DevMan Ransomware Leverages Credential Impersonation for Early Control


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-01-29 15:19:37 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
ntdll.dll
Type
Win64 Executable (generic)
SHA‑1
1e8cf0c70db6ec1a96e5687fb8edfe930b338677
MD5
f4ea89031ff750e457c309b849b2b278
First Seen
2026-01-29 08:27:21.717332
Last Analysis
2026-01-29 10:11:10.828811
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2026-01-05 14:01:32 UTC First VirusTotal submission
2026-01-29 13:59:44 UTC Latest analysis snapshot 23 days, 23 hours, 58 minutes
2026-01-29 15:19:37 UTC Report generation time 24 days, 1 hours, 18 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 71. Detected as malicious: 57. Missed: 14. Coverage: 80.3%.

Detected Vendors

  • Xcitium
  • +56 additional vendors (names not provided)

List includes Xcitium plus an additional 56 vendors per the provided summary.

Missed Vendors

  • Acronis
  • ALYac
  • Avira
  • Baidu
  • CAT-QuickHeal
  • ClamAV
  • CMC
  • F-Secure
  • Gridinsoft
  • Jiangmin
  • TACHYON
  • Xcitium
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (48.22% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 115536 48.22%
Synchronization 93070 38.84%
System 14719 6.14%
Registry 9191 3.84%
Process 3655 1.53%
Misc 2301 0.96%
Com 422 0.18%
Device 282 0.12%
Threading 187 0.08%
Services 177 0.07%
Crypto 30 0.01%
Hooking 14 0.01%
Windows 11 0.00%
Network 3 0.00%

MITRE ATT&CK Mapping

  • T1083 – get file size
  • T1027.005 – contain obfuscated stackstrings
  • T1134 – acquire debug privileges
  • T1070.004 – self delete
  • T1016 – get local IPv4 addresses
  • T1134 – modify access privileges
  • T1057 – get process heap flags
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1027 – encrypt data using Curve25519
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1033 – get session user name
  • T1087 – get session user name
  • T1053.005 – schedule task via schtasks
  • T1129 – access PEB ldr_data
  • T1490 – delete volume shadow copies
  • T1070.004 – delete volume shadow copies
  • T1053.002 – schedule task via at
  • T1083 – check if file exists
  • T1027 – encode data using XOR
  • T1082 – get disk information
  • T1129 – link function at runtime on Windows
  • T1543.003 – stop service
  • T1489 – stop service
  • T1070.001 – clear Windows event logs
  • T1082 – query environment variable
  • T1135 – enumerate network shares
  • T1222 – set file attributes
  • T1027 – reference Base64 string
  • T1082 – get hostname
  • T1129 – parse PE header
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1007 – query service status
  • T1083 – get common file path
  • T1082 – get system information on Windows
  • T1543.003 – start service
  • T1543.003 – delete service
  • T1083 – enumerate files on Windows
  • T1006 – Accesses volumes directly
  • T1016 – Reads network adapter information
  • T1016 – Queries a host’s domain name
  • T1057 – Enumerates running processes
  • T1134 – Enables process privileges
  • T1134 – Enables critical process privileges
  • T1486 – Appends new extensions to many filenames
  • T1489 – Tries to disable antivirus software
  • T1489 – Disables a crucial system service
  • T1490 – Modifies Windows automatic backups
  • T1491.001 – Changes the desktop wallpaper
  • T1562.001 – Tries to disable antivirus software
  • T1564.003 – Creates process with hidden window
  • T1059 – Detected command line output monitoring
  • T1129 – The process attempted to dynamically load a malicious function
  • T1129 – The process tried to load dynamically one or more functions.
  • T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
  • T1057 – The process may have looked for a particular process running on the system
  • T1057 – The process searched for a process without success: maybe some not-found process was needed (browser?)
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1107 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
  • T1106 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
  • T1082 – Queries for the computername
  • T1031 – The process has tried to stop some active services
  • T1107 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
  • T1105 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
  • T1027.009 – Drops interesting files and uses them
  • T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 4 udp
53 54 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.14 192.168.56.255 137 137 7.068439960479736 udp
192.168.56.14 224.0.0.252 51209 5355 6.996989965438843 udp
192.168.56.14 224.0.0.252 53401 5355 8.18228793144226 udp
192.168.56.14 224.0.0.252 55094 5355 9.673857927322388 udp
192.168.56.14 224.0.0.252 55848 5355 7.00320291519165 udp
192.168.56.14 8.8.4.4 49916 53 103.22099184989929 udp
192.168.56.14 8.8.4.4 50180 53 150.5957899093628 udp
192.168.56.14 8.8.4.4 50710 53 69.92363691329956 udp
192.168.56.14 8.8.4.4 50870 53 331.92350602149963 udp
192.168.56.14 8.8.4.4 50914 53 256.23605704307556 udp
192.168.56.14 8.8.4.4 51262 53 317.5644359588623 udp
192.168.56.14 8.8.4.4 51614 53 528.98659491539 udp
192.168.56.14 8.8.4.4 52556 53 514.6265180110931 udp
192.168.56.14 8.8.4.4 52815 53 11.081475019454956 udp
192.168.56.14 8.8.4.4 53449 53 361.9547920227051 udp
192.168.56.14 8.8.4.4 54579 53 55.56505298614502 udp
192.168.56.14 8.8.4.4 54683 53 209.27721691131592 udp
192.168.56.14 8.8.4.4 55827 53 270.59562706947327 udp
192.168.56.14 8.8.4.4 55914 53 132.08136105537415 udp
192.168.56.14 8.8.4.4 56399 53 179.70477890968323 udp
192.168.56.14 8.8.4.4 57742 53 380.37640500068665 udp
192.168.56.14 8.8.4.4 59068 53 347.5957889556885 udp
192.168.56.14 8.8.4.4 60117 53 84.36156988143921 udp
192.168.56.14 8.8.4.4 60713 53 284.95479702949524 udp
192.168.56.14 8.8.4.4 62022 53 165.14274501800537 udp
192.168.56.14 8.8.4.4 62112 53 40.86084294319153 udp
192.168.56.14 8.8.4.4 62548 53 237.98669600486755 udp
192.168.56.14 8.8.4.4 62800 53 303.2046568393707 udp
192.168.56.14 8.8.4.4 63205 53 223.62641501426697 udp
192.168.56.14 8.8.4.4 64452 53 545.2830748558044 udp
192.168.56.14 8.8.4.4 64753 53 117.5960750579834 udp
192.168.56.14 8.8.4.4 65148 53 26.486340045928955 udp
192.168.56.14 8.8.8.8 49916 53 102.22157192230225 udp
192.168.56.14 8.8.8.8 50180 53 149.59882402420044 udp
192.168.56.14 8.8.8.8 50710 53 68.93515801429749 udp
192.168.56.14 8.8.8.8 50870 53 330.92426896095276 udp
192.168.56.14 8.8.8.8 50914 53 255.2379789352417 udp
192.168.56.14 8.8.8.8 51262 53 316.56508803367615 udp
192.168.56.14 8.8.8.8 51614 53 527.9864389896393 udp
192.168.56.14 8.8.8.8 52556 53 513.6293108463287 udp
192.168.56.14 8.8.8.8 52815 53 12.080817937850952 udp
192.168.56.14 8.8.8.8 53449 53 360.95540499687195 udp
192.168.56.14 8.8.8.8 54579 53 54.56592392921448 udp
192.168.56.14 8.8.8.8 54683 53 208.27854990959167 udp
192.168.56.14 8.8.8.8 55827 53 269.59626293182373 udp
192.168.56.14 8.8.8.8 55914 53 131.0812590122223 udp
192.168.56.14 8.8.8.8 56399 53 178.71139097213745 udp
192.168.56.14 8.8.8.8 57742 53 379.37744092941284 udp
192.168.56.14 8.8.8.8 59068 53 346.6013400554657 udp
192.168.56.14 8.8.8.8 60117 53 83.35354495048523 udp
192.168.56.14 8.8.8.8 60713 53 283.9554190635681 udp
192.168.56.14 8.8.8.8 62022 53 164.1432330608368 udp
192.168.56.14 8.8.8.8 62112 53 39.866031885147095 udp
192.168.56.14 8.8.8.8 62548 53 236.98663091659546 udp
192.168.56.14 8.8.8.8 62800 53 302.20546197891235 udp
192.168.56.14 8.8.8.8 63205 53 222.62770795822144 udp
192.168.56.14 8.8.8.8 64452 53 544.2871389389038 udp
192.168.56.14 8.8.8.8 64753 53 116.59780287742615 udp
192.168.56.14 8.8.8.8 65148 53 25.499621868133545 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

0

Registry Set

0

Services Started

1

Services Opened

0

Registry Opened (Top 25)

Show all (297 total)

Registry Set (Top 25)

Services Started (Top 15)

Service
SNMPTRAP

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top