ICMP Reconnaissance and Network Share Enumeration Fuel DevMan Expansion


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-01-29 15:21:43 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
y9vgen.exe
Type
Win64 Executable (generic)
SHA‑1
76e4cfb5450e8da56f02695b2567e1886026197c
MD5
58c0fcbcae41dbf74116aa418ebffe0a
First Seen
2026-01-29 08:27:26.444103
Last Analysis
2026-01-29 10:11:11.114598
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2026-01-12 19:32:54 UTC First VirusTotal submission
2026-01-29 14:00:34 UTC Latest analysis snapshot 16 days, 18 hours, 27 minutes
2026-01-29 15:21:43 UTC Report generation time 16 days, 19 hours, 48 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 57. Missed: 15. Coverage: 79.2%.

Detected Vendors

  • Xcitium
  • +56 additional vendors (names not provided)

List includes Xcitium plus an additional 56 vendors per the provided summary.

Missed Vendors

  • Acronis
  • ALYac
  • Avira
  • Baidu
  • CAT-QuickHeal
  • ClamAV
  • CMC
  • F-Secure
  • google_safebrowsing
  • Jiangmin
  • TACHYON
  • Xcitium
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (53.94% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 19339 53.94%
System 9427 26.29%
Process 3431 9.57%
Registry 3266 9.11%
Com 152 0.42%
Services 96 0.27%
Device 61 0.17%
Threading 29 0.08%
Misc 18 0.05%
Synchronization 18 0.05%
Hooking 10 0.03%
Windows 7 0.02%
Crypto 2 0.01%

MITRE ATT&CK Mapping

  • T1082 – query environment variable
  • T1543.003 – delete service
  • T1007 – query service status
  • T1222 – set file attributes
  • T1543.003 – start service
  • T1134 – modify access privileges
  • T1057 – get process heap flags
  • T1082 – get disk information
  • T1129 – parse PE header
  • T1129 – link function at runtime on Windows
  • T1027 – reference Base64 string
  • T1135 – enumerate network shares
  • T1083 – get common file path
  • T1053.002 – schedule task via at
  • T1129 – access PEB ldr_data
  • T1016 – get local IPv4 addresses
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1070.001 – clear Windows event logs
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1053.005 – schedule task via schtasks
  • T1083 – get file size
  • T1543.003 – stop service
  • T1489 – stop service
  • T1083 – enumerate files on Windows
  • T1033 – get session user name
  • T1087 – get session user name
  • T1490 – delete volume shadow copies
  • T1070.004 – delete volume shadow copies
  • T1027 – encrypt data using Curve25519
  • T1082 – get system information on Windows
  • T1083 – check if file exists
  • T1082 – get hostname
  • T1027.005 – contain obfuscated stackstrings
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1134 – acquire debug privileges
  • T1027 – encode data using XOR
  • T1070.004 – self delete
  • T1006 – Accesses volumes directly
  • T1016 – Reads network adapter information
  • T1016 – Queries a host’s domain name
  • T1057 – Enumerates running processes
  • T1134 – Enables process privileges
  • T1134 – Enables critical process privileges
  • T1486 – Appends new extensions to many filenames
  • T1489 – Tries to disable antivirus software
  • T1489 – Disables a crucial system service
  • T1490 – Modifies Windows automatic backups
  • T1491.001 – Changes the desktop wallpaper
  • T1562.001 – Tries to disable antivirus software
  • T1564.003 – Creates process with hidden window
  • T1547.001 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1222 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1134 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1529 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1112 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1012 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1083 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1082 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1129 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1059 – Detected command line output monitoring
  • T1129 – The process attempted to dynamically load a malicious function
  • T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
  • T1057 – The process searched for a process without success: maybe some not-found process was needed (browser?)
  • T1057 – The process may have looked for a particular process running on the system
  • T1129 – The process tried to load dynamically one or more functions.
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1107 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
  • T1106 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
  • T1082 – Queries for the computername
  • T1031 – The process has tried to stop some active services
  • T1107 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
  • T1105 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
  • T1547.001 – Manalize Local SandBox Find Crypto
  • T1222 – Manalize Local SandBox Find Crypto
  • T1134 – Manalize Local SandBox Find Crypto
  • T1529 – Manalize Local SandBox Find Crypto
  • T1112 – Manalize Local SandBox Find Crypto
  • T1012 – Manalize Local SandBox Find Crypto
  • T1083 – Manalize Local SandBox Find Crypto
  • T1082 – Manalize Local SandBox Find Crypto
  • T1129 – Manalize Local SandBox Find Crypto
  • T1547.001 – Manalize Local SandBox Strings
  • T1222 – Manalize Local SandBox Strings
  • T1134 – Manalize Local SandBox Strings
  • T1529 – Manalize Local SandBox Strings
  • T1112 – Manalize Local SandBox Strings
  • T1012 – Manalize Local SandBox Strings
  • T1083 – Manalize Local SandBox Strings
  • T1082 – Manalize Local SandBox Strings
  • T1129 – Manalize Local SandBox Strings
  • T1547.001 – The process wrote a message on disk that could be related to a ransomware activity
  • T1222 – The process wrote a message on disk that could be related to a ransomware activity
  • T1134 – The process wrote a message on disk that could be related to a ransomware activity
  • T1529 – The process wrote a message on disk that could be related to a ransomware activity
  • T1112 – The process wrote a message on disk that could be related to a ransomware activity
  • T1012 – The process wrote a message on disk that could be related to a ransomware activity
  • T1083 – The process wrote a message on disk that could be related to a ransomware activity
  • T1082 – The process wrote a message on disk that could be related to a ransomware activity
  • T1129 – The process wrote a message on disk that could be related to a ransomware activity
  • T1027.009 – Drops interesting files and uses them
  • T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.219.36.108 United States Akamai Technologies, Inc.
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 13 udp
53 18 udp
3702 2 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 7.568113088607788 udp
192.168.56.13 224.0.0.252 49311 5355 10.08191204071045 udp
192.168.56.13 224.0.0.252 49733 5355 139.39667987823486 udp
192.168.56.13 224.0.0.252 49837 5355 136.63593411445618 udp
192.168.56.13 224.0.0.252 55150 5355 7.485635042190552 udp
192.168.56.13 224.0.0.252 56323 5355 133.98645091056824 udp
192.168.56.13 224.0.0.252 57003 5355 130.91761088371277 udp
192.168.56.13 224.0.0.252 57262 5355 131.34778308868408 udp
192.168.56.13 224.0.0.252 60010 5355 9.770320892333984 udp
192.168.56.13 224.0.0.252 60810 5355 128.7851550579071 udp
192.168.56.13 224.0.0.252 62406 5355 7.492429971694946 udp
192.168.56.13 224.0.0.252 63382 5355 126.22678089141846 udp
192.168.56.13 224.0.0.252 63527 5355 7.678692102432251 udp
192.168.56.13 224.0.0.252 63759 5355 126.3315908908844 udp
192.168.56.13 239.255.255.250 49152 3702 126.11940789222717 udp
192.168.56.13 239.255.255.250 52252 3702 7.497282981872559 udp
192.168.56.13 8.8.4.4 54879 53 12.441373109817505 udp
192.168.56.13 8.8.4.4 54881 53 10.36430311203003 udp
192.168.56.13 8.8.4.4 57310 53 69.45684909820557 udp
192.168.56.13 8.8.4.4 57415 53 83.86302590370178 udp
192.168.56.13 8.8.4.4 58697 53 25.81591796875 udp
192.168.56.13 8.8.4.4 58920 53 102.84717392921448 udp
192.168.56.13 8.8.4.4 60267 53 133.87778401374817 udp
192.168.56.13 8.8.4.4 62493 53 55.05052590370178 udp
192.168.56.13 8.8.4.4 62849 53 40.175501108169556 udp
192.168.56.13 8.8.8.8 54879 53 13.440623998641968 udp
192.168.56.13 8.8.8.8 54881 53 11.363054037094116 udp
192.168.56.13 8.8.8.8 57310 53 68.46753001213074 udp
192.168.56.13 8.8.8.8 57415 53 82.86895298957825 udp
192.168.56.13 8.8.8.8 58697 53 24.821742057800293 udp
192.168.56.13 8.8.8.8 58920 53 101.85353493690491 udp
192.168.56.13 8.8.8.8 60267 53 134.86331391334534 udp
192.168.56.13 8.8.8.8 62493 53 54.05482292175293 udp
192.168.56.13 8.8.8.8 62849 53 39.18023705482483 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

0

Registry Set

8

Services Started

1

Services Opened

0

Registry Opened (Top 25)

Show all (297 total)

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WinDefend\Start DWORD (0x00000004)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\wscsvc\Start DWORD (0x00000004)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\MpsSvc\Start DWORD (0x00000004)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\mpsdrv\Start DWORD (0x00000004)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\BFE\Start DWORD (0x00000004)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Start DWORD (0x00000004)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\SNMPTRAP\Start DWORD (0x00000004)
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile Binary Data

Services Started (Top 15)

Service
SNMPTRAP

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top