Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-09 10:31:09 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: DEPRESSED_SHOFAR.exe
Type: Win32 EXE
SHA-1: f3fe24347e391385c79e5167b19be7f3a7db1d9a
MD5: efe89f77f2833998d4e890e3e606dc66
First Seen: 2025-09-05 15:36:51.894551
Last Analysis: 2025-09-05 16:41:57.878604
Dwell Time: 0 days, 1 hour, 5 minutes

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) | Event | Elapsed
2025-08-21 13:01:00 UTC | First VirusTotal submission |
2025-09-09 07:39:53 UTC | Latest analysis snapshot | 18 days, 18 hours, 38 minutes
2025-09-09 10:31:09 UTC | Report generation time | 18 days, 21 hours, 30 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 57. Missed: 16. Coverage: 78.1%.

Detected Vendors

  • Xcitium
  • +56 additional vendors (names not provided in the summary)

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • DrWeb
  • Jiangmin
  • Kingsoft
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • ViRobot
  • Webroot
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (56.44% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category | Weight | Percentage
System | 482 | 56.44%
Device | 127 | 14.87%
Registry | 108 | 12.65%
Network | 73 | 8.55%
File System | 45 | 5.27%
Threading | 9 | 1.05%
Process | 8 | 0.94%
Misc | 2 | 0.23%

MITRE ATT&CK Mapping

  • T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1016 – Queries a host’s domain name
  • T1027.002 – Resolves API functions dynamically
  • T1095 – Connects to remote host
  • T1095 – Sets up server that accepts incoming connections
  • T1497.001 – Tries to detect application sandbox
  • T1497.003 – Delays execution
  • T1622 – Tries to detect debugger
  • T1129 – The process attempted to dynamically load a malicious function
  • T1129 – The process tried to dynamically load one or more functions
  • T1140 – Detected an attempt to pull out some data from the binary image
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1071 – Detected one or more anomalous HTTP requests
  • T1071 – Detected HTTP requests to some non-whitelisted domains
  • T1057 – The process attempted to detect a running debugger using common APIs
  • T1071 – Some process has originated direct HTTPS traffic with one or more hosts
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1082 – Sample reads itself and does not show any behavior, likely it performs some host environment checks and compares to an embedded key
  • T1082 – Queries the volume information (name, serial number, etc.) of a device
  • T1573 – Uses HTTPS
  • T1095 – Downloads files from webservers via HTTP
  • T1095 – Posts data to webserver
  • T1095 – Downloads compressed data via HTTP
  • T1071 – Downloads files from webservers via HTTP
  • T1071 – Posts data to webserver
  • T1071 – Uses HTTPS
  • T1071 – Downloads compressed data via HTTP
  • T1071 – Uses a known web browser user agent for HTTP communication
  • T1105 – Downloads files from webservers via HTTP
  • T1105 – Downloads compressed data via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN/Org
www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc.
www.msftncsi.com | 23.200.3.18 | United States | Akamai Technologies, Inc.

Observed IPs

IP | Country | ASN/Org
224.0.0.252 | |
239.255.255.250 | |
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC
3.81.209.231 | United States | Amazon Technologies Inc.

DNS Queries

Request | Type
www.msftncsi.com | A
5isohu.com | A
www.aieov.com | A

Port Distribution

Port | Count | Protocols
137 | 1 | udp
5355 | 13 | udp
53 | 50 | udp
3702 | 1 | udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles, with the full lists where available.

Registry Opened: 57
Registry Set: 0
Services Started: 0
Services Opened: 0

Registry Opened (57 total)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\LastConfig
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions\TenantRestrictionsPlugin.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e87602b6-fe02-11ef-83b3-806e6f6e6963}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\dnscache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_LOCAL_MACHINE\System\Setup
\REGISTRY\USER
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
