

heap

page read and write

17BB2F0E000

heap

page read and write

7FF71F6AD000

unkown

page readonly

25FAA8C0000

heap

page read and write

7FF71F5B3000

unkown

page readonly

1D0B0FD000

stack

page read and write

25FAA9C0000

heap

page read and write

7FF71FC3B000

unkown

page readonly

7FF71F7BF000

unkown

page readonly

1D0AD0C000

stack

page read and write

17BB2F00000

heap

page read and write

7FF71F83E000

unkown

page readonly

25FAA7C0000

heap

page read and write

7FF71F6B1000

unkown

page readonly

7FF71F647000

unkown

page readonly

7FF71F6FD000

unkown

page readonly

7FF71F568000

unkown

page readonly

7FF71FC67000

unkown

page readonly

7FF71F785000

unkown

page readonly

7FF71F658000

unkown

page readonly

7FF71F826000

unkown

page readonly

7FF71F661000

unkown

page readonly

7FF71F6F8000

unkown

page readonly

There are 80 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Dropbox.exe

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDropbox.exe

Processes

URLs

Domains

Memdumps

IOC Report
Dropbox.exe