Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 12+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 50. Missed: 23. Coverage: 68.5%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (57.14% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1529 – shutdown system
• T1105 – download and write a file
• T1112 – delete registry value
• T1082 – get disk size
• T1010 – find graphical window
• T1115 – open clipboard
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1222 – set file attributes
• T1012 – query or enumerate registry value
• T1083 – get file version info
• T1082 – get hostname
• T1129 – link function at runtime on Windows
• T1112 – delete registry key
• T1083 – enumerate files on Windows
• T1547.009 – create shortcut via IShellLink
• T1083 – get common file path
• T1056.001 – log keystrokes
• T1027 – encode data using XOR
• T1115 – read clipboard data
• T1027.005 – contain obfuscated stackstrings
• T1083 – enumerate files recursively
• T1010 – enumerate gui resources
• T1497.002 – check for foreground window switch
• T1059 – compiled with AutoHotKey
• T1125 – capture webcam image
• T1564.003 – hide graphical window
• T1497.002 – check for unmoving mouse cursor
• T1614.001 – get keyboard layout
• T1113 – capture screenshot
• T1056.001 – log keystrokes via application hook
• T1082 – check OS version
• T1056.001 – log keystrokes via polling
• T1082 – get disk information
• T1082 – query environment variable
• T1012 – query or enumerate registry key
• T1027 – encode data using Base64
• T1083 – check if file exists
• T1129 – link many functions at runtime
• T1083 – get file size
• T1134 – modify access privileges
• T1071 – Binary file triggered YARA rule
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary likely contains encrypted or compressed data
• T1129 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1057 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1129 – The process attempted to dynamically load a malicious function
• T1129 – The process tried to load dynamically one or more functions.
• T1056 – The process behaves as a keylogger (keyboard capturing detected)
• T1179 – The process behaves as a keylogger (keyboard capturing detected)
• T1179 – The process attempted to monitor the mouse events (using a hooked procedure)
• T1129 – Manalize Local SandBox Find Crypto
• T1057 – Manalize Local SandBox Find Crypto
• T1129 – Manalize Local SandBox Strings
• T1057 – Manalize Local SandBox Strings
• T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.