04af2dc3a7cf21b03c1dce2b64f3ec27d8030d3f


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-02 12:49:19 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: C:\Windows\2logi.exe
Type: Win32 DLL
SHA‑1: 04af2dc3a7cf21b03c1dce2b64f3ec27d8030d3f
MD5: bc28c61264087162383612874f23c992
First Seen: 2025-08-19 09:08:36 10:28:16
Last Analysis: 2025-08-29 09:07:48
Dwell Time: 9 days 23 hours

Extended Dwell Time Impact

For 9+ days, this malware remained undetected — an unusually long window that granted the adversary the ability to persist, recon, and potentially exfiltrate data with zero alerts.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case doubles that benchmark, highlighting a severe detection gap.

Timeline

Date         Event                          Elapsed
             Compilation of binary
2025-08-19   First VirusTotal submission
2025-08-29   Latest analysis snapshot       +9 days since submission

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

Detections tell a story. As of the latest snapshot, 53 vendors detect this threat while 19 vendors miss it entirely — that’s 26.4% of your potential defense surface blind to the sample.

Detected Vendors

  • Xcitium
  • +52 additional vendors (names not provided)

List includes Xcitium plus an additional 52 vendors per the provided summary.

Missed Vendors

  • Acronis (Static ML)
  • Baidu
  • ClamAV
  • CMC
  • DrWeb
  • Huorong
  • Jiangmin
  • NANO-Antivirus
  • SecureAge
  • SentinelOne (Static ML)
  • SUPERAntiSpyware
  • TACHYON
  • TEHTRIS
  • Trapmine
  • VBA32
  • VirIT
  • ViRobot
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

  1. File written: C:\Users\user\AppData\Local\Temp\04af2dc3a7cf21b03c1dce2b64f3ec27d8030d3f.dll
  2. File written: C:\Users\user\AppData\Local\Temp\04af2dc3a7cf21b03c1dce2b64f3ec27d8030d3f.dll.123.Manifest
  3. File written: C:\Users\user\AppData\Local\Temp\04af2dc3a7cf21b03c1dce2b64f3ec27d8030d3f.dll.124.Manifest
  4. File written: C:\Users\user\AppData\Local\Temp\04af2dc3a7cf21b03c1dce2b64f3ec27d8030d3f.dll.2.Manifest
  5. File written: C:\Windows\sysnative\rundll32.exe
  6. File written: C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
  7. File written: C:\Windows\Fonts\staticcache.dat
  8. File written: \Device\KsecDD
  9. File written: C:\Windows\Globalization\Sorting\sortdefault.nls
  10. Mutex: CicLoadWinStaWinSta0
  11. Mutex: Local\MSCTF.CtfMonitorInstMutexDefault1
  13. Contacted domain: www.msftncsi.com
  14. Contacted IP: 224.0.0.252
  15. Contacted IP: 239.255.255.250
  16. Contacted IP: 8.8.4.4
  17. Contacted IP: 8.8.8.8
  18. DNS query: 5isohu.com
  19. DNS query: www.msftncsi.com

This threat blends evasive checks with data collection and outbound communications. Behavior tags point to sandbox detection, prolonged sleeps, registry reconnaissance, and encrypted egress — a classic quiet‑then‑talk pattern.

Behavior Categories (weighted)

  • hooking: 0.00%
  • threading: 0.00%
  • windows: 0.00%
  • misc: 0.01%
  • system: 0.09%
  • crypto: 99.75%
  • process: 0.02%
  • synchronization: 0.00%
  • registry: 0.11%
  • file system: 0.02%
  • device: 0.00%

MITRE ATT&CK Mapping

Technique ID: Description
T1129: Execute payloads by loading shared modules (e.g., DLLs) into processes.
T1027: Obfuscate/encode/encrypt files or content to hinder analysis and detection.
T1542.003: Use a bootkit to modify boot sectors so code runs before the OS for persistence.
T1548: Abuse elevation controls (e.g., UAC/privilege mechanisms) to gain higher privileges.
T1497: Detect and evade sandboxes/virtualization using system, user-activity, or time checks.
T1218.011: Proxy execute code via rundll32.exe to run DLL payloads and bypass defenses.
T1518.001: Enumerate installed security software, tools, and sensors on the system/cloud.

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN
www.msftncsi.com 23.200.3.27 United States Akamai Technologies, Inc.

DNS Queries

Request Type Time Answers
5isohu.com A 14.417697191238403
www.msftncsi.com A 15.83948302268982

Contacted IPs

IP Country ASN Note
224.0.0.252 (link-local multicast, LLMNR; no country/ASN applies)
239.255.255.250 (site-local multicast, WS-Discovery/SSDP; no country/ASN applies)
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocol Service
137 1 udp NetBIOS Name Service
5355 4 udp LLMNR
53 4 udp DNS
3702 1 udp WS-Discovery

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 6.98107123374939 udp
192.168.56.13 224.0.0.252 55150 5355 6.9094061851501465 udp
192.168.56.13 224.0.0.252 60010 5355 9.530630111694336 udp
192.168.56.13 224.0.0.252 62406 5355 6.913902997970581 udp
192.168.56.13 224.0.0.252 63527 5355 9.169745206832886 udp
192.168.56.13 239.255.255.250 52252 3702 6.917468070983887 udp
192.168.56.13 8.8.4.4 49311 53 10.41943907737732 udp
192.168.56.13 8.8.4.4 54881 53 11.83974814414978 udp
192.168.56.13 8.8.8.8 49311 53 11.417683124542236 udp
192.168.56.13 8.8.8.8 54881 53 12.840164184570312 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Transport & Telemetry — TLS, HTTP, IP, IDS

The sample leans on encrypted transport and benign‑looking hosts, but the patterns still betray it: JA3/JA4 hints, cert chains, and IDS metadata are enough to anchor hunting queries.

TLS Sessions

Subject CN Issuer CN Serial TLS SNI JA3 JA4
ipwho.is GoGetSSL ECC DV CA 68cc9ded8945f97bd499e7c58b3ca6c2 TLS 1.2 ipwho.is 3b5074b1b5d032e5620f69f9f700ff0e t12d210700_76e208dd3e22_2dae41c691ec
cojkor grway cojkor grway 00db2acbe81874557b8180eaae48b518d4b293dd95 TLS 1.2 c12f54a3f91dc7bafd92cb59fe009a35 t12i210600_76e208dd3e22_2dae41c691ec
cojkor grway cojkor grway 00db2acbe81874557b8180eaae48b518d4b293dd95 TLS 1.2 43016d7f7f9336b17c884650d0d2545d t12i180600_4b22cbed5bed_2dae41c691ec
ipwho.is GoGetSSL ECC DV CA 68cc9ded8945f97bd499e7c58b3ca6c2 TLS 1.2 ipwho.is 6a5d235ee78c6aede6a61448b4e9ff1e t12d180700_4b22cbed5bed_2dae41c691ec

IP Traffic

Source IP Dest IP Sport Dport Proto Time
192.168.56.13 192.168.56.255 137 137 udp 6.98107123374939
192.168.56.13 224.0.0.252 55150 5355 udp 6.9094061851501465
192.168.56.13 224.0.0.252 60010 5355 udp 9.530630111694336
192.168.56.13 224.0.0.252 62406 5355 udp 6.913902997970581
192.168.56.13 224.0.0.252 63527 5355 udp 9.169745206832886
192.168.56.13 239.255.255.250 52252 3702 udp 6.917468070983887
192.168.56.13 8.8.4.4 49311 53 udp 10.41943907737732
192.168.56.13 8.8.4.4 54881 53 udp 11.83974814414978
192.168.56.13 8.8.8.8 49311 53 udp 11.417683124542236
192.168.56.13 8.8.8.8 54881 53 udp 12.840164184570312

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
