e20b66fa897cc5e52c83b3951205f4861f96ac41449001a4651b9991cc12f197

Analysis

max time kernel
97s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 06:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Macrium Reflect Technician 7.3.5672 (x64)/Macrium Reflect.exe
Size

22.1MB
MD5

a6522aa9cb4ac56cabc40dee6f775fc2
SHA1

8804f2104f279357385bd707a79ca799dd41130f
SHA256

c4aad61b17ef29e12e9ad04c985db3bc6b3fa3f79cfb472eb8e1d197bff4f606
SHA512

37fd38b0787167264220cfc6ed1780c4f3f96de16c35c24f80fcd3f4dea6461078ecd35b880d60c04a948bb277a781ef7107b040ace825fe9bbb64e2dac055d4
SSDEEP

393216:/EeCCb3kBl05fCbb1EkHhqZW8s4ky3a70VtVdySAbrxa+aqKvgr/dcL83TzVORhf:cI3kUCbikBWW89a7GVgZbrYTz83TzVO7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4448	reflect.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Macrium Reflect.exe

Loads dropped DLL 5 IoCs

pid	Process
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	reflect.exe
File opened (read-only)	\??\L:	reflect.exe
File opened (read-only)	\??\M:	reflect.exe
File opened (read-only)	\??\W:	reflect.exe
File opened (read-only)	\??\B:	reflect.exe
File opened (read-only)	\??\R:	reflect.exe
File opened (read-only)	\??\S:	reflect.exe
File opened (read-only)	\??\J:	reflect.exe
File opened (read-only)	\??\O:	reflect.exe
File opened (read-only)	\??\P:	reflect.exe
File opened (read-only)	\??\Q:	reflect.exe
File opened (read-only)	\??\D:	reflect.exe
File opened (read-only)	\??\F:	reflect.exe
File opened (read-only)	\??\G:	reflect.exe
File opened (read-only)	\??\H:	reflect.exe
File opened (read-only)	\??\T:	reflect.exe
File opened (read-only)	\??\V:	reflect.exe
File opened (read-only)	\??\X:	reflect.exe
File opened (read-only)	\??\U:	reflect.exe
File opened (read-only)	\??\Y:	reflect.exe
File opened (read-only)	\??\Z:	reflect.exe
File opened (read-only)	\??\A:	reflect.exe
File opened (read-only)	\??\E:	reflect.exe
File opened (read-only)	\??\I:	reflect.exe
File opened (read-only)	\??\N:	reflect.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4448	reflect.exe
Token: SeTakeOwnershipPrivilege	4448	reflect.exe
Token: SeRestorePrivilege	4448	reflect.exe
Token: SeBackupPrivilege	4448	reflect.exe
Token: SeSystemEnvironmentPrivilege	4448	reflect.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4448	reflect.exe
4448	reflect.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe
4448	reflect.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4448	reflect.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 4448	3252	Macrium Reflect.exe	81
PID 3252 wrote to memory of 4448	3252	Macrium Reflect.exe	81
PID 3252 wrote to memory of 4448	3252	Macrium Reflect.exe	81
PID 3252 wrote to memory of 4448	3252	Macrium Reflect.exe	81

C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Macrium Reflect.exe
"C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Macrium Reflect.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\stubexe\0xEC7E9EF5AD987B65\reflect.exe
  "C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\stubexe\0xEC7E9EF5AD987B65\reflect.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\meta\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\reflect.exe.__meta__

Filesize
32B

MD5
dc721c5db2314104f5825dc7fe646c14

SHA1
4c529af69b6fe6fb0ba7b73f82a0844325364468

SHA256
ad9f88aa5429afd1940ee2ee5f0be23c1d4a616036ffdf16b736d714113d9669

SHA512
add5224d85f28c756aad70c9dd438e1bf374cb3d45551f279467849695d0d15705b35c72379e21addbe1c090cbe7308c3cd2be11086b92506112c7dbb9a13ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\modified\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\PrimoBurner64.dll

Filesize
1.8MB

MD5
3082cc915a47ecf2852b127c28a18b8a

SHA1
4ba854934a16011c91d0f880b7c879542c357a26

SHA256
51703b414d58a6f41c7b6be6d1b956dd53e4717c70cfcdd5df502c5fd7057cc4

SHA512
423cfdb6004f0022ec9219c173b6ee1cf1d7a0b7739b24cfa360a7ab2954a8aa506b28b0070eb5a4fcdbad62a40be974c1da46a94816f7ed660373c5f0fa814c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\modified\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\aesdll.dll

Filesize
89KB

MD5
d4347df5fae61671f3fce01cee28d677

SHA1
7b4b14033d768f0a18799be77ea356e6f7f8a2a2

SHA256
177375605a889d4f796543cc263a4377fd60011bb9e9aae142b809d99382d2b7

SHA512
7790fd6d528b8997277239f66ec804acb0f8ee55fc5136e5edec5f3cd1f664f3739d9ccb1574071767a0baa90128f231bf975a36eefcf60916aa3935e3388ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\modified\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\oledlg.dll

Filesize
75KB

MD5
e4b977837712f6e02d12b440f94b4c87

SHA1
1415a7e7673afd9f61294390a1e9ee0e268f77d9

SHA256
745207b0bfe02a7c411b1e569f8169e31c0c8d707a49f99478b105761a0a8833

SHA512
5c68a345ad30417ab92997846e0493a699363bd367f5f71659726415d7be24268eb602ff54aa169dd6c80f698e3b0469a2281b259e91fad31d1763260fa0d7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\modified\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\reflect.exe

Filesize
55.6MB

MD5
656140c416b200fb5d0158299073771b

SHA1
35224a3987049b3f0a47df6f917944bf68d9dd73

SHA256
54bd9b3bc58f0682a5446be017404eb9c2c49ea489e78b561b117fb980e720fb

SHA512
983b58ac393c1cd651d39d6ea1483ebc913431d2c18fcc990a55e0817af82340953908c2b795fc298773977e2be417e5df6efc24f8417502b28c4c64aa27800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\modified\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\reflect.exe

Filesize
55.6MB

MD5
656140c416b200fb5d0158299073771b

SHA1
35224a3987049b3f0a47df6f917944bf68d9dd73

SHA256
54bd9b3bc58f0682a5446be017404eb9c2c49ea489e78b561b117fb980e720fb

SHA512
983b58ac393c1cd651d39d6ea1483ebc913431d2c18fcc990a55e0817af82340953908c2b795fc298773977e2be417e5df6efc24f8417502b28c4c64aa27800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\modified\@APPDATALOCAL@\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Win64\vsssvr.dll

Filesize
567KB

MD5
313430c216a088c8b534793c6bee3168

SHA1
0ac26053ba968f3ea6eb9e19bdfd73e3a82b8fab

SHA256
c3a97e40513962fb59c7ecf78a151d31f5f1d9f00dbc605f96a0d4804052a36b

SHA512
7378bed7713dd058c59b76438caad734026f51fabad1d63ae308477c3558ba738647affa4042f74ff8662d1ceb2ce2cf6346e896a09d52be992eb517c76ec5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\local\stubexe\0xEC7E9EF5AD987B65\reflect.exe

Filesize
27KB

MD5
d8ddb0ee3f3a9f3929c4ec66ec1f5cc0

SHA1
e93aee3e40a6764688da07da3e2b6fc48e1de530

SHA256
6db73af498e3526aa5813b994471487990bc9f16f0b2102b7ef75f5a4a7f16d7

SHA512
071c508ceafdf7d07e62d772e4ed9462de3b5f111abcb1f44a6af7c87dee99851143ddb2d2068098acebfeca6272e40edc1ff8003a05cbcfdcf88cd15d8ba797

Download Submit
C:\Users\Admin\AppData\Local\Temp\Macrium Reflect Technician 7.3.5672 (x64)\Data\Macrium Reflect\xsandbox.bin

Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x120CE4F1F06562CE\sxs\manifests\PrimoBurner64.dll_0x3082CC915A47ECF2852B127C28A18B8A.2.manifest

Filesize
396B

MD5
f93e0fb6283b5abbbb7335a0559b37e4

SHA1
ead4c3eea9397488519c11743cb80fc252324d20

SHA256
0d3c45d19e5e23832b3a633ccf8628dffe8a5dd9a7cd80bc9fbf4d8993f45374

SHA512
fa235dcfdfe3968b7c1a15e3fab6d164ad10f232e6e628881a02ba4f580c7f94e0465ee271e72ec00212b13ccabfe7888ae10b4cc1e061f33aa8fa5fccb372c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x120CE4F1F06562CE\sxs\manifests\aesdll.dll_0xD4347DF5FAE61671F3FCE01CEE28D677.2.manifest

Filesize
379B

MD5
73102579f0cc3777bdd0ba96bab8d6f4

SHA1
08512e731aed9cdfeebf2e8fdc24a35ea23e3477

SHA256
03c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435

SHA512
e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x120CE4F1F06562CE\sxs\manifests\oledlg.dll_0xE4B977837712F6E02D12B440F94B4C87.2.manifest

Filesize
379B

MD5
73102579f0cc3777bdd0ba96bab8d6f4

SHA1
08512e731aed9cdfeebf2e8fdc24a35ea23e3477

SHA256
03c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435

SHA512
e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x120CE4F1F06562CE\sxs\manifests\reflect.exe_0x656140C416B200FB5D0158299073771B.1.manifest

Filesize
2KB

MD5
834852c066ace9b4faaef40170657bb1

SHA1
f762e15f427e5083bd93e31a5cb9e320b1878f0f

SHA256
0da815c6ba2f4d1c6409b636c8c12617cc7a182b812c28bfa9819d8542b8611a

SHA512
0e7964a63f55c20c7758a2aef43c9ae036109fcdb09769eed2f69d258671c866691a200e44436fcb5bf485ed90a24ffd2f82670d806590ca8be391e1787e8468

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x120CE4F1F06562CE\sxs\manifests\vsssvr.dll_0x313430C216A088C8B534793C6BEE3168.2.manifest

Filesize
379B

MD5
73102579f0cc3777bdd0ba96bab8d6f4

SHA1
08512e731aed9cdfeebf2e8fdc24a35ea23e3477

SHA256
03c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435

SHA512
e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13

Download Submit
memory/3252-459-0x0000000000E20000-0x00000000013CB000-memory.dmp

Filesize
5.7MB

Download
memory/3252-144-0x0000000000E20000-0x00000000013CB000-memory.dmp

Filesize
5.7MB

Download
memory/3252-143-0x0000000002CB0000-0x0000000002D6B000-memory.dmp

Filesize
748KB

Download
memory/3252-138-0x0000000002CB0000-0x0000000002D6B000-memory.dmp

Filesize
748KB

Download
memory/3252-132-0x0000000002CB0000-0x0000000002D6B000-memory.dmp

Filesize
748KB

Download
memory/4448-185-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-193-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-172-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-173-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-174-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-177-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-180-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-178-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-179-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-183-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-182-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-184-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-181-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-166-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-176-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-175-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-186-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/4448-189-0x00007FF83D210000-0x00007FF83D3E8000-memory.dmp

Filesize
1.8MB

Download
memory/4448-169-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-190-0x00007FF83D210000-0x00007FF83D3E8000-memory.dmp

Filesize
1.8MB

Download
memory/4448-168-0x0000000000E80000-0x000000000142B000-memory.dmp

Filesize
5.7MB

Download
memory/4448-191-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-192-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-171-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-194-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-195-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-196-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-197-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-198-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-199-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-200-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-201-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-202-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-203-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-204-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-205-0x00007FF859180000-0x00007FF8595F2000-memory.dmp

Filesize
4.4MB

Download
memory/4448-206-0x00007FF858530000-0x00007FF85857E000-memory.dmp

Filesize
312KB

Download
memory/4448-170-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-167-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-165-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-164-0x00007FF84B8C0000-0x00007FF84B8DD000-memory.dmp

Filesize
116KB

Download
memory/4448-159-0x00000000004D0000-0x000000000058B000-memory.dmp

Filesize
748KB

Download
memory/4448-515-0x0000000000E80000-0x000000000142B000-memory.dmp

Filesize
5.7MB

Download
memory/4448-154-0x00000000004D0000-0x000000000058B000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads