Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 57. Missed: 16. Coverage: 78.1%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (67.09% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1082 – get disk information
• T1033 – get token membership
• T1082 – get memory capacity
• T1134.001 – impersonate user
• T1056.001 – log keystrokes via polling
• T1129 – parse PE header
• T1033 – get session user name
• T1087 – get session user name
• T1115 – read clipboard data
• T1082 – get COMSPEC environment variable
• T1056.001 – log keystrokes
• T1082 – query environment variable
• T1010 – find graphical window
• T1497.002 – check for unmoving mouse cursor
• T1529 – shutdown system
• T1115 – open clipboard
• T1547.009 – create shortcut via IShellLink
• T1134 – acquire debug privileges
• T1027 – encode data using Base64
• T1113 – capture screenshot
• T1083 – get file size
• T1083 – enumerate files recursively
• T1134 – modify access privileges
• T1082 – get disk size
• T1222 – set file attributes
• T1129 – link function at runtime on Windows
• T1027 – encode data using XOR
• T1012 – query or enumerate registry value
• T1083 – get file version info
• T1105 – download and write a file
• T1059 – compiled with AutoIt
• T1082 – get hostname
• T1016 – get socket status
• T1083 – check if file exists
• T1614.001 – get keyboard layout
• T1082 – get system information on Windows
• T1115 – list drag and drop files
• T1112 – delete registry key
• T1083 – get common file path
• T1083 – enumerate files on Windows
• T1564.003 – hide graphical window
• T1112 – delete registry value
• T1010 – enumerate gui resources
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1012 – query or enumerate registry key
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Binary file triggered YARA rule
• T1071 – Reads data out of its own binary image
• T1071 – A process attempted to delay the analysis task.
• T1071 – Reads from the memory of another process
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1112 – Installs itself for autorun at Windows startup
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary likely contains encrypted or compressed data
• T1010 – Monitors user input
• T1012 – Query OS Information
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of another process
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1056.001 – Monitors keyboard input
• T1056.004 – Monitors keyboard input
• T1071.004 – Performs DNS request
• T1082 – Query OS Information
• T1106 – Makes direct system call to possibly evade hooking based monitoring
• T1115 – Captures clipboard data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1497.003 – Delays execution
• T1547.001 – Installs system startup script or application
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1064 – Executes visual basic scripts
• T1064 – Drops VBS files to the startup folder (C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup)
• T1064 – Found WSH timer for Javascript or VBS script (likely evasive script)
• T1547.001 – Creates a start menu entry (Start Menu\\Programs\\Startup)
• T1547.001 – Stores files to the Windows startup directory
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1036 – Creates files inside the user directory
• T1518.001 – Switches to a customs stack to bypass stack traces
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1083 – Reads ini files
• T1082 – Queries the cryptographic machine GUID
• T1082 – Switches to a customs stack to bypass stack traces
• T1560 – Public key (encryption) found
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.