Token Duplication and Service Control Abuse Enable DevMan Ransomware Staging

Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-01-29 15:20:18 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: ntdll.dll
Type: Win64 Executable (generic)
SHA‑1: 8cfc6432b92df8a89743937281a744c2351eac2a
MD5: 3407cbcb6d54ec7f4a1693ffd962cf68
First Seen: 2026-01-29 08:27:09.071383
Last Analysis: 2026-01-29 10:11:11.012946
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) | Event | Elapsed
---|---|---
2026-01-05 14:03:15 UTC | First VirusTotal submission | (baseline)
2026-01-29 14:00:39 UTC | Latest analysis snapshot | 23 days, 23 hours, 57 minutes
2026-01-29 15:20:18 UTC | Report generation time | 24 days, 1 hour, 17 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 59. Missed: 14. Coverage: 80.8%.

Detected Vendors

  • Xcitium
  • 58 additional vendors (names not provided in the summary)

Missed Vendors

  • Acronis
  • ALYac
  • Avira
  • Baidu
  • CAT-QuickHeal
  • ClamAV
  • CMC
  • F-Secure
  • Gridinsoft
  • Jiangmin
  • TACHYON
  • Xcitium
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (47.45% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category | Weight | Percentage
---|---|---
File System | 13347 | 47.45%
System | 7829 | 27.83%
Process | 3324 | 11.82%
Registry | 3249 | 11.55%
Com | 154 | 0.55%
Services | 96 | 0.34%
Device | 61 | 0.22%
Threading | 29 | 0.10%
Synchronization | 18 | 0.06%
Hooking | 7 | 0.02%
Windows | 7 | 0.02%
Misc | 6 | 0.02%
Crypto | 2 | 0.01%

MITRE ATT&CK Mapping

  • T1027 – encode data using XOR
  • T1490 – delete volume shadow copies
  • T1070.004 – delete volume shadow copies
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1070.001 – clear Windows event logs
  • T1082 – get hostname
  • T1027 – reference Base64 string
  • T1129 – link function at runtime on Windows
  • T1033 – get session user name
  • T1087 – get session user name
  • T1057 – get process heap flags
  • T1135 – enumerate network shares
  • T1543.003 – start service
  • T1082 – query environment variable
  • T1083 – get common file path
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1083 – check if file exists
  • T1070.004 – self delete
  • T1082 – get disk information
  • T1129 – access PEB ldr_data
  • T1222 – set file attributes
  • T1027.005 – contain obfuscated stackstrings
  • T1027 – encrypt data using Curve25519
  • T1016 – get local IPv4 addresses
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1053.002 – schedule task via at
  • T1134 – modify access privileges
  • T1053.005 – schedule task via schtasks
  • T1543.003 – delete service
  • T1083 – enumerate files on Windows
  • T1007 – query service status
  • T1082 – get system information on Windows
  • T1134 – acquire debug privileges
  • T1129 – parse PE header
  • T1083 – get file size
  • T1543.003 – stop service
  • T1489 – stop service
  • T1006 – Accesses volumes directly
  • T1016 – Reads network adapter information
  • T1016 – Queries a host’s domain name
  • T1057 – Enumerates running processes
  • T1134 – Enables process privileges
  • T1134 – Enables critical process privileges
  • T1486 – Appends new extensions to many filenames
  • T1489 – Tries to disable antivirus software
  • T1489 – Disables a crucial system service
  • T1490 – Modifies Windows automatic backups
  • T1491.001 – Changes the desktop wallpaper
  • T1562.001 – Tries to disable antivirus software
  • T1564.003 – Creates process with hidden window
  • T1129 – The process attempted to dynamically load a malicious function
  • T1059 – Detected command line output monitoring
  • T1057 – The process may have looked for a particular process running on the system
  • T1057 – The process searched for a process without success: maybe some not-found process was needed (browser?)
  • T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
  • T1129 – The process tried to load dynamically one or more functions.
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1106 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
  • T1107 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
  • T1105 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
  • T1107 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
  • T1031 – The process has tried to stop some active services
  • T1082 – Queries for the computername
  • T1027.009 – Drops interesting files and uses them
  • T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN/Org
---|---|---|---
www.msftncsi.com | 23.219.36.108 | United States | Akamai Technologies, Inc.
www.aieov.com | 76.223.54.146 | United States | Amazon.com, Inc.

Observed IPs

IP | Country | ASN/Org
---|---|---
224.0.0.252 | | 
239.255.255.250 | | 
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC

224.0.0.252 (LLMNR) and 239.255.255.250 (SSDP/WS‑Discovery) are local multicast addresses, so no country or ASN applies to them.

DNS Queries

Request | Type
---|---
www.msftncsi.com | A
5isohu.com | A
www.aieov.com | A

Port Distribution

Port | Count | Protocols
---|---|---
137 | 1 | udp
5355 | 11 | udp
53 | 19 | udp
3702 | 2 | udp

Ports 137 (NetBIOS name service), 5355 (LLMNR) and 3702 (WS‑Discovery) carry local name‑resolution and discovery broadcasts; the 19 packets on port 53 are the DNS queries sent to 8.8.8.8 and 8.8.4.4.

UDP Packets

Source IP | Dest IP | Sport | Dport | Time | Proto
---|---|---|---|---|---
192.168.56.11 | 192.168.56.255 | 137 | 137 | 3.244462013244629 | udp
192.168.56.11 | 224.0.0.252 | 49563 | 5355 | 3.1762940883636475 | udp
192.168.56.11 | 224.0.0.252 | 52260 | 5355 | 132.03262090682983 | udp
192.168.56.11 | 224.0.0.252 | 53975 | 5355 | 139.89373803138733 | udp
192.168.56.11 | 224.0.0.252 | 54037 | 5355 | 134.60709309577942 | udp
192.168.56.11 | 224.0.0.252 | 54650 | 5355 | 3.17815899848938 | udp
192.168.56.11 | 224.0.0.252 | 54756 | 5355 | 130.4714539051056 | udp
192.168.56.11 | 224.0.0.252 | 55601 | 5355 | 4.834207057952881 | udp
192.168.56.11 | 224.0.0.252 | 60134 | 5355 | 137.28045105934143 | udp
192.168.56.11 | 224.0.0.252 | 60205 | 5355 | 3.185228109359741 | udp
192.168.56.11 | 224.0.0.252 | 61899 | 5355 | 134.71985292434692 | udp
192.168.56.11 | 224.0.0.252 | 62798 | 5355 | 5.733815908432007 | udp
192.168.56.11 | 239.255.255.250 | 62184 | 3702 | 3.187613010406494 | udp
192.168.56.11 | 239.255.255.250 | 65033 | 3702 | 129.9545021057129 | udp
192.168.56.11 | 8.8.4.4 | 51300 | 53 | 137.28406691551208 | udp
192.168.56.11 | 8.8.4.4 | 51690 | 53 | 7.403942108154297 | udp
192.168.56.11 | 8.8.4.4 | 51899 | 53 | 5.744373083114624 | udp
192.168.56.11 | 8.8.4.4 | 56213 | 53 | 37.18161606788635 | udp
192.168.56.11 | 8.8.4.4 | 56473 | 53 | 99.04097390174866 | udp
192.168.56.11 | 8.8.4.4 | 58917 | 53 | 80.6669569015503 | udp
192.168.56.11 | 8.8.4.4 | 59770 | 53 | 51.837651014328 | udp
192.168.56.11 | 8.8.4.4 | 62329 | 53 | 66.2603280544281 | udp
192.168.56.11 | 8.8.4.4 | 63439 | 53 | 22.822272062301636 | udp
192.168.56.11 | 8.8.8.8 | 51300 | 53 | 138.27525091171265 | udp
192.168.56.11 | 8.8.8.8 | 51628 | 53 | 110.31903100013733 | udp
192.168.56.11 | 8.8.8.8 | 51690 | 53 | 8.400609970092773 | udp
192.168.56.11 | 8.8.8.8 | 51899 | 53 | 6.74454402923584 | udp
192.168.56.11 | 8.8.8.8 | 56213 | 53 | 36.19383001327515 | udp
192.168.56.11 | 8.8.8.8 | 56473 | 53 | 98.04150891304016 | udp
192.168.56.11 | 8.8.8.8 | 58917 | 53 | 79.66684794425964 | udp
192.168.56.11 | 8.8.8.8 | 59770 | 53 | 50.839009046554565 | udp
192.168.56.11 | 8.8.8.8 | 62329 | 53 | 65.27206110954285 | udp
192.168.56.11 | 8.8.8.8 | 63439 | 53 | 21.83490800857544 | udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles that the analysis exported.

Registry Opened: 0
Registry Set: 0
Services Started: 1
Services Opened: 0

Registry Opened (Top 25)

No individual keys listed in this view (297 total reported).

Registry Set (Top 25)

No entries listed.

Services Started (Top 15)

  • SNMPTRAP

Services Opened (Top 15)

No entries listed.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.