d081165a2b369387a4161ff1be291cb532797dd16044e4b0994614e97bf9bd4f

Sharing

Copy URL Twitter E-mail

General

Target

Macrium.Reflect.8.1.7847.x64.rar
Size

396.3MB
Sample

240305-tl3krabg78
MD5

16a519722418432f876497d04dfb9803
SHA1

7e82381293d01038ffc41c6123b48616ebb5d383
SHA256

d081165a2b369387a4161ff1be291cb532797dd16044e4b0994614e97bf9bd4f
SHA512

c843baa2f3611299124edd888860e67433a205b0a06573f4125d15532e4dd7824df09c80e2c0634286fe18389f7b8677db50a8f8ed484b297d6cf815399885f1
SSDEEP

12582912:ctXkytOHasjp0ngZT94PhLeMiRkbDi2Pgw0:YXbOHzj8gELmWD7q

Score

10^/10

persistence upx

Malware Config

Targets

- Target
  
  Macrium.Reflect.8.1.7847.x64.rar
- Size
  
  396.3MB
- MD5
  
  16a519722418432f876497d04dfb9803
- SHA1
  
  7e82381293d01038ffc41c6123b48616ebb5d383
- SHA256
  
  d081165a2b369387a4161ff1be291cb532797dd16044e4b0994614e97bf9bd4f
- SHA512
  
  c843baa2f3611299124edd888860e67433a205b0a06573f4125d15532e4dd7824df09c80e2c0634286fe18389f7b8677db50a8f8ed484b297d6cf815399885f1
- SSDEEP
  
  12582912:ctXkytOHasjp0ngZT94PhLeMiRkbDi2Pgw0:YXbOHzj8gELmWD7q
Score

10^/10

persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1
- Target
  
  Macrium.Reflect.8.1.7847.x64/Macrium.Reflect-Cleaner-hawk007.rar
- Size
  
  1.2MB
- MD5
  
  4daaf336395d622e3bfee309d0a457a2
- SHA1
  
  e4ebc7e6332127a1c991d30fa74e2a4f0a54bcd3
- SHA256
  
  05e657223f226008280358ea1338fea588a288b992ed7a5d78169266830d205f
- SHA512
  
  fc70c5b8d0f7f00c16028efd4dc6e81e48d4acfb84f68061213095375b8884dee83e12cc4f6757078e8116370ecd7ec8397408a3656736d02756ca911ef4b0dd
- SSDEEP
  
  24576:PVmAImcwkayuf3px9rKwAFvspmelsHsthUHHqiMpQyKdQ33fZNSH6RlJ40BIPf6G:Pgmc1aff3p/Ktt8meiHsrUHH/sbHRQHf
Score

3^/10
behavioral2
- Target
  
  Cleaner.exe
- Size
  
  1.2MB
- MD5
  
  4730239db03a288f88b2fcdba98ccd8c
- SHA1
  
  90a332972128f91adece2e613f8ef6b19d984b8d
- SHA256
  
  56b43a9f785921257e1e93a32f32ac8774d9218f3c475123cea577700ac37fe0
- SHA512
  
  eeb342399a82d571e0f54829189dfc42a448d186ca4ad56d211ad906ee55f2545f4452a6e391531ef810a8d24d3d0b5949ebb8d43a2b86e08994b1a656b3e0ca
- SSDEEP
  
  24576:j4GHnhIzOa51kAMI+i3zgK946teJzrfm+b/MYEK7cVsAZRD:8shdaKjik9fd/MZKgVs
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral3
- Target
  
  out.upx
- Size
  
  1.7MB
- MD5
  
  69fded9b3f6de7f54c9ce807ddbd65c0
- SHA1
  
  8406ca642836f459613161dee7a46d095b65c217
- SHA256
  
  c155eec04a9ddf3f2fbb9689602942624acd703ac50502e2c9bd9386e8dfe7d2
- SHA512
  
  d9d602b19f90511b15965bbdde8e00dbfe9fc08e5ea30846352cd980b3884f53f0940c27e6d04ba1ffbf70af23367f82b4b6c5159d047397baf5c222ca9b53eb
- SSDEEP
  
  24576:7Cdxte/80jYLT3U1jfwv1kAMI+i3zgK946teJzrfm+b/MYEK7cVsAZRD:Sw80cTsjYojik9fd/MZKgVs
Score

3^/10
behavioral4
- Target
  
  Readme.txt
- Size
  
  411B
- MD5
  
  df5cc126cd18cef657a34451c01bd106
- SHA1
  
  a3bd5ac8be44003173cf790ebecd637fdf0b68f8
- SHA256
  
  b6200fb4513de7f42aa5e52b0e0d09c0ceab0f7958f878e6263fd55a71fd00bb
- SHA512
  
  59fbdce3ab27af4af9310b22e92dbb02a6830995e453aaacdd9fd605df95c39cd7887b47316a6b4a163a9ff07e5b8a04c86f88cd9b5692cae142022d4fef94e8
Score

3^/10
behavioral5
- Target
  
  Macrium.Reflect.8.1.7847.x64/Macrium.Reflect-Cleaner-hawk007/Cleaner.exe
- Size
  
  1.2MB
- MD5
  
  4730239db03a288f88b2fcdba98ccd8c
- SHA1
  
  90a332972128f91adece2e613f8ef6b19d984b8d
- SHA256
  
  56b43a9f785921257e1e93a32f32ac8774d9218f3c475123cea577700ac37fe0
- SHA512
  
  eeb342399a82d571e0f54829189dfc42a448d186ca4ad56d211ad906ee55f2545f4452a6e391531ef810a8d24d3d0b5949ebb8d43a2b86e08994b1a656b3e0ca
- SSDEEP
  
  24576:j4GHnhIzOa51kAMI+i3zgK946teJzrfm+b/MYEK7cVsAZRD:8shdaKjik9fd/MZKgVs
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral6
- Target
  
  out.upx
- Size
  
  1.7MB
- MD5
  
  69fded9b3f6de7f54c9ce807ddbd65c0
- SHA1
  
  8406ca642836f459613161dee7a46d095b65c217
- SHA256
  
  c155eec04a9ddf3f2fbb9689602942624acd703ac50502e2c9bd9386e8dfe7d2
- SHA512
  
  d9d602b19f90511b15965bbdde8e00dbfe9fc08e5ea30846352cd980b3884f53f0940c27e6d04ba1ffbf70af23367f82b4b6c5159d047397baf5c222ca9b53eb
- SSDEEP
  
  24576:7Cdxte/80jYLT3U1jfwv1kAMI+i3zgK946teJzrfm+b/MYEK7cVsAZRD:Sw80cTsjYojik9fd/MZKgVs
Score

3^/10
behavioral7
- Target
  
  Macrium.Reflect.8.1.7847.x64/Macrium.Reflect-Cleaner-hawk007/Readme.txt
- Size
  
  411B
- MD5
  
  df5cc126cd18cef657a34451c01bd106
- SHA1
  
  a3bd5ac8be44003173cf790ebecd637fdf0b68f8
- SHA256
  
  b6200fb4513de7f42aa5e52b0e0d09c0ceab0f7958f878e6263fd55a71fd00bb
- SHA512
  
  59fbdce3ab27af4af9310b22e92dbb02a6830995e453aaacdd9fd605df95c39cd7887b47316a6b4a163a9ff07e5b8a04c86f88cd9b5692cae142022d4fef94e8
Score

3^/10
behavioral8
- Target
  
  Macrium.Reflect.8.1.7847.x64/Macrium_Reflect-7.x_8.x-patch.zip
- Size
  
  62KB
- MD5
  
  b68797124dd5f49fecdf52db59b25955
- SHA1
  
  7c92b9f2189e370cfecda89502607a6f37ae4922
- SHA256
  
  45f36a1392dc6e4d8c3f03dcd1861b7a105f2549c14dfcea0431ecc3aba0c32c
- SHA512
  
  a4d63bb61804320abe0af64dc1dc4dd3324a98932e60c2a69919254abe360f23ebfe7cf2e45ac69e8b8c102aa8dd181b2a8e5ab026c83b5d378a108b50432ffb
- SSDEEP
  
  1536:pjRg+10B0u02/nQlpvGNSlTGBF8y4GWbLj0xMDp/Fn6Z+x1SR:9K+1eNC+N0SX8y4zcg+zR
Score

1^/10
behavioral9
- Target
  
  Macrium_Reflect-7.x_8.x-patch.exe
- Size
  
  66KB
- MD5
  
  60f7348c6f666071e3969d16a278711e
- SHA1
  
  5ec5f17e237c1d9991c4aae56f093372421771b0
- SHA256
  
  e4152620b9c4b5ebb73678d6c8aedddd784a41f80412dcd1d89527e3160f756a
- SHA512
  
  1d4027b7bb8bb68d21497293fb611d9a499cb192e0abc2c10690eb86f498e424ea206ee207354297c952fef093f6656d98720e1bd4bea982d447a869cbba4b2c
- SSDEEP
  
  1536:6TL5Kt5xaXJ/pvGNSlTGBF8y4GubLj03uxfbnxDLv5j:6T4WR+N0SX8y4RdFbnhR
Score

7^/10
- Loads dropped DLL
behavioral10
- Target
  
  Macrium.Reflect.8.1.7847.x64/Macrium_Reflect-7.x_8.x-patch/Macrium_Reflect-7.x_8.x-patch.exe
- Size
  
  66KB
- MD5
  
  60f7348c6f666071e3969d16a278711e
- SHA1
  
  5ec5f17e237c1d9991c4aae56f093372421771b0
- SHA256
  
  e4152620b9c4b5ebb73678d6c8aedddd784a41f80412dcd1d89527e3160f756a
- SHA512
  
  1d4027b7bb8bb68d21497293fb611d9a499cb192e0abc2c10690eb86f498e424ea206ee207354297c952fef093f6656d98720e1bd4bea982d447a869cbba4b2c
- SSDEEP
  
  1536:6TL5Kt5xaXJ/pvGNSlTGBF8y4GubLj03uxfbnxDLv5j:6T4WR+N0SX8y4RdFbnhR
Score

7^/10
- Loads dropped DLL
behavioral11
- Target
  
  Macrium.Reflect.8.1.7847.x64/XML/KaraPCImageBackup.xml
- Size
  
  10KB
- MD5
  
  ddb2544cacee1e664c9e4fdb6d9428af
- SHA1
  
  0059c5a351a9b2bd8510d4d4d52e5569933bd109
- SHA256
  
  e0d6018e4cc62a71afdcc08e6d583a617454ca7671251f864282e89a90526abb
- SHA512
  
  59ce3cfbf476b05ab5bf84cf12f18ba5db17efd24525140362e49dfdec60b002c367565b99320cc70560a58793532abff2b7b898e3abce2023e51df4d7846bdc
- SSDEEP
  
  96:MIsY5LzaVKf0+/NxxR0kHwPaLUT3dQ0F0kBVvMOzPlVIrBe/KNa07:MUHasfv/NJfMza0F0kBVEOLl6rBe/8aq
Score

1^/10
behavioral12
- Target
  
  Macrium.Reflect.8.1.7847.x64/XML/Tails.xml
- Size
  
  10KB
- MD5
  
  a69d40f12272d1283d0c29f180624c77
- SHA1
  
  9317a83646933ff7790ecabec4d12a23975bebd5
- SHA256
  
  8226b950836d21147dd7b0253d5a35713021b521d153944b614624bb2b75ab1f
- SHA512
  
  a87c7bcf327a98b5ba4f88ca3936da360558d8be405793ec398344b5b163cd45955eb2dde68bc778a9bb53e0f8fb065333402e4c677e075d5b2f6e6a4056dafa
- SSDEEP
  
  96:MIsY5LP71VKf0+/NWxS0kHwPaLUT3dOOqOkBObDOfdPAsIrBe/KNI0G:MUz71sfv/NdfMzkOqOkBOPOtCrBe/8Ip
Score

1^/10
behavioral13
- Target
  
  Macrium.Reflect.8.1.7847.x64/XML/sync.ffs_db
- Size
  
  137B
- MD5
  
  a19340fdb9835672dc4aea058f32ce13
- SHA1
  
  69b2c87f8a29c17a4bcb4ed2abd0441012379bd7
- SHA256
  
  dc1689d45e3ebdcb9e9e8b31b040f1820a6e462eee81b7cd7ca1cf8cad04b5f0
- SHA512
  
  d0f79e24f7dc6bb95aec85f4e43db7ba7e0b649e5aa5cf096ae4a27a2b04185ab956e8fbf40f01805b9eca009ea21635858841135d422c1566e10856c3e29ff8
Score

3^/10
behavioral14
- Target
  
  Macrium.Reflect.8.1.7847.x64/readme.txt
- Size
  
  70B
- MD5
  
  1cc1260cf1d109094dc92cd811db4fbe
- SHA1
  
  ccbe7c3deb9bde2698c36c4b250bbeacff4fb532
- SHA256
  
  9db9b76bea53d6275623ba8ad84552210670eb8dad11a3e834a11ef70ff70ae1
- SHA512
  
  919c9ebdcd7d0ede4a45bf84783ccbcc45dd6813e571299897cda66922745ee6f4b5be53aed8e0446b610a405b2108a9b9710bb4b168e9419d36146c9a3bf53d
Score

3^/10
behavioral15
- Target
  
  Macrium.Reflect.8.1.7847.x64/reflect_server_plus_setup_x64.exe
- Size
  
  237.5MB
- MD5
  
  696e1740a635d0ce9f2e2e4a4bca874f
- SHA1
  
  fe1e19c811a1dc58be6c442c164f5dbdebd78855
- SHA256
  
  5fcfe49689365334a9ebfd15252616fabe031eaaf335625c7911e6e771c0a176
- SHA512
  
  8d428a32d07c6f7c36bf5c1169551409a6a40d20d2bb497550a1fc4cbc38e311215b7c33d0a43145bd504ea5ddf2bd420774a49c773f548dd623c475c58c1a96
- SSDEEP
  
  3145728:DtGtn+6bYkCezYlqOCAFuXc2qRi9EzXM0NwR6QAJAYxuXJWdIzbyzsBQTceZuGuz:WlCaYl1uERi9Ew0+MxkkIeg66HGT8
Score

1^/10
behavioral16
- Target
  
  Macrium.Reflect.8.1.7847.x64/reflect_wkstn_setup_x64_3.exe
- Size
  
  210.4MB
- MD5
  
  83785a7969bf98ce679d3d62fba2fb2d
- SHA1
  
  0855ad21f5592122b8e3a9a9d5842479dbade182
- SHA256
  
  714140c31422f438970af22fb12e5b71f86fa147ee92d172af9945c1eac4cc78
- SHA512
  
  6a532c2854cac877e7966525b599db877ddac85268a117634f302e50cdb7b81446759234d19ffb161c127309ae726a4b38a58aa6c595d2bc73cdcecddc18527c
- SSDEEP
  
  3145728:bt6zycfI+qGXlyoAlnLzfASvIC06DLlirenqv9O+S6FRMEAuKxQBcvO3JQU9c6wq:YZTqGalnHGX8linEZMRXXEkRuUvt
Score

1^/10
behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Adds Run key to start application

Enumerates connected drives

UPX packed file

AutoIT Executable

UPX packed file

AutoIT Executable

Loads dropped DLL

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17