9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe
Size

160KB
MD5

42a9eca65137a229e60a9c650c3ba63d
SHA1

c157a1667da99251226bd52e6a21d19efec6b654
SHA256

9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d
SHA512

bdab7d17f5dae52289f04177892f9fb957a168bc663d43d0519d64b0d57ba2ba15a58446389fcdcc2109cc7c51c79c57b3e85297ac7bfed971418b2ef34b1cd6
SSDEEP

768:HtXL+uSmH793RwVR7hoJ0h4h2hQJVNjDkp57xXp5Rmg5Fh4hqhxOhDhzhnhvhzhH:HxqORqzJh4h2hON6x5puwVT0h

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	jauge.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe
2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /C"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /I"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /l"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /v"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /A"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /N"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /y"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /L"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /M"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /F"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /f"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /T"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /X"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /E"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /r"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /d"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /P"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /b"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /z"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /p"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /Y"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /n"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /U"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /S"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /R"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /D"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /w"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /c"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /j"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /s"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /q"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /J"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /x"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /k"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /m"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /G"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /g"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /Z"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /V"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /u"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /B"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /i"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /W"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /a"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /Q"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /K"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /H"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /o"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /e"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /O"	jauge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jauge = "C:\\Users\\Admin\\jauge.exe /h"	jauge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe
3060	jauge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe
3060	jauge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3060	2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe	28
PID 2924 wrote to memory of 3060	2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe	28
PID 2924 wrote to memory of 3060	2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe	28
PID 2924 wrote to memory of 3060	2924	9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe	28
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27
PID 3060 wrote to memory of 2924	3060	jauge.exe	27

C:\Users\Admin\AppData\Local\Temp\9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe
"C:\Users\Admin\AppData\Local\Temp\9c70c93e0a97b71e5907cfc2c926b454ff94cda2c24c98a8dc0d25291305734d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\jauge.exe
  "C:\Users\Admin\jauge.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\jauge.exe

Filesize
160KB

MD5
3b349d4792003cac62c7ef47d1f69514

SHA1
5e518d4a3df4b7eadfc59ffb1e5e129e17e2a92c

SHA256
ec9dec3ce57c9d385fcb3eccf9d2fbff5bfac51f17a08c5a078f4a4c4f5623ea

SHA512
4713fedaee018c884b28fab2ef348ba25d826abd49ab110208fa738367db19d86a7c29f2651a6eb63a137eed558e1a7e8b623df5b4436a3c8def91a31ee8904a

Download Submit