Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 10+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 57. Missed: 16. Coverage: 78.1%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (54.71% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1222 – set file attributes
• T1125 – capture webcam image
• T1012 – query or enumerate registry value
• T1112 – delete registry key
• T1082 – query environment variable
• T1083 – enumerate files on Windows
• T1083 – check if file exists
• T1083 – get file system object information
• T1083 – enumerate files recursively
• T1129 – link many functions at runtime
• T1059 – accept command line arguments
• T1115 – open clipboard
• T1010 – find graphical window
• T1083 – get common file path
• T1012 – query or enumerate registry key
• T1547.009 – create shortcut via IShellLink
• T1056.001 – log keystrokes via polling
• T1082 – get disk size
• T1083 – get file size
• T1083 – get file version info
• T1529 – shutdown system
• T1027 – encode data using XOR
• T1129 – link function at runtime on Windows
• T1070.004 – self delete
• T1112 – delete registry value
• T1006 – Accesses volumes directly
• T1027.002 – Resolves API functions dynamically
• T1057 – Enumerates running processes
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1129 – The process attempted to dynamically load a malicious function
• T1129 – The process tried to load dynamically one or more functions.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1045 – Manalize Local SandBox Packer Harvesting
• T1082 – Queries for the computername
• T1027.009 – Drops interesting files and uses them
• T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.