Ransomware Payload Creating RunKey Persistence And Clearing Event Logs


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-04 08:32:11 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: 7x78k83y.exe
Type: Win32 Executable MS Visual C++ (generic)
SHA‑1: ca8becb3fd4e92a7976315ae3e36b86bc334d687
MD5: 531170b3682d51a38a5f79b43d41596e
First Seen: 2025-12-01 14:09:01.368896
Last Analysis: 2025-12-01 21:28:47.842816
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 7+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) | Event | Elapsed
2025-11-13 09:57:11 | First VirusTotal submission |
2025-12-03 21:12:15 | Latest analysis snapshot | 20 days, 11 hours, 15 minutes
2025-12-04 08:32:11 | Report generation time | 20 days, 22 hours, 35 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 65. Missed: 8. Coverage: 89.0%.

Detected Vendors

  • Xcitium
  • 64 additional vendors (names not provided in the source summary)

Missed Vendors

  • Acronis
  • Baidu
  • CMC
  • google_safebrowsing
  • SUPERAntiSpyware
  • TACHYON
  • VirIT
  • Yandex

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (52.39% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 301299 52.39%
Synchronization 172149 29.93%
System 88400 15.37%
Registry 8538 1.48%
Network 2532 0.44%
Threading 871 0.15%
Process 414 0.07%
Com 381 0.07%
Device 340 0.06%
Services 111 0.02%
Misc 87 0.02%
Hooking 16 0.00%
Windows 8 0.00%
Crypto 5 0.00%

MITRE ATT&CK Mapping

  • T1027 – encode data using Base64 via WinAPI
  • T1543.003 – stop service
  • T1489 – stop service
  • T1033 – get token membership
  • T1007 – query service status
  • T1083 – get common file path
  • T1083 – enumerate files on Windows
  • T1027 – reference AES constants
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1222 – set file attributes
  • T1112 – delete registry value
  • T1059 – accept command line arguments
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1007 – enumerate services
  • T1548.002 – bypass UAC via ICMLuaUtil
  • T1016 – get socket status
  • T1027.005 – contain obfuscated stackstrings
  • T1129 – parse PE header
  • T1135 – enumerate network shares
  • T1082 – get disk size
  • T1082 – get disk information
  • T1564.003 – hide graphical window
  • T1083 – check if file exists
  • T1082 – check OS version
  • T1129 – link function at runtime on Windows
  • T1083 – enumerate files recursively
  • T1027 – encrypt data using AES via x86 extensions
  • T1614.001 – identify system language via API
  • T1082 – enumerate disk volumes
  • T1027 – encode data using XOR
  • T1129 – link many functions at runtime
  • T1027 – encrypt data using AES
  • T1012 – query or enumerate registry value
  • T1622 – hide thread from debugger
  • T1016 – get local IPv4 addresses

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN/Org
www.msftncsi.com | 23.200.3.31 | United States | Akamai Technologies, Inc.
www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc.

Observed IPs

IP | Country | ASN/Org
224.0.0.252 | |
239.255.255.250 | |
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC

224.0.0.252 and 239.255.255.250 are link-local multicast groups (LLMNR on UDP 5355 and SSDP/WS-Discovery respectively), so no country or ASN applies; traffic to them is local name-resolution and discovery noise rather than command-and-control.

DNS Queries

Request Type
www.aieov.com A
www.msftncsi.com A
5isohu.com A
101.56.168.192.in-addr.arpa PTR
14.56.168.192.in-addr.arpa PTR
13.56.168.192.in-addr.arpa PTR
12.56.168.192.in-addr.arpa PTR
7.56.168.192.in-addr.arpa PTR

Port Distribution

Port Count Protocols
137 1 udp
138 1 udp
5355 20 udp
53 32 udp
3702 1 udp

UDP Packets

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened: 1
Registry Set: 12
Services Started: 0
Services Opened: 0

Registry Opened (Top 25)

Key
HKEY_CURRENT_USER\Software\LockBit

Registry Set (Top 25)

Key | Value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Enter) | 48 00 00 00 00 00 00 00 00 95 F6 13 FF 23 DC 01 00 00 00 00 00 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Leave) | 48 00 00 00 00 00 00 00 E0 A7 4E 14 FF 23 DC 01 00 00 00 00 00 00 00 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Enter) | 48 00 00 00 00 00 00 00 80 51 5F 14 FF 23 DC 01 00 00 00 00 00 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Leave) | 48 00 00 00 00 00 00 00 80 51 5F 14 FF 23 DC 01 00 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\Public |
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\full |
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 | "%TEMP%\W919O4G93IK3N2IL.exe"
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\16000009\Element |
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\250000e0\Element |
HKEY_CURRENT_USER\Software\LockBit\Public |
HKEY_CURRENT_USER\Software\LockBit\full |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 | "c:\analyse\1763209128.9682035_87ee9277-a748-4460-9d41-2fca36d85b3c"

Services Started (Top 15)

None recorded (count: 0).

Services Opened (Top 15)

None recorded (count: 0).

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*), and new values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that point into %TEMP%, as recorded in the Registry Set telemetry above.
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
