Windows
Analysis Report
magicline4nx_setup.exe
Overview
General Information
Detection
GuLoader, UACMe
Score: 90 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Compliance
Score: 33 (range 0 - 100)
Signatures
Detected unpacking (changes PE section rights)
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade debugger and weak emulator (self modifying code)
DLL side loading technique detected
Modifies Internet Explorer zone settings
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Overwrites Mozilla Firefox settings
Installs new ROOT certificates
Changes security center settings (notifications, updates, antivirus, firewall)
Modifies the windows firewall
Drops certificate files (DER)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
EXE planting / hijacking vulnerabilities found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Checks for debuggers (devices)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains capabilities to detect virtual machines
Uses taskkill to terminate processes
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64_ra
magicline4nx_setup.exe (PID: 5736 cmdline: C:\Users\user\Desktop\magicline4nx_setup.exe MD5: 7CEC32C04FDAE116AB0F7F4FD8372ABD)
cmd.exe (PID: 6204 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe MD5: 4943BA1A9B41D69643F69685E35B2943)
conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
taskkill.exe (PID: 6260 cmdline: taskkill /f /im NTSMagicLineNP.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)
sc.exe (PID: 6288 cmdline: sc stop MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)
conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
sc.exe (PID: 6380 cmdline: sc delete MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)
conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
cmd.exe (PID: 6436 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe MD5: 4943BA1A9B41D69643F69685E35B2943)
conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
taskkill.exe (PID: 6484 cmdline: taskkill /f /im MagicLine4NX.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)
certmgr.exe (PID: 6512 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root MD5: 3A73031809C7DC0BB9BCE2F366345101)
conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
cscript.exe (PID: 6564 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)
conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
certutil.exe (PID: 6652 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
certutil.exe (PID: 6712 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
cscript.exe (PID: 6820 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)
conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
certutil.exe (PID: 6908 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
certutil.exe (PID: 7088 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
netsh.exe (PID: 6480 cmdline: netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" MD5: 718A726FCC5EFCE3529E7A244D87F13F)
conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
netsh.exe (PID: 6540 cmdline: netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes MD5: 718A726FCC5EFCE3529E7A244D87F13F)
conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
CheckNetIsolation.exe (PID: 6668 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)
conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
CheckNetIsolation.exe (PID: 6732 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)
conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
MagicLine4NX.exe (PID: 5700 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe MD5: A98F6351876129FED4A6CA7DB7CBD721)
MagicLine4NXServices.exe (PID: 6760 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install MD5: 877F2A6FC5DA85AA4C9B38943EF21EAE)
conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
sc.exe (PID: 1156 cmdline: sc start MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)
conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
svchost.exe (PID: 5992 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)
svchost.exe (PID: 6936 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc MD5: 9520A99E77D6196D0D09833146424113)
svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)