Trojanized Screenshot Tool Captures Desktop and Steals Data

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

cca_windows_screenshotter.bin

Type

PE32+ executable (console) x86-64, for MS Windows

SHA‑1

70c7f01f46dccc8b4a4ac2f62035774dfb978af9

MD5

d94c67d5b7a28329037dd076896287f8

First Seen

2025-09-14 13:44:05.233669

Last Analysis

2025-09-15 07:15:20.719068

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-09-12 11:46:31 UTC	First VirusTotal submission	—
2025-09-19 06:44:07 UTC	Latest analysis snapshot	6 days, 18 hours, 57 minutes
2025-10-27 10:21:49 UTC	Report generation time	44 days, 22 hours, 35 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 45. Missed: 28. Coverage: 61.6%.

Detected Vendors

Xcitium
+44 additional vendors (names not provided)

List includes Xcitium plus an additional 44 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
APEX
Baidu
ClamAV
CMC
CrowdStrike
Cylance
Fortinet
google_safebrowsing
Gridinsoft
huorong
Jiangmin
K7AntiVirus
K7GW
Kingsoft
NANO-Antivirus
SentinelOne
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
ViRobot
Webroot
Yandex
Zillya
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (63.64% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	231	63.64%
File System	74	20.39%
Misc	56	15.43%
Threading	1	0.28%
Hooking	1	0.28%

MITRE ATT&CK Mapping

T1113 – capture screenshot
T1083 – get common file path
T1129 – link function at runtime on Windows
T1129 – link many functions at runtime
T1497.002 – check for foreground window switch
T1010 – Monitors user input
T1027.002 – Resolves API functions dynamically
T1056 – Combination of other detections shows multiple input capture behaviors
T1056.002 – Monitors user input
T1113 – Takes screenshot
T1119 – Combination of other detections shows multiple input capture behaviors
T1497.003 – Delays execution
T1497.001 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
T1083 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
T1560.002 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
T1222 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
T1082 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
T1083 – get common file path
T1113 – capture screenshot
T1129 – link function at runtime on Windows
T1129 – link many functions at runtime
T1497.002 – check for foreground window switch
T1027.009 – Drops interesting files and uses them
T1063 – It Tries to detect injection methods
T1036 – Creates files inside the user directory
T1497 – May sleep (evasive loops) to hinder dynamic analysis

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
138	1	udp
5355	4	udp
53	12	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.14	192.168.56.255	137	137	3.088050127029419	udp
192.168.56.14	192.168.56.255	138	138	9.078731060028076	udp
192.168.56.14	224.0.0.252	51209	5355	3.0202929973602295	udp
192.168.56.14	224.0.0.252	53401	5355	4.849430084228516	udp
192.168.56.14	224.0.0.252	55094	5355	5.578999042510986	udp
192.168.56.14	224.0.0.252	55848	5355	3.02052903175354	udp
192.168.56.14	8.8.4.4	50710	53	66.09434914588928	udp
192.168.56.14	8.8.4.4	52815	53	7.4255311489105225	udp
192.168.56.14	8.8.4.4	54579	53	51.73445415496826	udp
192.168.56.14	8.8.4.4	60117	53	80.4531660079956	udp
192.168.56.14	8.8.4.4	62112	53	37.14102792739868	udp
192.168.56.14	8.8.4.4	65148	53	22.781901121139526	udp
192.168.56.14	8.8.8.8	50710	53	65.09478807449341	udp
192.168.56.14	8.8.8.8	52815	53	8.421833038330078	udp
192.168.56.14	8.8.8.8	54579	53	50.73536705970764	udp
192.168.56.14	8.8.8.8	60117	53	79.45362210273743	udp
192.168.56.14	8.8.8.8	62112	53	36.14113998413086	udp
192.168.56.14	8.8.8.8	65148	53	21.782417058944702	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\executable.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Show all (29 total)

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report