Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 47. Missed: 25. Coverage: 65.3%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (45.51% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1083 – get common file path
• T1547.009 – create shortcut via IShellLink
• T1129 – parse PE header
• T1083 – check if file exists
• T1614 – get geographical location
• T1033 – get token membership
• T1134 – modify access privileges
• T1564.003 – hide graphical window
• T1083 – get file system object information
• T1213 – reference WMI statements
• T1047 – connect to WMI namespace via WbemLocator
• T1027 – reference AES constants
• T1027 – encrypt data using AES
• T1083 – enumerate files on Windows
• T1082 – query environment variable
• T1129 – link function at runtime on Windows
• T1222 – set file attributes
• T1027 – encode data using XOR
• T1140 – decrypt data using AES via x86 extensions
• T1012 – query or enumerate registry value
• T1010 – find graphical window
• T1059 – accept command line arguments
• T1082 – check OS version
• T1003 – Accessed credential storage registry keys
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1547 – Installs itself for autorun at Windows startup
• T1053 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1564 – A process created a hidden window
• T1202 – Uses suspicious command line tools or Windows utilities
• T1202 – Uses Windows utilities for basic functionality
• T1562 – Attempts to modify Windows Defender using PowerShell
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Stores JavaScript or a script command in the registry, likely for fileless persistence
• T1064 – Attempts to execute suspicious powershell command arguments
• T1064 – A scripting utility was executed
• T1064 – A powershell command using multiple variables was executed possibly indicative of obfuscation
• T1497 – Detects VirtualBox through the presence of a registry key
• T1497 – Checks the version of Bios, possibly for anti-virtualization
• T1497 – Detects the presence of Windows Defender AV emulator via files
• T1562.001 – Attempts to modify Windows Defender using PowerShell
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – Appears to use command line obfuscation
• T1027 – A powershell command using multiple variables was executed possibly indicative of obfuscation
• T1564.003 – A process created a hidden window
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1082 – Checks available memory
• T1082 – Checks the version of Bios, possibly for anti-virtualization
• T1010 – Checks for the presence of known windows from debuggers and forensic tools
• T1083 – Attempts to identify installed AV products by installation directory
• T1083 – Detects the presence of Windows Defender AV emulator via files
• T1083 – Checks for the presence of known devices from debuggers and forensic tools
• T1057 – Expresses interest in specific running processes
• T1057 – Checks the version of Bios, possibly for anti-virtualization
• T1057 – Detects the presence of Windows Defender AV emulator via files
• T1057 – Enumerates the modules from a process (may be used to locate base addresses in process injection)
• T1057 – Checks for the presence of known windows from debuggers and forensic tools
• T1057 – Uses Windows utilities to enumerate running processes
• T1057 – Detects VirtualBox through the presence of a registry key
• T1057 – Detects the presence of Wine emulator via registry key
• T1057 – Checks for the presence of known devices from debuggers and forensic tools
• T1012 – Detects VirtualBox through the presence of a registry key
• T1012 – Checks the version of Bios, possibly for anti-virtualization
• T1012 – Detects the presence of Wine emulator via registry key
• T1518.001 – Attempts to identify installed AV products by installation directory
• T1518 – Attempts to identify installed AV products by installation directory
• T1518 – Detects the presence of Windows Defender AV emulator via files
• T1518 – Detects the presence of Wine emulator via registry key
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – Reads data out of its own binary image
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Terminates another process
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads from the memory of another process
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1071 – Dynamic (imported) function loading detected
• T1071 – Executable is attempted to be downloaded from an IP
• T1071 – Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext
• T1071 – The PE file contains a PDB path
• T1071 – The PE file contains an overlay
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – A process attempted to delay the analysis task.
• T1573 – Establishes an encrypted HTTPS connection
• T1106 – Guard pages use detected – possible anti-debugging.
• T1106 – Created a process from a suspicious location
• T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
• T1059 – Attempts to modify Windows Defender using PowerShell
• T1059 – Attempts to execute suspicious powershell command arguments
• T1059 – Appears to use command line obfuscation
• T1059 – A powershell command using multiple variables was executed possibly indicative of obfuscation
• T1059 – A scripting utility was executed
• T1059 – Executed a very long command line or script command which may be indicative of chained commands or obfuscation
• T1059 – Stores JavaScript or a script command in the registry, likely for fileless persistence
• T1059 – A script or command line contains a long continuous string indicative of obfuscation
• T1059.001 – Attempts to execute suspicious powershell command arguments
• T1059.001 – A powershell command using multiple variables was executed possibly indicative of obfuscation
• T1485 – Anomalous file deletion behavior detected (10+)
• T1005 – Searches for sensitive browser data
• T1006 – Accesses volumes directly
• T1016 – Queries a host’s domain name
• T1020 – Uses HTTP to upload a large amount of data
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1036.001 – Signed executable failed signature validation
• T1047 – Queries OS version via WMI
• T1047 – Collects hardware properties
• T1047 – Tries to detect the presence of antivirus software
• T1053.005 – Schedules task
• T1053.005 – Schedules task via schtasks
• T1055 – Writes into the memory of another process
• T1055 – Writes into the memory of a process started from a created or modified executable
• T1055 – Modifies control flow of a process started from a created or modified executable
• T1055.012 – Process Hollowing
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1059.001 – Bypasses PowerShell execution policy
• T1070.004 – Deletes file after execution
• T1071.001 – Downloads executable
• T1071.001 – Downloads file
• T1071.001 – Uses HTTP to upload a large amount of data
• T1082 – Queries OS version via WMI
• T1082 – Collects hardware properties
• T1083 – Searches for sensitive browser data
• T1105 – Downloads executable
• T1105 – Downloads file
• T1113 – Takes screenshot
• T1115 – Captures clipboard data
• T1119 – Searches for sensitive browser data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1129 – Loads a dropped DLL
• T1134 – Enables critical process privileges
• T1134 – Enables process privileges
• T1480 – Known malicious mutex name is created
• T1497.003 – Delays execution
• T1518.001 – Tries to detect the presence of antivirus software
• T1552.001 – Searches for sensitive browser data
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1564.003 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1059 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1614 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1134 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1213 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1129 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1547.009 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1222 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1010 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1012 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1033 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1082 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1083 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1027 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1140 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1569.002 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1047 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1129 – The process attempted to dynamically load a malicious function
• T1059 – Detected command line output monitoring
• T1057 – The process has tried to detect the debugger probing the use of page guards.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1027.009 – The process has executed a dropped binary
• T1027 – encode data using XOR
• T1222 – set file attributes
• T1564.003 – hide graphical window
• T1083 – get file system object information
• T1569.002 – interact with driver via control codes
• T1134 – modify access privileges
• T1083 – check if file exists
• T1083 – enumerate files on Windows
• T1082 – check OS version
• T1047 – connect to WMI namespace via WbemLocator
• T1213 – reference WMI statements
• T1083 – get common file path
• T1027 – encrypt data using AES
• T1027 – reference AES constants
• T1140 – decrypt data using AES via x86 extensions
• T1129 – link function at runtime on Windows
• T1033 – get token membership
• T1547.009 – create shortcut via IShellLink
• T1010 – find graphical window
• T1614 – get geographical location
• T1012 – query or enumerate registry value
• T1082 – query environment variable
• T1059 – accept command line arguments
• T1129 – parse PE header
• T1071 – Detected one or more anomalous HTTP requests
• T1071 – Detected HTTP requests to some non white-listed domains
• T1057 – The process attempted to detect a running debugger using common APIs
• T1082 – Queries for the computername
• T1564.003 – A process attempted to delay the analysis task by a long amount of time.
• T1059 – A process attempted to delay the analysis task by a long amount of time.
• T1614 – A process attempted to delay the analysis task by a long amount of time.
• T1134 – A process attempted to delay the analysis task by a long amount of time.
• T1213 – A process attempted to delay the analysis task by a long amount of time.
• T1129 – A process attempted to delay the analysis task by a long amount of time.
• T1547.009 – A process attempted to delay the analysis task by a long amount of time.
• T1222 – A process attempted to delay the analysis task by a long amount of time.
• T1010 – A process attempted to delay the analysis task by a long amount of time.
• T1012 – A process attempted to delay the analysis task by a long amount of time.
• T1033 – A process attempted to delay the analysis task by a long amount of time.
• T1082 – A process attempted to delay the analysis task by a long amount of time.
• T1083 – A process attempted to delay the analysis task by a long amount of time.
• T1027 – A process attempted to delay the analysis task by a long amount of time.
• T1140 – A process attempted to delay the analysis task by a long amount of time.
• T1569.002 – A process attempted to delay the analysis task by a long amount of time.
• T1047 – A process attempted to delay the analysis task by a long amount of time.
• T1055 – Likely PROPagate Technique is running
• T1063 – The process attempted to detect some widespread AVs presence looking at their installation directories
• T1564.003 – Manalize Local SandBox Find Crypto
• T1059 – Manalize Local SandBox Find Crypto
• T1614 – Manalize Local SandBox Find Crypto
• T1134 – Manalize Local SandBox Find Crypto
• T1213 – Manalize Local SandBox Find Crypto
• T1129 – Manalize Local SandBox Find Crypto
• T1547.009 – Manalize Local SandBox Find Crypto
• T1222 – Manalize Local SandBox Find Crypto
• T1010 – Manalize Local SandBox Find Crypto
• T1012 – Manalize Local SandBox Find Crypto
• T1033 – Manalize Local SandBox Find Crypto
• T1082 – Manalize Local SandBox Find Crypto
• T1083 – Manalize Local SandBox Find Crypto
• T1027 – Manalize Local SandBox Find Crypto
• T1140 – Manalize Local SandBox Find Crypto
• T1569.002 – Manalize Local SandBox Find Crypto
• T1047 – Manalize Local SandBox Find Crypto
• T1564.003 – Manalize Local SandBox Strings
• T1059 – Manalize Local SandBox Strings
• T1614 – Manalize Local SandBox Strings
• T1134 – Manalize Local SandBox Strings
• T1213 – Manalize Local SandBox Strings
• T1129 – Manalize Local SandBox Strings
• T1547.009 – Manalize Local SandBox Strings
• T1222 – Manalize Local SandBox Strings
• T1010 – Manalize Local SandBox Strings
• T1012 – Manalize Local SandBox Strings
• T1033 – Manalize Local SandBox Strings
• T1082 – Manalize Local SandBox Strings
• T1083 – Manalize Local SandBox Strings
• T1027 – Manalize Local SandBox Strings
• T1140 – Manalize Local SandBox Strings
• T1569.002 – Manalize Local SandBox Strings
• T1047 – Manalize Local SandBox Strings
• T1086 – Detected some PowerShell commands executions
• T1050 – The process has tried to set its autorun on the system startup
• T1112 – The process has tried to set its autorun on the system startup
• T1060 – The process has tried to set its autorun on the system startup
• T1053 – It registers tasks through ITaskFolder::RegisterTaskDefinition
• T1059 – Apparent Internal Usage of CMD.EXE
• T1063 – It Tries to detect injection methods
• T1027.009 – Drops interesting files and uses them
• T1064 – Drops VBS files to the startup folder (C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup)
• T1064 – Executes batch files
• T1047 – Checks if Antivirus program is installed (via WMI)
• T1047 – Queries process information (via WMI, Win32_Process)
• T1047 – Queries BIOS Information (via WMI, Win32_Bios)
• T1047 – Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
• T1047 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
• T1047 – Queries memory information (via WMI often done to detect virtual machines)
• T1047 – Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
• T1059 – Very long cmdline option found, this is very uncommon (may be encrypted or packed)
• T1059 – Uses cmd line tools excessively to alter registry or file data
• T1053 – Uses schtasks.exe or at.exe to add and modify task schedules
• T1059.001 – Suspicious powershell command line found
• T1059.001 – Bypasses PowerShell execution policy
• T1547.001 – Creates a start menu entry (Start Menu\\Programs\\Startup)
• T1547.001 – Stores files to the Windows startup directory
• T1055 – Injects a PE file into a foreign processes
• T1055 – Writes to foreign memory regions
• T1055 – Injects code into the Windows Explorer (explorer.exe)
• T1055 – Compiles code to inject code (via .Net compiler)
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1055 – Early bird code injection technique detected
• T1036 – Creates files inside the user directory
• T1036 – Creates files inside the system directory
• T1112 – Uses reg.exe to modify the Windows registry
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1497 – Queries Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
• T1497 – Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
• T1497 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
• T1497 – Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
• T1027 – Binary may include packed or crypted data
• T1027 – Sample is packed with UPX
• T1027.002 – Binary may include packed or crypted data
• T1027.002 – File is packed with WinRar
• T1027.002 – .NET source code contains potential unpacker
• T1027.002 – PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
• T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
• T1027.002 – Sample is packed with UPX
• T1518.001 – Checks if Antivirus program is installed (via WMI)
• T1518.001 – Queries Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
• T1518.001 – Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
• T1518.001 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
• T1518.001 – Queries memory information (via WMI often done to detect virtual machines)
• T1518.001 – Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
• T1057 – Queries a list of all running processes
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1083 – Enumerates the file system
• T1083 – Reads ini files
• T1082 – Queries process information (via WMI, Win32_Process)
• T1082 – Queries Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
• T1082 – Queries the cryptographic machine GUID
• T1082 – Queries BIOS Information (via WMI, Win32_Bios)
• T1082 – Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1021.001 – Contains functionality to start a terminal service
• T1105 – Downloads files from webservers via HTTP
• T1105 – Downloads executable code via HTTP
• T1095 – Downloads files from webservers via HTTP
• T1095 – Posts data to webserver
• T1071 – Downloads files from webservers via HTTP
• T1071 – Posts data to webserver
• T1071 – Downloads executable code via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.