f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d

General

Target

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
Size

68KB
MD5

5d0bcf65e99975ba26e26bc3fa9cfb26
SHA1

8367875927c01a3ac8bbaa56d23683550ec8dd81
SHA256

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d
SHA512

0289456e640ae48325b47a325f07dc710fd7907e21d847c0580b694da71cd3e0d2e778d3aef64dbe2602806ea06f629b3bfdf929da2fcc738822a92c73c42629
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8NE:Olg35GTslA5t3/w8NE

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	pvetax-ouved.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\IsInstalled = "1"	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\StubPath = "C:\\Windows\\system32\\ubbaneam.exe"	pvetax-ouved.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouhloaboab.exe"	pvetax-ouved.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	pvetax-ouved.exe

Executes dropped EXE 2 IoCs

Processes:

pvetax-ouved.exepvetax-ouved.exe

pid process

1240 pvetax-ouved.exe
1208 pvetax-ouved.exe

Loads dropped DLL 3 IoCs

Processes:

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exepvetax-ouved.exe

pid	process
2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
1240	pvetax-ouved.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	pvetax-ouved.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ulvevoas-udid.dll"	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	pvetax-ouved.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	pvetax-ouved.exe

Drops file in System32 directory 9 IoCs

Processes:

pvetax-ouved.exef4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\pvetax-ouved.exe	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\pvetax-ouved.exe	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
File created	C:\Windows\SysWOW64\pvetax-ouved.exe	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
File created	C:\Windows\SysWOW64\ouhloaboab.exe	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\ubbaneam.exe	pvetax-ouved.exe
File created	C:\Windows\SysWOW64\ulvevoas-udid.dll	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\ouhloaboab.exe	pvetax-ouved.exe
File created	C:\Windows\SysWOW64\ubbaneam.exe	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\ulvevoas-udid.dll	pvetax-ouved.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pvetax-ouved.exepvetax-ouved.exe

pid	process
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1208	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe
1240	pvetax-ouved.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exepvetax-ouved.exe

description	pid	process
Token: SeDebugPrivilege	2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
Token: SeDebugPrivilege	1240	pvetax-ouved.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exepvetax-ouved.exe

description	pid	process	target process
PID 2740 wrote to memory of 1240	2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 2740 wrote to memory of 1240	2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 2740 wrote to memory of 1240	2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 2740 wrote to memory of 1240	2740	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 1240 wrote to memory of 436	1240	pvetax-ouved.exe	winlogon.exe
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1208	1240	pvetax-ouved.exe	pvetax-ouved.exe
PID 1240 wrote to memory of 1208	1240	pvetax-ouved.exe	pvetax-ouved.exe
PID 1240 wrote to memory of 1208	1240	pvetax-ouved.exe	pvetax-ouved.exe
PID 1240 wrote to memory of 1208	1240	pvetax-ouved.exe	pvetax-ouved.exe
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE
PID 1240 wrote to memory of 1200	1240	pvetax-ouved.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
"C:\Users\Admin\AppData\Local\Temp\f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\pvetax-ouved.exe
"C:\Windows\system32\pvetax-ouved.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\pvetax-ouved.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ouhloaboab.exe
Filesize
71KB

MD5
b01fe8947b4b192d8f592dee3e254245

SHA1
8f59e5170eae49d711659fb3ead36d5ee547aed4

SHA256
3159bfd6035ba1e1424dc063a27e3a75032611e0e8d32243ac85b61624aec6e0

SHA512
f087259853d71c8ca60adb7d9a9c1d6bb2cf1129cc9673b07be5fcf4e22c0ae080a0c171941e83424a2f4af0da1cf998b1c7486a94e685270ef6d1a153040b36

Download Submit
C:\Windows\SysWOW64\ubbaneam.exe
Filesize
70KB

MD5
afedbcf1ca651774aee804233fadbdaa

SHA1
0335ba0311f2d382436cf6e064b8e132403753cc

SHA256
878d96ea603c762a96e616a537fd07bca7ccef39070bfd8f3c4b8d23773b6433

SHA512
6b3f13613c234d73cf04cebfa9f097077b2dd0a192665791b2df66a2e524df17c46a3fc0ea0eb21f7d3fb9d02fcbcc028c79afccbd8f5f10d1ac83db304afa7a

Download Submit
C:\Windows\SysWOW64\ulvevoas-udid.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
\Windows\SysWOW64\pvetax-ouved.exe
Filesize
68KB

MD5
5d0bcf65e99975ba26e26bc3fa9cfb26

SHA1
8367875927c01a3ac8bbaa56d23683550ec8dd81

SHA256
f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d

SHA512
0289456e640ae48325b47a325f07dc710fd7907e21d847c0580b694da71cd3e0d2e778d3aef64dbe2602806ea06f629b3bfdf929da2fcc738822a92c73c42629

Download Submit
memory/1208-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1240-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2740-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads