Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 60. Missed: 13. Coverage: 82.2%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (57.50% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1027 – encode data using XOR
• T1003 – Accessed credential storage registry keys
• T1129 – Drops a binary and executes it
• T1053 – Installs itself for autorun at Windows startup
• T1564 – A process created a hidden window
• T1202 – Uses Windows utilities for basic functionality
• T1562 – Tries to unhook or modify Windows functions monitored by CAPE
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Installs itself for autorun at Windows startup
• T1070 – Deletes executed files from disk
• T1497 – Checks the version of Bios, possibly for anti-virtualization
• T1497 – Detects VirtualBox through the presence of a registry key
• T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – The binary likely contains encrypted or compressed data
• T1564.003 – A process created a hidden window
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1543 – Created a service that was not started
• T1547 – Installs itself for autorun at Windows startup
• T1543.003 – Created a service that was not started
• T1547.001 – Installs itself for autorun at Windows startup
• T1082 – Checks the version of Bios, possibly for anti-virtualization
• T1082 – Checks available memory
• T1010 – Checks for the presence of known windows from debuggers and forensic tools
• T1083 – Checks for the presence of known devices from debuggers and forensic tools
• T1083 – Attempts to identify installed AV products by installation directory
• T1057 – Checks for the presence of known devices from debuggers and forensic tools
• T1057 – Checks the version of Bios, possibly for anti-virtualization
• T1057 – Detects the presence of Wine emulator via registry key
• T1057 – Expresses interest in specific running processes
• T1057 – Checks for the presence of known windows from debuggers and forensic tools
• T1057 – Enumerates running processes
• T1057 – Detects VirtualBox through the presence of a registry key
• T1012 – Checks the version of Bios, possibly for anti-virtualization
• T1012 – Detects the presence of Wine emulator via registry key
• T1012 – Detects VirtualBox through the presence of a registry key
• T1518.001 – Attempts to identify installed AV products by installation directory
• T1518 – Detects the presence of Wine emulator via registry key
• T1518 – Attempts to identify installed AV products by installation directory
• T1071 – Reads data out of its own binary image
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – A process attempted to delay the analysis task.
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1071 – A ping command was executed with the -n argument possibly to delay analysis
• T1071 – Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext
• T1071 – Executable is attempted to be downloaded from an IP
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1573 – Establishes an encrypted HTTPS connection
• T1485 – Anomalous file deletion behavior detected (10+)
• T1005 – Searches for sensitive browser data
• T1010 – Tries to detect debugger
• T1012 – Tries to detect virtual machine
• T1016 – Queries a host’s domain name
• T1020 – Uses HTTP to upload a large amount of data
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Obfuscates control flow
• T1027.002 – Resolves API functions dynamically
• T1036.001 – Signed executable failed signature validation
• T1047 – Queries OS version via WMI
• T1047 – Collects hardware properties
• T1047 – Tries to detect the presence of antivirus software
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of a process started from a created or modified executable
• T1055.012 – Process Hollowing
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1056.001 – Monitors keyboard input
• T1057 – Enumerates running processes
• T1071.001 – Downloads executable
• T1071.001 – Downloads file
• T1071.001 – Uses HTTP to upload a large amount of data
• T1082 – Enumerates running processes
• T1082 – Queries OS version via WMI
• T1082 – Collects hardware properties
• T1083 – Searches for sensitive browser data
• T1083 – Possibly does reconnaissance
• T1105 – Downloads executable
• T1105 – Downloads file
• T1106 – Tries to evade debugger
• T1113 – Takes screenshot
• T1115 – Captures clipboard data
• T1119 – Searches for sensitive browser data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1124 – Tries to detect virtual machine
• T1129 – Loads a dropped DLL
• T1134 – Enables process privileges
• T1480 – Known malicious mutex name is created
• T1497.001 – Tries to detect virtual machine
• T1497.003 – Delays execution
• T1497.003 – Tries to detect virtual machine
• T1518.001 – Tries to detect the presence of antivirus software
• T1552.001 – Searches for sensitive browser data
• T1553 – Allows invalid SSL certificates
• T1562.001 – Modifies native system functions
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1622 – Tries to evade debugger
• T1129 – The process tried to load dynamically one or more functions.
• T1057 – The process may have looked for a particular process running on the system
• T1045 – Manalize Local SandBox Packer Harvesting
• T1057 – The process attempted to detect a running debugger using common APIs
• T1063 – The process tried to detect the presence of common debug and forensic utilities
• T1119 – The process tried to detect the presence of common debug and forensic utilities
• T1063 – The process attempted to detect debuggers and common forensic/analysis tools looking for known devices
• T1119 – The process attempted to detect debuggers and common forensic/analysis tools looking for known devices
• T1082 – The process has tried to retrieve the BIOS version (maybe for checking the virtualization presence)
• T1012 – The process has tried to retrieve the BIOS version (maybe for checking the virtualization presence)

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.