Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 51. Missed: 22. Coverage: 69.9%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (74.97% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

MITRE ATT&CK Mapping

• T1222 – set file attributes
• T1134 – modify access privileges
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1083 – get common file path
• T1129 – link function at runtime on Windows
• T1055.003 – inject thread
• T1620 – inject thread
• T1129 – link many functions at runtime
• T1082 – get disk information
• T1547.001 – persist via Run registry key
• T1134 – acquire debug privileges
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1055 – Writes to the memory another process
• T1055 – Writes an executable to the memory of another process
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Binary file triggered YARA rule
• T1112 – Installs itself for autorun at Windows startup
• T1497 – Checks for mouse movement
• T1057 – Expresses interest in specific running processes
• T1057 – Enumerates running processes
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of another process
• T1057 – Enumerates running processes
• T1112 – Installs system startup script or application
• T1115 – Captures clipboard data
• T1134 – Enables process privileges
• T1547.001 – Installs system startup script or application
• T1564.001 – Hides files
• T1129 – The process tried to load dynamically one or more functions.
• T1057 – The process may have looked for a particular process running on the system
• T1112 – The process has tried to set its autorun on the system startup
• T1060 – The process has tried to set its autorun on the system startup
• T1050 – The process has tried to set its autorun on the system startup
• T1063 – It Tries to detect injection methods
• T1547.001 – Creates an autostart registry key
• T1055 – Allocates memory in foreign processes
• T1055 – Injects code into the Windows Explorer (explorer.exe)
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1036 – Creates files inside the user directory
• T1057 – Queries a list of all running processes
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.