Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
13/03/2024, 13:21
Static task
static1
Behavioral task
behavioral1
Sample
c5f9d9794e1cf3f40ef45f0e2a0ced13.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
c5f9d9794e1cf3f40ef45f0e2a0ced13.exe
Resource
win10v2004-20240226-en
General
-
Target
c5f9d9794e1cf3f40ef45f0e2a0ced13.exe
-
Size
428KB
-
MD5
c5f9d9794e1cf3f40ef45f0e2a0ced13
-
SHA1
b23a6498477ef463837382312512fe6254997155
-
SHA256
773e809ac4a9f0279eb2c258cb77288b14550b4e7ff646a9d82d888d11e6e225
-
SHA512
058f7f5e5ccb4d75014da8251291748013be87b71e0c443bd5e8da83754f77ba8b999bef0ba55d36f6dcbcd07ea7a1e22dd9d253223dc7319f3179403bba73bd
-
SSDEEP
12288:b9ZRLce1FpBL/Yf60nJRV57oTnbRpx3Qz:bDFLvph/YfZJv5cTn1
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" wcntfysvc.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" wcntfysvc.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools c5f9d9794e1cf3f40ef45f0e2a0ced13.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools wcntfysvc.exe -
Deletes itself 1 IoCs
pid Process 2596 wcntfysvc.exe -
Executes dropped EXE 1 IoCs
pid Process 2596 wcntfysvc.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine c5f9d9794e1cf3f40ef45f0e2a0ced13.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wcntfysvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wcntfysvc.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat wcntfysvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\wcntfysvc.exe c5f9d9794e1cf3f40ef45f0e2a0ced13.exe File created C:\Windows\system\wcntfysvc.exe c5f9d9794e1cf3f40ef45f0e2a0ced13.exe -
Modifies data under HKEY_USERS 6 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings wcntfysvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections wcntfysvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 wcntfysvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings wcntfysvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" wcntfysvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 wcntfysvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5f9d9794e1cf3f40ef45f0e2a0ced13.exe"C:\Users\Admin\AppData\Local\Temp\c5f9d9794e1cf3f40ef45f0e2a0ced13.exe"1⤵
- Looks for VMWare Tools registry key
- Identifies Wine through registry keys
- Drops file in Windows directory
PID:624
-
C:\Windows\system\wcntfysvc.exe"C:\Windows\system\wcntfysvc.exe"1⤵
- Modifies security service
- Windows security bypass
- Looks for VMWare Tools registry key
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2596
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
428KB
MD5c5f9d9794e1cf3f40ef45f0e2a0ced13
SHA1b23a6498477ef463837382312512fe6254997155
SHA256773e809ac4a9f0279eb2c258cb77288b14550b4e7ff646a9d82d888d11e6e225
SHA512058f7f5e5ccb4d75014da8251291748013be87b71e0c443bd5e8da83754f77ba8b999bef0ba55d36f6dcbcd07ea7a1e22dd9d253223dc7319f3179403bba73bd