Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (48.92% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1113 – capture screenshot
• T1620 – invoke .NET assembly method
• T1082 – get OS version in .NET
• T1033 – Collects and encrypts information about the computer likely to send to C2 server
• T1082 – Checks available memory
• T1003 – Accessed credential storage registry keys
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1564 – A process created a hidden window
• T1562 – Attempts to modify Windows Defender using PowerShell
• T1055 – Writes an executable to the memory of another process
• T1055 – Writes to the memory another process
• T1070.006 – The PE file contains an overlay
• T1070.006 – Reads from the memory of another process
• T1070.006 – The PE file contains a suspicious PDB path
• T1070.006 – Binary compilation timestomping detected
• T1070.006 – Yara detections observed in process dumps, payloads or dropped files
• T1070.006 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1070 – The PE file contains an overlay
• T1070 – Deletes executed files from disk
• T1070 – Reads from the memory of another process
• T1070 – The PE file contains a suspicious PDB path
• T1070 – Binary compilation timestomping detected
• T1070 – Yara detections observed in process dumps, payloads or dropped files
• T1070 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1064 – A scripting utility was executed
• T1562.001 – Attempts to modify Windows Defender using PowerShell
• T1027 – The binary likely contains encrypted or compressed data
• T1564.003 – A process created a hidden window
• T1027.002 – The binary likely contains encrypted or compressed data
• T1071 – The PE file contains an overlay
• T1071 – Reads from the memory of another process
• T1071 – The PE file contains a suspicious PDB path
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1106 – Guard pages use detected – possible anti-debugging.
• T1059 – A scripting utility was executed
• T1059 – Attempts to modify Windows Defender using PowerShell
• T1560 – Collects and encrypts information about the computer likely to send to C2 server
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1036.001 – Signed executable failed signature validation
• T1047 – Queries OS version via WMI
• T1047 – Collects hardware properties
• T1047 – Tries to detect the presence of antivirus software
• T1053.005 – Schedules task
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of another process
• T1055.012 – Process Hollowing
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1056.001 – Monitors keyboard input
• T1056.004 – Monitors keyboard input
• T1057 – Enumerates running processes
• T1071.004 – Performs DNS request
• T1082 – Enumerates running processes
• T1082 – Queries OS version via WMI
• T1082 – Collects hardware properties
• T1095 – Connects to remote host
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1134 – Enables process privileges
• T1518.001 – Tries to detect the presence of antivirus software
• T1564.003 – Creates process with hidden window
• T1571 – Tries to connect using an uncommon port
• T1129 – The process attempted to dynamically load a malicious function
• T1059 – Detected command line output monitoring
• T1198 – The binary has an Authenticode signature
• T1198 – The file have a Trusted Certificate
• T1057 – The process has tried to detect the debugger probing the use of page guards.
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1129 – The process tried to load dynamically one or more functions.
• T1129 – Detected the execution of a powershell command with one or more suspicious parameter
• T1027 – Detected the execution of a powershell command with one or more suspicious parameter
• T1086 – Detected the execution of a powershell command with one or more suspicious parameter
• T1140 – Detected an attempt to pull out some data from the binary image
• T1082 – get OS version in .NET
• T1113 – capture screenshot
• T1057 – The process attempted to detect a running debugger using common APIs
• T1056 – The process behaves as a keylogger (keyboard capturing detected)
• T1179 – The process behaves as a keylogger (keyboard capturing detected)
• T1082 – Queries for the computername
• T1086 – Detected some PowerShell commands executions
• T1027.009 – Drops interesting files and uses them
• T1053 – It creates a system task

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.