Malicious Word Executable Embeds Upatre Dropper and Overlay Resource


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-12 22:14:31 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: 2w8w8t1.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA‑1: e43cfcee0cce2484d727ff8f853534cb488fa738
MD5: 033c2302be4836b510560552fc85e589
First Seen: 2025-10-06 10:06:50.808797
Last Analysis: 2025-10-06 15:05:42.740982
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 4+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-10-06 09:29:10 UTC First VirusTotal submission
2025-10-08 14:26:24 UTC Latest analysis snapshot 2 days, 4 hours, 57 minutes
2025-11-12 22:14:31 UTC Report generation time 29 days, 21 hours, 46 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 69. Missed: 3. Coverage: 95.8%.

Detected Vendors

  • Xcitium
  • +68 additional vendors (names not provided)

The provided summary names only Xcitium; the remaining 68 detecting vendors are not listed.

Missed Vendors

  • CMC
  • Paloalto
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (66.67% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 10088 66.67%
File System 1552 10.26%
Process 776 5.13%
Misc 582 3.85%
Threading 388 2.56%
Device 388 2.56%
Registry 388 2.56%
Services 388 2.56%
Hooking 194 1.28%
Windows 194 1.28%
Crypto 194 1.28%

MITRE ATT&CK Mapping

  • T1129 – access PEB ldr_data
  • T1033 – get token membership
  • T1083 – get common file path
  • T1027 – encrypt data using RC4 KSA
  • T1129 – link function at runtime on Windows
  • T1057 – get process heap flags
  • T1053.005 – schedule task via ITaskScheduler
  • T1222 – set file attributes
  • T1027 – manually build AES constants
  • T1543.003 – start service
  • T1083 – check if file exists
  • T1497 – check for VM using instruction VPCEXT
  • T1083 – get file size
  • T1027 – encode data using XOR
  • T1082 – get hostname
  • T1543.003 – modify service
  • T1569.002 – modify service
  • T1012 – query or enumerate registry value
  • T1033 – get session user name
  • T1087 – get session user name
  • T1129 – link many functions at runtime

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.
www.msftncsi.com 2.18.67.72 Europe Akamai Technologies

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 4 udp
53 38 udp
3702 1 udp

UDP Packets


Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
