Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 3+ minutes, this malware was rapidly detected — demonstrating excellent security controls that intercepted the threat during initial execution phases, severely limiting adversary capabilities.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 65. Detected as malicious: 27. Missed: 38. Coverage: 41.5%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (33.12% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1082 – get COMSPEC environment variable
• T1082 – get memory capacity
• T1083 – get file size
• T1112 – delete registry value
• T1027 – encode data using Base64
• T1010 – enumerate gui resources
• T1134 – acquire debug privileges
• T1083 – get file version info
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1083 – get common file path
• T1083 – enumerate files recursively
• T1083 – check if file exists
• T1222 – set file attributes
• T1056.001 – log keystrokes via polling
• T1083 – enumerate files on Windows
• T1033 – get session user name
• T1087 – get session user name
• T1012 – query or enumerate registry key
• T1134 – modify access privileges
• T1129 – link function at runtime on Windows
• T1115 – open clipboard
• T1497.002 – check for unmoving mouse cursor
• T1564.003 – hide graphical window
• T1134.001 – impersonate user
• T1016 – get socket status
• T1529 – shutdown system
• T1082 – get system information on Windows
• T1083 – get Program Files directory
• T1112 – delete registry key
• T1105 – download and write a file
• T1082 – get hostname
• T1614.001 – get keyboard layout
• T1056.001 – log keystrokes
• T1129 – link many functions at runtime
• T1012 – query or enumerate registry value
• T1010 – find graphical window
• T1027 – encode data using XOR
• T1115 – list drag and drop files
• T1057 – enumerate process modules
• T1082 – get disk size
• T1547.009 – create shortcut via IShellLink
• T1082 – query environment variable
• T1129 – parse PE header
• T1115 – read clipboard data
• T1082 – get disk information
• T1059 – compiled with AutoIt
• T1113 – capture screenshot
• T1547.001 – get startup folder
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary likely contains encrypted or compressed data
• T1082 – Checks available memory
• T1071 – Reads data out of its own binary image
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – The PE file contains an overlay
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – Binary file triggered YARA rule
• T1071 – Attempts to execute a binary from a dead or sinkholed URL
• T1573 – Establishes an encrypted HTTPS connection
• T1573 – Establishes an encrypted HTTPS connection containing a suspicious or fake User Agent

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.