773e809ac4a9f0279eb2c258cb77288b14550b4e7ff646a9d82d888d11e6e225

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	c5f9d9794e1cf3f40ef45f0e2a0ced13.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	wcntfysvc.exe

Deletes itself 1 IoCs

pid	Process
2596	wcntfysvc.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	wcntfysvc.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	c5f9d9794e1cf3f40ef45f0e2a0ced13.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wcntfysvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wcntfysvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wcntfysvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wcntfysvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wcntfysvc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wcntfysvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\wcntfysvc.exe	c5f9d9794e1cf3f40ef45f0e2a0ced13.exe
File created	C:\Windows\system\wcntfysvc.exe	c5f9d9794e1cf3f40ef45f0e2a0ced13.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wcntfysvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wcntfysvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wcntfysvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wcntfysvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wcntfysvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wcntfysvc.exe

C:\Users\Admin\AppData\Local\Temp\c5f9d9794e1cf3f40ef45f0e2a0ced13.exe
"C:\Users\Admin\AppData\Local\Temp\c5f9d9794e1cf3f40ef45f0e2a0ced13.exe"
1⤵
- Looks for VMWare Tools registry key
- Identifies Wine through registry keys
- Drops file in Windows directory
PID:624

C:\Windows\system\wcntfysvc.exe
"C:\Windows\system\wcntfysvc.exe"
1⤵
- Modifies security service
- Windows security bypass
- Looks for VMWare Tools registry key
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion