Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 44. Missed: 28. Coverage: 61.1%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (47.98% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1082 – query environment variable
• T1012 – query or enumerate registry value
• T1129 – link function at runtime on Windows
• T1497.001 – reference anti-VM strings targeting Xen
• T1082 – check OS version
• T1134 – modify access privileges
• T1083 – get common file path
• T1529 – shutdown system
• T1083 – get file version info
• T1614.001 – identify system language via API
• T1082 – get disk size
• T1083 – check if file exists
• T1059 – accept command line arguments
• T1614 – get geographical location
• T1082 – get system information on Windows
• T1027 – encrypt data using RC4 PRGA
• T1027 – encode data using XOR
• T1129 – Drops a binary and executes it
• T1053 – Installs itself for autorun at Windows startup
• T1106 – Guard pages use detected – possible anti-debugging.
• T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
• T1059 – Attempts to modify Windows Defender using PowerShell
• T1059 – A scripting utility was executed
• T1059 – Appears to use command line obfuscation
• T1059 – Attempts to execute suspicious powershell command arguments
• T1059 – Executed a very long command line or script command which may be indicative of chained commands or obfuscation
• T1064 – Attempts to execute suspicious powershell command arguments
• T1064 – A scripting utility was executed
• T1059.001 – Attempts to execute suspicious powershell command arguments
• T1202 – Uses suspicious command line tools or Windows utilities
• T1202 – Uses Windows utilities for basic functionality
• T1562 – Attempts to stop active services
• T1562 – Attempts to modify Windows Defender using PowerShell
• T1562 – Tries to unhook or modify Windows functions monitored by CAPE
• T1036 – A file was accessed within the Public folder.
• T1036 – Spoofs its process name and/or associated pathname to appear as a legitimate process
• T1055 – Contains .tls (Thread Local Storage) section
• T1055 – Writes to the memory another process
• T1218 – UAC bypass via CMSTP COM interface detected
• T1112 – Attempts to create or modify system certificates
• T1112 – Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Installs itself for autorun at Windows startup
• T1548 – A file was accessed within the Public folder.
• T1070 – Deletes executed files from disk
• T1497 – Checks for mouse movement
• T1562.001 – Attempts to stop active services
• T1562.001 – Attempts to modify Windows Defender using PowerShell
• T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – Appears to use command line obfuscation
• T1553 – Attempts to create or modify system certificates
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1543 – Attempts to stop active services
• T1547 – Loads a driver
• T1547 – Installs itself for autorun at Windows startup
• T1543.003 – Attempts to stop active services
• T1547.001 – Installs itself for autorun at Windows startup
• T1547.006 – Loads a driver
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1489 – Attempts to stop active services
• T1486 – Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
• T1485 – Anomalous file deletion behavior detected (10+)
• T1082 – Checks available memory
• T1057 – Expresses interest in specific running processes
• T1057 – Enumerates running processes
• T1057 – Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – The PE file contains an overlay
• T1006 – Accesses volumes directly
• T1012 – Query OS Information
• T1014 – Installs kernel driver
• T1016 – Reads network adapter information
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1027.002 – Overwrites code
• T1036.001 – Signed executable failed signature validation
• T1047 – Enumerates running processes
• T1047 – Reads network adapter information
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of another process
• T1055.012 – Process Hollowing
• T1057 – Enumerates running processes
• T1070.004 – Deletes file after execution
• T1071.004 – Performs DNS request
• T1082 – Enumerates running processes
• T1082 – Query OS Information
• T1083 – Possibly does reconnaissance
• T1095 – Connects to remote host
• T1106 – Makes direct system call to possibly evade hooking based monitoring
• T1112 – Installs system service
• T1112 – Writes an unusually large amount of data to the registry
• T1129 – Loads a dropped DLL
• T1134 – Enables process privileges
• T1134 – Enables critical process privileges
• T1134.002 – Creates elevated child process
• T1497 – Creates an unusually large number of processes
• T1543.003 – Installs system service
• T1564.003 – Creates process with hidden window
• T1571 – Tries to connect using an uncommon port
• T1574.011 – Installs system service
• T1059 – Detected command line output monitoring
• T1129 – The process attempted to dynamically load a malicious function
• T1129 – The process tried to load dynamically one or more functions.
• T1035 – Detected an attemp to load a driver service
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1057 – The process may have looked for a particular process running on the system
• T1057 – The process searched for a process without success: maybe some not-found process was needed (browser?)
• T1140 – Detected an attempt to pull out some data from the binary image
• T1057 – The process has tried to detect the debugger probing the use of page guards.
• T1027.009 – The process has executed a dropped binary
• T1045 – Manalize Local SandBox Packer Harvesting
• T1057 – The process attempted to detect a running debugger using common APIs
• T1179 – The process attempted to monitor the mouse events (using a hooked procedure)
• T1031 – The process has tried to stop some active services
• T1086 – Detected the execution of a powershell command with one or more suspicious parameter
• T1129 – Detected the execution of a powershell command with one or more suspicious parameter
• T1564.003 – Detected the execution of a powershell command with one or more suspicious parameter
• T1027 – Detected the execution of a powershell command with one or more suspicious parameter
• T1082 – Queries for the computername
• T1055 – Likely PROPagate Technique is running
• T1012 – The process tried to collect informations about the system reading some known registry keys
• T1082 – The process tried to collect informations about the system reading some known registry keys
• T1050 – The process created a never-started service
• T1086 – Detected some PowerShell commands executions
• T1053 – It registers tasks through ITaskFolder::RegisterTaskDefinition
• T1060 – The process has tried to set its autorun on the system startup
• T1050 – The process has tried to set its autorun on the system startup
• T1112 – The process has tried to set its autorun on the system startup
• T1027.009 – Drops interesting files and uses them
• T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.