Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 47. Missed: 26. Coverage: 64.4%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (73.65% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1083 – enumerate files on Windows
• T1027 – encode data using XOR
• T1129 – link function at runtime on Windows
• T1497.001 – reference anti-VM strings targeting Xen
• T1083 – get common file path
• T1129 – link many functions at runtime
• T1083 – enumerate files recursively
• T1129 – parse PE header
• T1082 – get disk information
• T1083 – get file size
• T1082 – query environment variable
• T1059 – accept command line arguments
• T1057 – enumerate process modules
• T1202 – Uses suspicious command line tools or Windows utilities
• T1202 – Uses Windows utilities for basic functionality
• T1112 – Installs itself for autorun at Windows startup
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1082 – Checks available memory
• T1057 – Uses Windows utilities to enumerate running processes
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – The PE file contains an overlay
• T1071 – Reads data out of its own binary image
• T1106 – Created a process from a suspicious location
• T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
• T1486 – Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
• T1014 – Installs kernel driver
• T1016 – Reads network adapter information
• T1027.002 – Resolves API functions dynamically
• T1071.004 – Performs DNS request
• T1095 – Connects to remote host
• T1095 – Sets up server that accepts incoming connections
• T1112 – Installs system startup script or application
• T1129 – Loads a dropped DLL
• T1134 – Enables process privileges
• T1547.001 – Installs system startup script or application
• T1564.003 – Creates process with hidden window
• T1571 – Tries to connect using an uncommon port
• T1140 – Detected an attempt to pull out some data from the binary image
• T1045 – Manalize Local SandBox Packer Harvesting
• T1063 – It Tries to detect injection methods
• T1027.009 – Drops interesting files and uses them
• T1070.006 – Binary contains a suspicious time stamp
• T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.