magicline4nx_setup.exe

Status: finished
Submission Time: 2022-11-28 15:21:57 +01:00
Malicious
Phishing
Trojan
Spyware
Exploiter
Evader
GuLoader, UACMe

Details

  • Analysis ID:
    755310
  • API (Web) ID:
    1122586
  • Analysis Started:
    2022-11-28 15:21:58 +01:00
  • Analysis Finished:
    2022-11-28 15:34:09 +01:00
  • MD5:
    7cec32c04fdae116ab0f7f4fd8372abd
  • SHA1:
    8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
  • SHA256:
    aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
  • Technologies:
System: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 91, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)

malicious
90/100

URLs

Name Detection
https://dynamic.t
https://dev.virtualearth.net/REST/v1/Transit/Stops/
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
http://crl.rootca1.amazontrust.com/rootca1.crl0
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
http://ocsp.rootca1.amazontrust.com0:
http://nsis.sf.net/NSIS_ErrorError
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
https://%s.xboxlive.com
https://dev.virtualearth.net/REST/v1/Locations
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
https://dev.virtualearth.net/mapcontrol/logging.ashx
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
http://nsis.sf.net/NSIS_Error
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
https://www.thawte.com/cps0/
http://www.ubikey.co.kr/infovine/download.html
https://www.thawte.com/repository0W
https://dev.virtualearth.net/REST/v1/Routes/Transit
http://crt.rootca1.amazontrust.com/rootca1.cer0?
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
https://dev.ditu.live.com/REST/v1/Transit/Schedules/
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
https://activity.windows.com
https://dev.ditu.live.com/REST/v1/Locations
http://pcro.mobilesign.net/mini_cert_install.html679865F99D3C364AE1795B826BF546FAB3AC7343
https://%s.dnet.xboxlive.com
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
https://dev.virtualearth.net/REST/v1/Transit/Schedules/
https://dev.ditu.live.com/REST/v1/Routes/
http://rootca.kisa.or.kr/kor/hsm/hsm.jsp
https://dev.virtualearth.net/REST/v1/Routes/Driving
http://www.openssl.org/V
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
https://t0.tiles.ditu.live.com/tiles/gen
https://dev.virtualearth.net/REST/v1/Routes/Walking
https://mobi.yessign.or.kr/mobisignInstall.htm
http://ids.smartcert.kr
http://www.openssl.org/support/faq.html
https://dev.ditu.live.com/mapcontrol/logging.ashx
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
http://pcro.mobilesign.net/mini_cert_install.html
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
http://crl.thawte.com/ThawteTimestampingCA.crl0
https://activity.windows.comds
http://www.ubikey.co.kr/infovine/download.html1.4.0.2609100003www.dreamsecurity.comcenter.smartcert.
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
http://www.bingmapsportal.com
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
http://cps.root-x1.letsencrypt.org0
http://rootca.kisa.or.kr/kor/hsm/hsm.jspPKCS#11.DriverDriver
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
https://mobi.yessign.or.kr/mobisignInstall.htmsiteCode6070059serviceOptubikeyUbikeylParamUbikeyWPara
https://dev.ditu.live.com/REST/v1/Transit/Stops/
http://ocsp.thawte.com0
https://dev.virtualearth.net/REST/v1/Routes/
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\cert8.db
Berkeley DB 1.85 (Hash, version 2, native byte-order)
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe
PE32 executable (console) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\CertManager.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db-journal
SQLite Rollback Journal
#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\key4.db
SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db-journal
SQLite Rollback Journal
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe
PE32 executable (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe.hmac
data
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe
PE32 executable (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release\cert9.db
SQLite 3.x database, last written using SQLite version 3010002, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\secmod.db
Berkeley DB 1.85 (Hash, version 2, native byte-order)
#
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default\key3.db
Berkeley DB 1.85 (Hash, version 2, native byte-order)
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe
PE32 executable (console) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\DreamSecurity\MagicLine4NX\logs\install-202211281523.log
ISO-8859 text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\NsisUtil.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\DumpLog.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\KillProcDLL.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\libeay32.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ssleay32.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\nsldap32v50.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\mlnp_dreamsecurity_com.ca-bundle
PEM certificate
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\smime3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\System.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsExec.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\nsProcess.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Users\user\AppData\Local\Temp\nst78C0.tmp\version.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\MagicLine4NX.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Mar 29 10:06:58 2021, mtime=Mon Nov 28 13:22:36 2022, atime=Mon Mar 29 10:06:58 2021, length=3753952, (…)
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MagicLine4NX\Uninstall.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Nov 28 13:22:36 2022, mtime=Mon Nov 28 13:22:36 2022, atime=Mon Nov 28 13:22:36 2022, length=113488, (…)
#
C:\Windows\Logs\waasmedic\waasmedic.20221128_142248_759.etl
data
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
Unicode text, UTF-8 (with BOM) text
#
C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\L.user.cdp
Unicode text, UTF-8 (with BOM) text
#
\Device\ConDrv
ASCII text, with CRLF line terminators
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\freebl3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\DSCToolkitV30-v3.4.2.20.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\ENG.ini
ISO-8859 text, with CRLF line terminators
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\Images\Logo.bmp
PC bitmap, Windows 3.x format, 369 x 73 x 16, image size 54022, resolution 3779 x 3779 px/m, cbSize 54076, bits offset 54
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid.conf
ISO-8859 text, with CRLF line terminators
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\IssuerOid_Eng.conf
ASCII text
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\KOR.ini
Generic INItialization configuration [Message]
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicCrypto32V21.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX_Uninstall.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs
ASCII text, with CRLF line terminators
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs
ASCII text, with CRLF line terminators
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der
Certificate, Version=3 Certificate, Version=01
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity.com.der
Certificate, Version=3, Serial=009e5343085f93b442, not-valid-before=2015-09-03 04:11:52 GMT, not-valid-after=2035-08-28 04:11:52 GMT
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\httptx.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libnspr4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplc4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\libplds4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nspr4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nss3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssdbm3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\nssutil3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plc4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\plds4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\softokn3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\sqlite3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#