Automated Malware Analysis IOC Report for

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.964732842884367
Filename:	MagicUtilities-Setup-3.1.4.5-Win10.exe
Filesize:	69423208
MD5:	b0a4144c3aeef5d61201706e2f786ff0
SHA1:	224e8360830c2b02e4daef69a2c0d55a98ff0ec4
SHA256:	4150d4963e9283e26e1bbe67f56c733feec94ae4cc42b2e5fc35b40efa92ea8f
SHA512:	aaa65d924e5ca74ec003e059c4bb4a5c6dc568271b95e993712f372c861ee0afa50a29bfcdb8d4233bfff08e68d127ad91f06d35737e1f218a6739265b45208d
SSDEEP:	1572864:fL25J4bR71bbsBcvuGXSSAcH2I2UOoJceLUYU1+SIJ:fkWd5HocGonjJVUYUs
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation	File Deletion
Uses 32bit PE files	Compliance, System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\Program Files (x86)\MagicUtilities\Service\MagicUtilities_Service.exe (copy)
Category:	dropped
Dump:	is-IEGHA.tmp.3.dr
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to evade analysis by execution special instruction (VM detection)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery
Creates or modifies windows services	Boot Survival	Windows Service
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Program Files (x86)\MagicUtilities\Service\is-5TT39.tmp
Category:	dropped
Dump:	is-5TT39.tmp.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.647903409585529
Encrypted:	false
Size:	3249536
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Generic Downloader	Networking
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\Program Files (x86)\MagicUtilities\Service\BluetoothPairing.exe (copy)
Category:	dropped
Dump:	is-5TT39.tmp.3.dr
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Program Files (x86)\MagicUtilities\Service\is-IEGHA.tmp
Category:	dropped
Dump:	is-IEGHA.tmp.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy:	7.787272168854475
Encrypted:	false
Size:	5947264
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Program Files (x86)\MagicUtilities\Uninstall\unins000.dat
Category:	dropped
Dump:	unins000.dat.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	InnoSetup Log Magic Utilities {C457C829-197E-41EF-AEF2-FF998099E695}, version 0x418, 73928 bytes, 035347\37\user\376\, C:\Program Files (x86)\MagicUtilities\376\
Entropy:	3.940579855232632
Encrypted:	false
Size:	73928
Whitelisted:	false

Details

File:	C:\Program Files (x86)\MagicUtilities\Uninstall\unins000.msg
Category:	dropped
Dump:	unins000.msg.3.dr
ID:	dr_11
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
Entropy:	3.280577818982728
Encrypted:	false
Size:	24593
Whitelisted:	false

Details

File:	C:\ProgramData\MagicUtilities\MagicUtilities.ini
Category:	dropped
Dump:	MagicUtilities.ini.3.dr
ID:	dr_10
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	ASCII text, with CRLF line terminators
Entropy:	4.41910913192781
Encrypted:	false
Size:	52
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Writes ini files	System Summary	File and Directory Discovery

Details

File:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Mouse Utilities.lnk
Category:	dropped
Dump:	Magic Mouse Utilities.lnk.3.dr
ID:	dr_8
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 30 04:11:59 2024, mtime=Mon Sep 30 04:11:59 2024, atime=Mon Mar 18 17:23:40 2024, length=16858496, window=hide
Entropy:	4.621116197792826
Encrypted:	false
Size:	1189
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Details

File:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Category:	dropped
Dump:	MagicUtilities-Setup-3.1.4.5-Win10.tmp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\MagicUtilities-Setup-3.1.4.5-Win10.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.300389626502679
Encrypted:	false
Size:	3403648
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the installation date of Windows	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Uses taskkill to terminate processes	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates files inside the program directory	System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Reads ini files	System Summary	File and Directory Discovery
Reads the Windows registered organization settings	System Summary	System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Writes ini files	System Summary	File and Directory Discovery
Executable creates window controls seldom found in malware	System Summary
Uses Rich Edit Controls	System Summary
Reads the Windows registered owner settings	System Summary	System Owner/User Discovery

Details

File:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe
Category:	dropped
Dump:	DriverUnInstaller.exe.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.096323082226629
Encrypted:	false
Size:	1404824
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\InfoBefore_Restart.rtf (copy)
Category:	dropped
Dump:	is-DFFA0.tmp.3.dr
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	Rich Text Format data, version 1, ANSI, code page 1252
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\InfoBefore_Update.rtf (copy)
Category:	dropped
Dump:	is-QEU9N.tmp.3.dr
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	Rich Text Format data, version 1, ANSI, code page 1252
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\_isetup\_setup64.tmp
Category:	dropped
Dump:	_setup64.tmp.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	4.720366600008286
Encrypted:	false
Size:	6144
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\is-DFFA0.tmp
Category:	dropped
Dump:	is-DFFA0.tmp.3.dr
ID:	dr_7
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	Rich Text Format data, version 1, ANSI, code page 1252
Entropy:	4.880715430326216
Encrypted:	false
Size:	621
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\is-QEU9N.tmp
Category:	dropped
Dump:	is-QEU9N.tmp.3.dr
ID:	dr_6
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	Rich Text Format data, version 1, ANSI, code page 1252
Entropy:	4.86457165645488
Encrypted:	false
Size:	524
Whitelisted:	false

Details

File:	C:\Users\user\Desktop\Magic Mouse Utilities.lnk
Category:	dropped
Dump:	Magic Mouse Utilities.lnk0.3.dr
ID:	dr_9
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-FVTT9.tmp\MagicUtilities-Setup-3.1.4.5-Win10.tmp
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 30 04:11:59 2024, mtime=Mon Sep 30 04:12:00 2024, atime=Mon Mar 18 17:23:40 2024, length=16858496, window=hide
Entropy:	4.640819794728573
Encrypted:	false
Size:	1177
Whitelisted:	false

Details

File:	C:\Windows\INF\setupapi.dev.log
Category:	dropped
Dump:	setupapi.dev.log0.15.dr
ID:	dr_15
Target ID:	15
Process:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe
Type:	Generic INItialization configuration [BeginLog]
Entropy:	5.223598930678833
Encrypted:	false
Size:	2495606
Whitelisted:	false

Details

File:	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
Category:	modified
Dump:	MpCmdRun.log.24.dr
ID:	dr_16
Target ID:	24
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.2436157012975593
Encrypted:	false
Size:	4926
Whitelisted:	false

Details

File:	C:\Windows\System32\catroot2\dberr.txt
Category:	modified
Dump:	dberr.txt.18.dr
ID:	dr_13
Target ID:	18
Process:	C:\Windows\System32\drvinst.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.390359521990259
Encrypted:	false
Size:	74042
Whitelisted:	false

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.15.dr
ID:	dr_14
Target ID:	15
Process:	C:\Users\user\AppData\Local\Temp\is-NQ6PL.tmp\DriverUnInstaller.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.681020691708262
Encrypted:	false
Size:	129
Whitelisted:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MagicUtilities-Setup-3.1.4.5-Win10.exe

Files

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMagicUtilities-Setup-3.1.4.5-Win10.exe

Files

IPs

IOC Report
MagicUtilities-Setup-3.1.4.5-Win10.exe