Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 70. Detected as malicious: 50. Missed: 20. Coverage: 71.4%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (39.90% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1083 – get common file path
• T1105 – download and write a file
• T1129 – parse PE header
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1055.003 – inject thread
• T1620 – inject thread
• T1055 – Contains .tls (Thread Local Storage) section
• T1055 – Writes to the memory another process
• T1082 – Checks available memory
• T1057 – Expresses interest in specific running processes
• T1057 – Enumerates running processes
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – Reads data out of its own binary image
• T1071 – Suspicious communication with abused trusted site
• T1071 – Reads from the memory of another process
• T1573 – Downloads executable over encrypted HTTPS connection
• T1573 – Establishes an encrypted HTTPS connection
• T1573 – Establishes an encrypted HTTPS connection to a social media API
• T1573 – Establishes an encrypted HTTPS connection to an open-source code-hosting platform
• T1106 – Guard pages use detected – possible anti-debugging.
• T1106 – Created a process from a suspicious location
• T1129 – The process attempted to dynamically load a malicious function
• T1129 – The process tried to load dynamically one or more functions.
• T1057 – The process may have looked for a particular process running on the system
• T1045 – Manalize Local SandBox Packer Harvesting
• T1071 – Detected one or more anomalous HTTP requests
• T1071 – Detected HTTP requests to some non white-listed domains
• T1082 – The process tried to collect informations about the system reading some known registry keys
• T1012 – The process tried to collect informations about the system reading some known registry keys
• T1112 – The process has tried to alter the system certificates
• T1112 – Detected an attempt to write registry keys related to the proxy settings
• T1185 – Detected an attempt to write registry keys related to the proxy settings
• T1071 – Some process has originated direct HTTPS traffic with one or more hosts.
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1055 – Injects code into the Windows Explorer (explorer.exe)
• T1055 – Writes to foreign memory regions
• T1055 – Allocates memory in foreign processes
• T1036 – Creates files inside the user directory
• T1056 – Installs a raw input device (often for capturing keystrokes)
• T1056 – Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1057 – Queries a list of all running processes
• T1083 – Reads ini files
• T1573 – Uses HTTPS
• T1071 – Uses HTTPS

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.