c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
Size

342KB
MD5

13167bb4a4963de24a29e492cfd45526
SHA1

3e14131385182a1bf655a470e0971cf671f8b343
SHA256

c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0
SHA512

1bffda55610aa83ef945b11934b75135d2c18e9b3ac86278f7509b315eae8a3cfd40ff9b4f99e538b987688ab11505a29edc520283129183571f157d66909ff2
SSDEEP

6144:ye34ybt4OV75+ZPPfnE2Qyn2FEtt2NB6+sbKRr2phy9jBDW0jHPTDX+kqWr:F7VF+ZPPfnEUnsEWfXsbKop0xBDW0gS

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe

Executes dropped EXE 4 IoCs

pid	Process
2072	ReimageExpress.exe
3724	sqlite3.exe
3720	sqlite3.exe
4940	sqlite3.exe

Loads dropped DLL 28 IoCs

pid	Process
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe
2072	ReimageExpress.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Reimage.ini	ReimageExpress.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1012	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	tasklist.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2072	1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe	87
PID 1576 wrote to memory of 2072	1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe	87
PID 1576 wrote to memory of 2072	1576	c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe	87
PID 2072 wrote to memory of 2584	2072	ReimageExpress.exe	89
PID 2072 wrote to memory of 2584	2072	ReimageExpress.exe	89
PID 2072 wrote to memory of 2584	2072	ReimageExpress.exe	89
PID 2584 wrote to memory of 3724	2584	cmd.exe	91
PID 2584 wrote to memory of 3724	2584	cmd.exe	91
PID 2584 wrote to memory of 3724	2584	cmd.exe	91
PID 2072 wrote to memory of 4564	2072	ReimageExpress.exe	92
PID 2072 wrote to memory of 4564	2072	ReimageExpress.exe	92
PID 2072 wrote to memory of 4564	2072	ReimageExpress.exe	92
PID 4564 wrote to memory of 3720	4564	cmd.exe	94
PID 4564 wrote to memory of 3720	4564	cmd.exe	94
PID 4564 wrote to memory of 3720	4564	cmd.exe	94
PID 2072 wrote to memory of 4412	2072	ReimageExpress.exe	95
PID 2072 wrote to memory of 4412	2072	ReimageExpress.exe	95
PID 2072 wrote to memory of 4412	2072	ReimageExpress.exe	95
PID 4412 wrote to memory of 4940	4412	cmd.exe	97
PID 4412 wrote to memory of 4940	4412	cmd.exe	97
PID 4412 wrote to memory of 4940	4412	cmd.exe	97
PID 2072 wrote to memory of 5116	2072	ReimageExpress.exe	98
PID 2072 wrote to memory of 5116	2072	ReimageExpress.exe	98
PID 2072 wrote to memory of 5116	2072	ReimageExpress.exe	98
PID 5116 wrote to memory of 1012	5116	cmd.exe	100
PID 5116 wrote to memory of 1012	5116	cmd.exe	100
PID 5116 wrote to memory of 1012	5116	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe
"C:\Users\Admin\AppData\Local\Temp\c737ae9061f78064e29880743e165419c652e786d418fd5899cdffb3edcb97f0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\ReimageExpress.exe
  "C:\Users\Admin\AppData\Local\Temp\ReimageExpress.exe" /tracking=0 /campaign=0 /adgroup=0 /ads_name=0 /keyword=0 /toolbar=0 /RunSilent=false
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzqgx44a.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimage-express.com' and name='_trackid_product_3';"
      4⤵
      Executes dropped EXE
      PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzqgx44a.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimage-express.com' and name='_tracking_product_3';"
      4⤵
      Executes dropped EXE
      PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hzqgx44a.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimage-express.com' and name='_campaign_product_3';"
      4⤵
      Executes dropped EXE
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq ReiExpressContainer.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq ReiExpressContainer.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageExpress.exe

Filesize
577KB

MD5
fc08b6e887f1d41ac54077b77c07c7e2

SHA1
33049b804f6837579ad782694692273ffd43ed17

SHA256
4927db5db98ede64b945417f7acadb3a8a12a5a41a058988351ff5082d561749

SHA512
10c124d2a459b88884423e85dd1a928ef9c3e49f3c4a43264154c98dde905274ba3de75f14b9636977fe4abc67a4e31a65cee17cf6df6a2be70663a6b9ed4186

Download Submit
C:\Users\Admin\AppData\Local\Temp\express_pre.xml

Filesize
575B

MD5
5f883327ba1ec3e78cfbbab76cddc765

SHA1
072bc8112fabfa5481ee9aa7f9f712cf343110d6

SHA256
ae2319748a4d00f1dcec5b891a50323798b1ec1dae3bcc0ffbb3558bd9d00990

SHA512
de41465d2d86de56314a429231db88a55dec32d234d7807098b7a7eafc19a828512c3fb4c8882040c47eba701d69cbd03e6a49857fb63f88372780687b4ec721

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6FC6.tmp

Filesize
263B

MD5
a74e460ce951f9514c4f2d224c563814

SHA1
846ee6307d98bc0196ee9107132597a92f9282b1

SHA256
b942052f16629201c2c73654fb066192b787404bd1274bf4ca436d225789f812

SHA512
cde0f8724c7c9d7183f465f1d4da5f957a8a5ba2cf806b4abb3f5ea3fa75f02a9717893a63a22cb9ff9bbcea7fb23ab8508b85aecbff18a52727a687dd44fe27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\Banner.dll

Filesize
3KB

MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\inetc.dll

Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A64.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\LogEx.dll

Filesize
44KB

MD5
b81d861d63b6cfcd4c973976d52b46c9

SHA1
4ba82a45fcd6e1f38ff4f0d72cc776c7fb18b52f

SHA256
0bc75e5a0b96628a27b3de56711ac4230897f84e09ab20a21bc64f5087d9b09c

SHA512
5b0010b76160ec7a3e11466bafe8bdbff3e5375d60efe0d46e5e0dcee96f6ac99ee7075d94f74161f19f721c10fb7749e8d43d7fcb58cc5ad2e8db353f4d2877

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\MSIBanner.dll

Filesize
6KB

MD5
fea0c85c62e30be8b749a63b96d42ebe

SHA1
e1008e97423ccd76fc648b5bf8cca15aa06a16d7

SHA256
8029b1186348a972ae6ea251a7f31303686d2cfacab69a8ee5108b15c67a6852

SHA512
3c78a842e8983239706ba76a3d322918c65a4560ccd6118291b3cb011d4fc959512bc96e4236f6b9581e19a9e439b470471be488c0ef70a02749a66b45d1f14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\inetc.dll

Filesize
20KB

MD5
02abab104802d8bae10ff32336618f30

SHA1
ef07de246acdb7a247698ec6e1f3bb8fb540f0a9

SHA256
f7fb322eef8b0bc3e92e3bf10071fb76b3a9d597412fc2fb91e2382d9b17022e

SHA512
47e16046ff683d1b2ad6935993571017076897eecb73421ec89f6fd21dd705c5e4aca269bc2650560b6bc8326cbd39851c90591235f056bbbc9494a23494cc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\stack.dll

Filesize
10KB

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\xml.dll

Filesize
118KB

MD5
42df1fbaa87567adf2b4050805a1a545

SHA1
b892a6efbb39b7144248e0c0d79e53da474a9373

SHA256
e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845

SHA512
4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6D45.tmp

Filesize
263B

MD5
6af718a5ef71804e3ec434f068a23ab1

SHA1
81527139510eadfd374172ee8a15a1665aca5e0f

SHA256
5f8023213146c06ee6ade2e8bcaef1310f7fee5598968b9040eb29cfa86a5a9a

SHA512
682e617a3f4a9faeb844a1086d188ac97a0d0cd9d68938651d4433aaecf619c9d0189207c11e8dafd9b55bc3acf5041692fcc412a65cc61fe08b8dba981776cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6AF2.tmp

Filesize
262B

MD5
7e8065b4d37ebafa370606f7021c5638

SHA1
a9326de15e388f1f07e43eef4bdf96afbb0cf6a6

SHA256
9bf7823b8bcf58df06aae8d4be510e7a8d04951e92f8a9c441c15ddba7654463

SHA512
b01dceb5381f57447326e410c3b30f51c828c1ede26863b29009dc3aeb5001af71ae76993e68a7e8c004feaa60673347acab09558702ea22c354b46e6ae8862f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

Filesize
477KB

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
memory/1576-33-0x0000000003520000-0x0000000003541000-memory.dmp

Filesize
132KB

Download
memory/2072-181-0x0000000005B20000-0x0000000005B2B000-memory.dmp

Filesize
44KB

Download
memory/3720-153-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3724-137-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4940-169-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download