Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 70. Detected as malicious: 54. Missed: 16. Coverage: 77.1%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (68.36% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

MITRE ATT&CK Mapping

• T1083 – get common file path
• T1497.001 – reference anti-VM strings targeting Xen
• T1129 – Drops a binary and executes it
• T1053 – Installs itself for autorun at Windows startup
• T1106 – Created a process from a suspicious location
• T1564 – A process created a hidden window
• T1202 – Uses Windows utilities for basic functionality
• T1562 – Tries to unhook or modify Windows functions monitored by CAPE
• T1055 – Writes to the memory another process
• T1055 – Writes an executable to the memory of another process
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Installs itself for autorun at Windows startup
• T1070 – Deletes executed files from disk
• T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
• T1027 – The binary likely contains encrypted or compressed data
• T1564.003 – A process created a hidden window
• T1027.002 – The binary likely contains encrypted or compressed data
• T1543 – Created a service that was not started
• T1547 – Installs itself for autorun at Windows startup
• T1543.003 – Created a service that was not started
• T1547.001 – Installs itself for autorun at Windows startup
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1082 – Checks available memory
• T1057 – Enumerates running processes
• T1057 – Enumerates the modules from a process (may be used to locate base addresses in process injection)
• T1057 – Expresses interest in specific running processes
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Reads data out of its own binary image
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Suspicious communication with abused trusted site
• T1071 – Reads from the memory of another process
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – A process attempted to delay the analysis task.
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1071 – Network activity contains more than one unique useragent.
• T1573 – Establishes an encrypted HTTPS connection
• T1485 – Anomalous file deletion behavior detected (10+)
• T1027.002 – Creates a page with write and execute permissions
• T1036.001 – Signed executable failed signature validation
• T1055 – Modifies control flow of a process started from a created or modified executable
• T1055.012 – Process Hollowing
• T1057 – Enumerates running processes
• T1112 – Installs system startup script or application
• T1129 – Loads a dropped DLL
• T1134 – Enables process privileges
• T1497.001 – Tries to detect application sandbox
• T1497.003 – Delays execution
• T1547.001 – Installs system startup script or application
• T1564.001 – Hides files
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1129 – The process attempted to dynamically load a malicious function
• T1057 – The process may have looked for a particular process running on the system
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1140 – Detected an attempt to pull out some data from the binary image
• T1129 – The process tried to load dynamically one or more functions.
• T1027.009 – The process has executed a dropped binary
• T1083 – get common file path
• T1071 – Detected one or more anomalous HTTP requests
• T1071 – Detected HTTP requests to some non white-listed domains
• T1057 – The process attempted to detect a running debugger using common APIs
• T1497.001 – reference anti-VM strings targeting Xen
• T1050 – The process has tried to set its autorun on the system startup
• T1060 – The process has tried to set its autorun on the system startup
• T1112 – The process has tried to set its autorun on the system startup
• T1059 – Apparent Internal Usage of CMD.EXE
• T1027.009 – Drops interesting files and uses them
• T1547.001 – Creates an autostart registry key
• T1542.003 – May use bcdedit to modify the Windows boot settings
• T1055 – Hijacks the control flow in another process
• T1055 – Modifies the context of a thread in another process (thread injection)
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1055 – Injects a PE file into a foreign processes
• T1036 – Creates files inside the user directory
• T1562.001 – Launches processes in debugging mode, may be used to hinder debugging
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1497 – Checks if the current process is being debugged
• T1027 – Binary may include packed or crypted data
• T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
• T1027.002 – Binary may include packed or crypted data
• T1518.001 – Checks if the current process is being debugged
• T1057 – Queries a list of all running processes
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1083 – Enumerates the file system
• T1083 – Reads ini files
• T1083 – Writes ini files
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1105 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
• T1105 – Downloads files from webservers via HTTP
• T1105 – Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
• T1095 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
• T1095 – Downloads files from webservers via HTTP
• T1071 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
• T1071 – Downloads files from webservers via HTTP
• T1071 – Uses a known web browser user agent for HTTP communication
• T1055 – Injects code into the Windows Explorer (explorer.exe)
• T1055 – Allocates memory in foreign processes
• T1105 – Downloads executable code via HTTP
• T1071 – C2 URLs / IPs found in malware configuration
• T1071 – Downloads executable code via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.