Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 58. Missed: 15. Coverage: 79.5%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (49.79% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1083 – check if file exists
• T1083 – check if directory exists
• T1560.002 – compress data using GZip in .NET
• T1222 – set file attributes
• T1082 – query environment variable
• T1129 – Drops a binary and executes it
• T1106 – Guard pages use detected – possible anti-debugging.
• T1106 – Created a process from a suspicious location
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary likely contains encrypted or compressed data
• T1082 – Checks available memory
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads from the memory of another process
• T1071 – Looks up the external IP address
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1012 – Query OS Information
• T1016 – Checks external IP address
• T1016 – Combination of other detections shows configuration discovery
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1036.001 – Signed executable failed signature validation
• T1047 – Collects hardware properties
• T1047 – Queries OS version via WMI
• T1047 – Enumerates running processes
• T1057 – Enumerates running processes
• T1059.001 – Bypasses PowerShell execution policy
• T1068 – Loads a known vulnerable file
• T1071.004 – Performs DNS request
• T1082 – Enumerates running processes
• T1082 – Collects hardware properties
• T1082 – Queries OS version via WMI
• T1082 – Query OS Information
• T1082 – Combination of other detections shows configuration discovery
• T1095 – Connects to remote host
• T1095 – Sets up server that accepts incoming connections
• T1134 – Enables process privileges
• T1497 – Creates an unusually large number of processes
• T1497.001 – Tries to detect application sandbox
• T1497.003 – Delays execution
• T1543.003 – Installs system service
• T1562.001 – Modifies Windows Defender configuration
• T1564.003 – Creates process with hidden window
• T1129 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1083 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1112 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1059 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1082 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1012 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1129 – The process attempted to dynamically load a malicious function
• T1129 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1083 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1112 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1059 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1082 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1012 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1129 – The process tried to load dynamically one or more functions.
• T1057 – The process has tried to detect the debugger probing the use of page guards.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1071 – Detected one or more anomalous HTTP requests
• T1071 – Detected HTTP requests to some non white-listed domains
• T1071 – Some process has originated direct HTTPS traffic with one or more hosts.
• T1057 – The process attempted to detect a running debugger using common APIs
• T1063 – The process has tried to detect Sandboxie (loading its library)
• T1129 – The process has tried to detect Sandboxie (loading its library)
• T1179 – The process behaves as a keylogger (keyboard capturing detected)
• T1056 – The process behaves as a keylogger (keyboard capturing detected)
• T1027 – Detected the execution of a powershell command with one or more suspicious parameter
• T1086 – Detected the execution of a powershell command with one or more suspicious parameter
• T1129 – Detected the execution of a powershell command with one or more suspicious parameter
• T1082 – Queries for the computername
• T1082 – The process tried to collect informations about the system reading some known registry keys
• T1012 – The process tried to collect informations about the system reading some known registry keys
• T1129 – Manalize Local SandBox Strings
• T1083 – Manalize Local SandBox Strings
• T1112 – Manalize Local SandBox Strings
• T1059 – Manalize Local SandBox Strings
• T1082 – Manalize Local SandBox Strings
• T1012 – Manalize Local SandBox Strings
• T1086 – Detected some PowerShell commands executions
• T1129 – Created network traffic indicative of malicious activity
• T1083 – Created network traffic indicative of malicious activity
• T1112 – Created network traffic indicative of malicious activity
• T1059 – Created network traffic indicative of malicious activity
• T1082 – Created network traffic indicative of malicious activity
• T1012 – Created network traffic indicative of malicious activity
• T1050 – The process has tried to set its autorun on the system startup
• T1112 – The process has tried to set its autorun on the system startup
• T1060 – The process has tried to set its autorun on the system startup
• T1047 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1569.002 – Uses sc.exe to modify the status of services
• T1543.003 – Uses sc.exe to modify the status of services
• T1036 – Creates files inside the user directory
• T1036 – Creates files inside the system directory
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1562.001 – Adds a directory exclusion to Windows Defender
• T1497 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1497 – Checks if the current process is being debugged
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
• T1140 – .NET source code contains calls to encryption/decryption functions
• T1027 – .NET source code contains long base64-encoded strings
• T1027.002 – .NET source code contains potential unpacker
• T1027.002 – .NET source code contains method to dynamically call methods (often used by packers)
• T1056 – Contains functionality to log keystrokes (.Net Source)
• T1518.001 – Check if machine is in data center or colocation facility
• T1518.001 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1518.001 – Checks if the current process is being debugged
• T1057 – Queries a list of all running processes
• T1016 – Checks the online ip address of the machine
• T1083 – Reads ini files
• T1082 – Checks the free space of harddrives
• T1082 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1082 – Queries the cryptographic machine GUID
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1560 – Public key (encryption) found
• T1560 – .NET source code contains calls to encryption/decryption functions
• T1105 – Downloads files from webservers via HTTP
• T1095 – Downloads files from webservers via HTTP
• T1071 – Downloads files from webservers via HTTP
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.