f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d

General

Target

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
Size

68KB
MD5

5d0bcf65e99975ba26e26bc3fa9cfb26
SHA1

8367875927c01a3ac8bbaa56d23683550ec8dd81
SHA256

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d
SHA512

0289456e640ae48325b47a325f07dc710fd7907e21d847c0580b694da71cd3e0d2e778d3aef64dbe2602806ea06f629b3bfdf929da2fcc738822a92c73c42629
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8NE:Olg35GTslA5t3/w8NE

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	pvetax-ouved.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41565A43-565a-4d5a-4156-5A43565A4d5a}	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41565A43-565a-4d5a-4156-5A43565A4d5a}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41565A43-565a-4d5a-4156-5A43565A4d5a}\IsInstalled = "1"	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41565A43-565a-4d5a-4156-5A43565A4d5a}\StubPath = "C:\\Windows\\system32\\ubbaneam.exe"	pvetax-ouved.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouhloaboab.exe"	pvetax-ouved.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	pvetax-ouved.exe

Executes dropped EXE 2 IoCs

Processes:

pvetax-ouved.exepvetax-ouved.exe

pid process

4460 pvetax-ouved.exe
1448 pvetax-ouved.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	pvetax-ouved.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	pvetax-ouved.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

pvetax-ouved.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	pvetax-ouved.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ulvevoas-udid.dll"	pvetax-ouved.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	pvetax-ouved.exe

Drops file in System32 directory 9 IoCs

Processes:

pvetax-ouved.exef4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ubbaneam.exe	pvetax-ouved.exe
File created	C:\Windows\SysWOW64\ubbaneam.exe	pvetax-ouved.exe
File created	C:\Windows\SysWOW64\ulvevoas-udid.dll	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\ulvevoas-udid.dll	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\pvetax-ouved.exe	pvetax-ouved.exe
File opened for modification	C:\Windows\SysWOW64\pvetax-ouved.exe	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
File created	C:\Windows\SysWOW64\pvetax-ouved.exe	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
File opened for modification	C:\Windows\SysWOW64\ouhloaboab.exe	pvetax-ouved.exe
File created	C:\Windows\SysWOW64\ouhloaboab.exe	pvetax-ouved.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pvetax-ouved.exepvetax-ouved.exe

pid	process
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
1448	pvetax-ouved.exe
1448	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe
4460	pvetax-ouved.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exepvetax-ouved.exe

description	pid	process
Token: SeDebugPrivilege	2036	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
Token: SeDebugPrivilege	4460	pvetax-ouved.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exepvetax-ouved.exe

description	pid	process	target process
PID 2036 wrote to memory of 4460	2036	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 2036 wrote to memory of 4460	2036	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 2036 wrote to memory of 4460	2036	f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe	pvetax-ouved.exe
PID 4460 wrote to memory of 616	4460	pvetax-ouved.exe	winlogon.exe
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 1448	4460	pvetax-ouved.exe	pvetax-ouved.exe
PID 4460 wrote to memory of 1448	4460	pvetax-ouved.exe	pvetax-ouved.exe
PID 4460 wrote to memory of 1448	4460	pvetax-ouved.exe	pvetax-ouved.exe
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE
PID 4460 wrote to memory of 3512	4460	pvetax-ouved.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe
"C:\Users\Admin\AppData\Local\Temp\f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\pvetax-ouved.exe
"C:\Windows\system32\pvetax-ouved.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\pvetax-ouved.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ouhloaboab.exe
Filesize
71KB

MD5
ec9611c47f5b2d3e52551e2c63f49c3e

SHA1
905384c69f972f157184f2f815d4a04873873a71

SHA256
1059a5654ca3fb85e5d48cd94d6c9a04cc9f08845d03049eee9fa0ddd42430de

SHA512
9a1a9b7ec38a4cea771207886a5942613801e79de610695bca93263f43388d247c49f917fe5c5961673d3f620d3259e89a89543e6ca9722a1229fa4f12202af3

Download Submit
C:\Windows\SysWOW64\pvetax-ouved.exe
Filesize
68KB

MD5
5d0bcf65e99975ba26e26bc3fa9cfb26

SHA1
8367875927c01a3ac8bbaa56d23683550ec8dd81

SHA256
f4f74a0a3a937876f3d55d9716d20b9d91952bf447faecfdd741546b1a41481d

SHA512
0289456e640ae48325b47a325f07dc710fd7907e21d847c0580b694da71cd3e0d2e778d3aef64dbe2602806ea06f629b3bfdf929da2fcc738822a92c73c42629

Download Submit
C:\Windows\SysWOW64\ubbaneam.exe
Filesize
70KB

MD5
9d009afaaf62906348292337f07e6591

SHA1
8e321bfc51b9465a902a9a7873fb2b7fc3bca521

SHA256
4ff55fa9ba1b2bbb4a250bece715f96d8f9ce5e6a79f879dd5fd7c65549d0406

SHA512
4e1c2a1bbd6cd701686f6a2178e9403787773d53386f31eb87e6ca8d757fe93ffa90540970768e3364c127e2a608e01f3d0d7df511fc70283489c81b938e0589

Download Submit
C:\Windows\SysWOW64\ulvevoas-udid.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
memory/2036-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads