Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 59. Missed: 14. Coverage: 80.8%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (38.99% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

MITRE ATT&CK Mapping

• T1620 – load .NET assembly
• T1564 – A process created a hidden window
• T1202 – Uses Windows utilities for basic functionality
• T1202 – Uses suspicious command line tools or Windows utilities
• T1562 – Attempts to modify Windows Defender using PowerShell
• T1036 – Attempts to mimic the file extension of a PDF document by having ‘pdf’ in the file name.
• T1055 – Writes an executable to the memory of another process
• T1055 – Writes to the memory another process
• T1070 – Deletes executed files from disk
• T1064 – A scripting utility was executed
• T1497 – Checks for mouse movement
• T1562.001 – Attempts to modify Windows Defender using PowerShell
• T1027 – The binary likely contains encrypted or compressed data
• T1564.003 – A process created a hidden window
• T1027.002 – The binary likely contains encrypted or compressed data
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1082 – Checks available memory
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – Reads from the memory of another process
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1106 – Guard pages use detected – possible anti-debugging.
• T1059 – Attempts to modify Windows Defender using PowerShell
• T1059 – A scripting utility was executed
• T1129 – The process attempted to dynamically load a malicious function
• T1059 – Detected command line output monitoring
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1057 – The process has tried to detect the debugger probing the use of page guards.
• T1027 – Detected the execution of a powershell command with one or more suspicious parameter
• T1129 – Detected the execution of a powershell command with one or more suspicious parameter
• T1086 – Detected the execution of a powershell command with one or more suspicious parameter
• T1129 – The process tried to load dynamically one or more functions.
• T1620 – load .NET assembly
• T1057 – The process attempted to detect a running debugger using common APIs
• T1089 – The process has tried to suspend a sandbox-related thread (possible sandbox evasion attempt)
• T1082 – Queries for the computername
• T1086 – Detected some PowerShell commands executions
• T1027.009 – Drops interesting files and uses them
• T1055 – Injects a PE file into a foreign processes
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1036 – Creates files inside the user directory
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1562.001 – Adds a directory exclusion to Windows Defender
• T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
• T1497 – Queries disk information (often used to detect virtual machines)
• T1497 – Checks if the current process is being debugged
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1027 – Binary may include packed or crypted data
• T1027.002 – .NET source code contains potential unpacker
• T1027.002 – Binary may include packed or crypted data
• T1027.002 – PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
• T1518.001 – Queries disk information (often used to detect virtual machines)
• T1518.001 – Checks if the current process is being debugged
• T1518.001 – Tries to detect virtualization through RDTSC time measurements
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1057 – Queries a list of all running processes
• T1083 – Reads ini files
• T1082 – Queries disk information (often used to detect virtual machines)
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1082 – Queries the cryptographic machine GUID
• T1082 – Tries to detect virtualization through RDTSC time measurements
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.