478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c

General

Target

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
Size

164KB
MD5

601957ad3967f7c2456a619bb4772bc0
SHA1

03a52842abd2f7126308642541fafdef5200559f
SHA256

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c
SHA512

35a024475095573edc8d5cbd0127a3f47ad92958ec81b5183a93897fbc9ee18a9acac385f2b7acd6eafa7250778e4b9de0c6f295b02362db18c3814b5be3bf77
SSDEEP

3072:hsUaAUAatoYj3Bc8T828UAw1XiazCgaN8L2YAgt4oQZiE0O:gAxNaxc8Y28I1XiUq8sg/Wn

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exekauvin.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kauvin.exe

Executes dropped EXE 1 IoCs

Processes:

kauvin.exe

pid process

1988 kauvin.exe

pid	process
1988	kauvin.exe

Loads dropped DLL 2 IoCs

Processes:

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe

pid	process
900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kauvin.exe478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /l"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /r"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /D"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /Q"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /p"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /A"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /j"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /y"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /x"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /e"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /q"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /G"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /C"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /W"	kauvin.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /d"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /T"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /w"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /f"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /Y"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /X"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /Z"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /m"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /R"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /k"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /c"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /F"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /L"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /i"	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /s"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /B"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /z"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /v"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /o"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /V"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /u"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /O"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /N"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /P"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /h"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /E"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /K"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /M"	kauvin.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /a"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /S"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /I"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /i"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /J"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /g"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /U"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /b"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /H"	kauvin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\kauvin = "C:\\Users\\Admin\\kauvin.exe /t"	kauvin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exekauvin.exe

pid	process
900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe
1988	kauvin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exekauvin.exe

pid process

900 478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
1988 kauvin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe

description	pid	process	target process
PID 900 wrote to memory of 1988	900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe	kauvin.exe
PID 900 wrote to memory of 1988	900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe	kauvin.exe
PID 900 wrote to memory of 1988	900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe	kauvin.exe
PID 900 wrote to memory of 1988	900	478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe	kauvin.exe

C:\Users\Admin\AppData\Local\Temp\478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe
"C:\Users\Admin\AppData\Local\Temp\478c0fef9ae3f24eb10a7efb98f3eee21a0ea0fd0c01a78c14d6703e737c469c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\kauvin.exe
"C:\Users\Admin\kauvin.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kauvin.exe
Filesize
164KB

MD5
c04f2340f0f542c19c4d1617e616bfc5

SHA1
b7b2adc00dd0a95cfce019110630cd13b5164357

SHA256
8aed1bda2f7128a090111c8b283d6bdbf15ff6123a8004ce90c2fc61991e4060

SHA512
b59ef7f08617e389542361e265c9f76cc2b9a0ba1d5679c4de4a6e327988f2843340cbce6c347a5a3c89bbb43a4db7d25a5f8f515f49c1a2fe10376f92155982

Download Submit
C:\Users\Admin\kauvin.exe
Filesize
164KB

MD5
c04f2340f0f542c19c4d1617e616bfc5

SHA1
b7b2adc00dd0a95cfce019110630cd13b5164357

SHA256
8aed1bda2f7128a090111c8b283d6bdbf15ff6123a8004ce90c2fc61991e4060

SHA512
b59ef7f08617e389542361e265c9f76cc2b9a0ba1d5679c4de4a6e327988f2843340cbce6c347a5a3c89bbb43a4db7d25a5f8f515f49c1a2fe10376f92155982

Download Submit
\Users\Admin\kauvin.exe
Filesize
164KB

MD5
c04f2340f0f542c19c4d1617e616bfc5

SHA1
b7b2adc00dd0a95cfce019110630cd13b5164357

SHA256
8aed1bda2f7128a090111c8b283d6bdbf15ff6123a8004ce90c2fc61991e4060

SHA512
b59ef7f08617e389542361e265c9f76cc2b9a0ba1d5679c4de4a6e327988f2843340cbce6c347a5a3c89bbb43a4db7d25a5f8f515f49c1a2fe10376f92155982

Download Submit
\Users\Admin\kauvin.exe
Filesize
164KB

MD5
c04f2340f0f542c19c4d1617e616bfc5

SHA1
b7b2adc00dd0a95cfce019110630cd13b5164357

SHA256
8aed1bda2f7128a090111c8b283d6bdbf15ff6123a8004ce90c2fc61991e4060

SHA512
b59ef7f08617e389542361e265c9f76cc2b9a0ba1d5679c4de4a6e327988f2843340cbce6c347a5a3c89bbb43a4db7d25a5f8f515f49c1a2fe10376f92155982

Download Submit
memory/900-56-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads