Qilin Uses Privileged Service Manipulation and Hardened AES/RSA Filecoder Engine


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:31:13 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: decryptor.exe
Type: Win32 Executable MS Visual C++ (generic)
SHA‑1: 96fad0f920746a5e137965b4b474c3cae3e3877f
MD5: e53da097f370175511c2a8c7734cfd37
First Seen: 2025-11-14 19:32:30.236467
Last Analysis: 2025-11-15 20:48:17.825619
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC) | Event | Elapsed
2025-10-26 16:35:57 UTC | First VirusTotal submission |
2025-11-19 12:47:15 UTC | Latest analysis snapshot | 23 days, 20 hours, 11 minutes
2025-11-20 08:31:13 UTC | Report generation time | 24 days, 15 hours, 55 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 57. Missed: 16. Coverage: 78.1%.

Detected Vendors

  • Xcitium
  • +56 additional vendors (names not provided)

List includes Xcitium plus an additional 56 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • ClamAV
  • CMC
  • google_safebrowsing
  • Jiangmin
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VBA32
  • VirIT
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (50.03% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category | Weight | Percentage
File System | 304083 | 50.03%
System | 303584 | 49.95%
Device | 65 | 0.01%
Misc | 17 | 0.00%
Process | 10 | 0.00%
Threading | 9 | 0.00%
Hooking | 1 | 0.00%

MITRE ATT&CK Mapping

  • T1083 – get common file path
  • T1033 – get session user name
  • T1087 – get session user name
  • T1082 – get disk information
  • T1007 – enumerate services
  • T1059 – accept command line arguments
  • T1082 – get system information on Windows
  • T1027 – encrypt data using Salsa20 or ChaCha
  • T1027.005 – contain obfuscated stackstrings
  • T1129 – link function at runtime on Windows
  • T1135 – enumerate network shares
  • T1027 – encrypt data using RC4 PRGA
  • T1082 – enumerate disk volumes
  • T1027 – encode data using Base64
  • T1083 – check if file exists
  • T1497.001 – reference anti-VM strings
  • T1057 – enumerate process modules
  • T1082 – query environment variable
  • T1007 – query service status
  • T1027 – encrypt data using speck
  • T1543.003 – stop service
  • T1489 – stop service
  • T1129 – link many functions at runtime
  • T1027 – encrypt data using AES via x86 extensions
  • T1543.003 – modify service
  • T1569.002 – modify service
  • T1027 – encode data using XOR
  • T1129 – parse PE header
  • T1222 – set file attributes
  • T1036 – A file was accessed within the Public folder.
  • T1055 – Contains .tls (Thread Local Storage) section
  • T1548 – A file was accessed within the Public folder.
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – Binary file triggered YARA rule
  • T1106 – Guard page use detected – possible anti-debugging.
  • T1497 – Queries disk information (often used to detect virtual machines)
  • T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
  • T1518.001 – Queries disk information (often used to detect virtual machines)
  • T1082 – Queries disk information (often used to detect virtual machines)
  • T1082 – Queries the volume information (name, serial number, etc.) of a device
  • T1090 – Found Tor onion address

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN/Org
www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc.

Observed IPs

IP | Country | ASN/Org
224.0.0.252 | |
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC

DNS Queries

Request | Type
5isohu.com | A
www.aieov.com | A

Port Distribution

Port | Count | Protocols
137 | 1 | udp
5355 | 4 | udp
53 | 27 | udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened: 34
Registry Set: 1
Services Started: 0
Services Opened: 0

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PnpSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\file.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\RestartManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap

Registry Set (Top 25)

Key | Value
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile | Binary Data

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
