Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 71. Detected as malicious: 42. Missed: 29. Coverage: 59.2%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

MITRE ATT&CK Mapping

• T1082 – query environment variable
• T1562.001 – disable Windows Defender features via registry on Windows
• T1027 – reference Base64 string
• T1027 – encrypt data using speck
• T1129 – parse PE header
• T1027 – encrypt data using RC4 PRGA
• T1027 – encrypt data using Salsa20 or ChaCha
• T1083 – get common file path
• T1083 – check if file exists
• T1027 – encode data using Base64
• T1059 – accept command line arguments
• T1129 – link many functions at runtime
• T1129 – link function at runtime on Windows
• T1027 – encode data using XOR
• T1202 – Uses Windows utilities for basic functionality
• T1202 – Uses suspicious command line tools or Windows utilities
• T1082 – Checks available memory
• T1057 – Uses Windows utilities to enumerate running processes
• T1071 – Binary file triggered YARA rule
• T1106 – Guard pages use detected – possible anti-debugging.
• T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
• T1047 – Queries process information (via WMI, Win32_Process)
• T1036 – Creates files inside the user directory
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1070.004 – May delete shadow drive data (may be related to ransomware)
• T1057 – Uses tasklist.exe to query information about running processes
• T1082 – Queries process information (via WMI, Win32_Process)
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1090 – Found Tor onion address
• T1486 – Modifies user documents (likely ransomware behavior)

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.