Windows Analysis Report
magicline4nx_setup.exe

Overview

General Information

Sample Name: magicline4nx_setup.exe
Analysis ID: 755310
MD5: 7cec32c04fdae116ab0f7f4fd8372abd
SHA1: 8b87b2536fc29ced5a2a242bf0ae1d9d3b5b2d2b
SHA256: aee4831c12dc0cb1c46544cb2319f018d9f16c7a23592008a580a7a605e7ca1f
Detection

GuLoader, UACMe
Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Detected unpacking (changes PE section rights)
Yara detected GuLoader
Yara detected UACMe UAC Bypass tool
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade debugger and weak emulator (self modifying code)
DLL side loading technique detected
Modifies Internet Explorer zone settings
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Overwrites Mozilla Firefox settings
Installs new ROOT certificates
Changes security center settings (notifications, updates, antivirus, firewall)
Modifies the windows firewall
Drops certificate files (DER)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
EXE planting / hijacking vulnerabilities found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Checks for debuggers (devices)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains capabilities to detect virtual machines
Uses taskkill to terminate processes
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64_ra
  • magicline4nx_setup.exe (PID: 5736 cmdline: C:\Users\user\Desktop\magicline4nx_setup.exe MD5: 7CEC32C04FDAE116AB0F7F4FD8372ABD)
    • cmd.exe (PID: 6204 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im NTSMagicLineNP.exe MD5: 4943BA1A9B41D69643F69685E35B2943)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • taskkill.exe (PID: 6260 cmdline: taskkill /f /im NTSMagicLineNP.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)
    • sc.exe (PID: 6288 cmdline: sc stop MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)
      • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • sc.exe (PID: 6380 cmdline: sc delete MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cmd.exe (PID: 6436 cmdline: "C:\Windows\System32\cmd.exe" /C taskkill /f /im MagicLine4NX.exe MD5: 4943BA1A9B41D69643F69685E35B2943)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • taskkill.exe (PID: 6484 cmdline: taskkill /f /im MagicLine4NX.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)
    • certmgr.exe (PID: 6512 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certmgr.exe" -add dreamsecurity-rootca.der -c -s -r localMachine Root MD5: 3A73031809C7DC0BB9BCE2F366345101)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cscript.exe (PID: 6564 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefoxCheck.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • certutil.exe (PID: 6652 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
        • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • certutil.exe (PID: 6712 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -L -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release" -n "Dreamsecurity ROOT CA MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
        • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cscript.exe (PID: 6820 cmdline: cscript" "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\ImportCAtoFirefox.vbs" "MagicLine4NX MD5: 86EF3CCA8FF54D585BC29699EE1ADC00)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • certutil.exe (PID: 6908 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kc1pur8x.default MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
        • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • certutil.exe (PID: 7088 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\certutil.exe" -A -n "Dreamsecurity ROOT CA" -i "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\cert\dreamsecurity-rootca.der" -t "CT,c,C" -d sql:"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\tjbwzv1u.default-release MD5: F2F7AA96E4E4BFCB04643ECADEDB3A14)
        • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • netsh.exe (PID: 6480 cmdline: netsh advfirewall firewall delete rule name="MagicLine4NX" program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" MD5: 718A726FCC5EFCE3529E7A244D87F13F)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • netsh.exe (PID: 6540 cmdline: netsh advfirewall firewall add rule name="MagicLine4NX" dir=in action=allow program="C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe" enable=yes MD5: 718A726FCC5EFCE3529E7A244D87F13F)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • CheckNetIsolation.exe (PID: 6668 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • CheckNetIsolation.exe (PID: 6732 cmdline: CheckNetIsolation LoopbackExempt -a -n="Microsoft.Windows.Spartan_cw5n1h2txyewy" MD5: 2FBEB635ADD6F73B226EE4BE660201BB)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • MagicLine4NX.exe (PID: 5700 cmdline: C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NX.exe MD5: A98F6351876129FED4A6CA7DB7CBD721)
    • MagicLine4NXServices.exe (PID: 6760 cmdline: "C:\Program Files (x86)\DreamSecurity\MagicLine4NX\MagicLine4NXServices.exe" -install MD5: 877F2A6FC5DA85AA4C9B38943EF21EAE)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • sc.exe (PID: 1156 cmdline: sc start MagicLine4NXSVC MD5: 3A070609B1569EDEBABDC6466E8FA36C)
      • conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • svchost.exe (PID: 5992 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)
  • svchost.exe (PID: 6936 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc MD5: 9520A99E77D6196D0D09833146424113)
  • svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)