Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 55. Missed: 17. Coverage: 76.4%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Heavy cryptographic operations (52.62% of behavior) indicate potential ransomware, data encryption for exfiltration, or secure C2 communications. The malware is actively encrypting or decrypting sensitive data.

MITRE ATT&CK Mapping

• T1059 – accept command line arguments
• T1497.001 – reference anti-VM strings targeting Xen
• T1529 – shutdown system
• T1083 – enumerate files recursively
• T1083 – get file size
• T1115 – open clipboard
• T1012 – query or enumerate registry value
• T1012 – query or enumerate registry key
• T1112 – delete registry value
• T1010 – find graphical window
• T1112 – delete registry key
• T1082 – get disk size
• T1547.009 – create shortcut via IShellLink
• T1083 – get common file path
• T1082 – check OS version
• T1129 – link function at runtime on Windows
• T1497.001 – reference anti-VM strings targeting VirtualBox
• T1083 – get file system object information
• T1497.001 – reference anti-VM strings targeting VMWare
• T1083 – check if file exists
• T1222 – set file attributes
• T1027 – encode data using XOR
• T1125 – capture webcam image
• T1083 – enumerate files on Windows
• T1082 – query environment variable
• T1003 – Steals private information from local Internet browsers
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1555 – Steals private information from local Internet browsers
• T1552 – Steals private information from local Internet browsers
• T1555.003 – Steals private information from local Internet browsers
• T1552.001 – Steals private information from local Internet browsers
• T1129 – Drops a binary and executes it
• T1106 – Created a process from a suspicious location
• T1106 – Guard pages use detected – possible anti-debugging.
• T1059 – A script process initiated network activity
• T1059 – A script process created a new process
• T1059 – Stores JavaScript or a script command in the registry, likely for fileless persistence
• T1059 – A scripting utility was executed
• T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
• T1064 – A script process created a new process
• T1064 – A script process initiated network activity
• T1064 – A scripting utility was executed
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1055 – Writes an executable to the memory of another process
• T1055 – Writes to the memory another process
• T1548 – A file was accessed within the Public folder.
• T1564 – A process created a hidden window
• T1202 – Uses suspicious command line tools or Windows utilities
• T1202 – Uses Windows utilities for basic functionality
• T1036 – A file was accessed within the Public folder.
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Stores JavaScript or a script command in the registry, likely for fileless persistence
• T1070 – Deletes executed files from disk
• T1497 – Detects VirtualBox through the presence of a registry key
• T1497 – Checks the version of Bios, possibly for anti-virtualization
• T1027 – The binary likely contains encrypted or compressed data
• T1564.003 – A process created a hidden window
• T1027.002 – The binary likely contains encrypted or compressed data
• T1082 – Checks the version of Bios, possibly for anti-virtualization
• T1082 – Checks available memory
• T1057 – Expresses interest in specific running processes
• T1057 – Detects the presence of Wine emulator via registry key
• T1057 – Detects VirtualBox through the presence of a registry key
• T1057 – Checks the version of Bios, possibly for anti-virtualization
• T1057 – Enumerates running processes
• T1057 – Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
• T1012 – Detects VirtualBox through the presence of a registry key
• T1012 – Checks the version of Bios, possibly for anti-virtualization
• T1012 – Detects the presence of Wine emulator via registry key
• T1518 – Detects the presence of Wine emulator via registry key
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – Starts servers listening on 127.0.0.1:0
• T1071 – Reads data out of its own binary image
• T1071 – A script process initiated network activity
• T1071 – Reads from the memory of another process
• T1071 – Terminates another process
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Creates known Neshta virus mutexes
• T1071 – Likely virus infection of existing binary
• T1071 – The PE file contains an overlay
• T1071 – A process attempted to delay the analysis task.
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Looks up the external IP address
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1005 – Steals private information from local Internet browsers
• T1486 – Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
• T1485 – Anomalous file deletion behavior detected (10+)
• T1129 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1083 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1059 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1112 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1134 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1222 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1497.001 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1082 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1012 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1135 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1027 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
• T1129 – The process attempted to dynamically load a malicious function
• T1059 – Detected command line output monitoring
• T1057 – The process has tried to detect the debugger probing the use of page guards.
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1095 – The process started one or more servers (listening on address 127.0.0.1:0)
• T1129 – The process tried to load dynamically one or more functions.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1129 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1083 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1059 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1112 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1134 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1222 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1497.001 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1082 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1012 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1135 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1027 – Detected a call to the Crypt API containing an IP address, a domain, or a filename
• T1027.009 – The process has executed a dropped binary
• T1045 – Manalize Local SandBox Packer Harvesting
• T1071 – Detected one or more anomalous HTTP requests
• T1071 – Detected HTTP requests to some non white-listed domains
• T1057 – The process attempted to detect a running debugger using common APIs
• T1071 – The process behaves as a known keylogger (iSpy)
• T1129 – The process exhibits an execution pattern common in virus infections
• T1083 – The process exhibits an execution pattern common in virus infections
• T1059 – The process exhibits an execution pattern common in virus infections
• T1112 – The process exhibits an execution pattern common in virus infections
• T1134 – The process exhibits an execution pattern common in virus infections
• T1222 – The process exhibits an execution pattern common in virus infections
• T1497.001 – The process exhibits an execution pattern common in virus infections
• T1082 – The process exhibits an execution pattern common in virus infections
• T1012 – The process exhibits an execution pattern common in virus infections
• T1135 – The process exhibits an execution pattern common in virus infections
• T1027 – The process exhibits an execution pattern common in virus infections
• T1112 – The process attempted to store a script command into the registry
• T1202 – The process attempted to store a script command into the registry
• T1082 – Queries for the computername
• T1129 – A process attempted to delay the analysis task by a long amount of time.
• T1083 – A process attempted to delay the analysis task by a long amount of time.
• T1059 – A process attempted to delay the analysis task by a long amount of time.
• T1112 – A process attempted to delay the analysis task by a long amount of time.
• T1134 – A process attempted to delay the analysis task by a long amount of time.
• T1222 – A process attempted to delay the analysis task by a long amount of time.
• T1497.001 – A process attempted to delay the analysis task by a long amount of time.
• T1082 – A process attempted to delay the analysis task by a long amount of time.
• T1012 – A process attempted to delay the analysis task by a long amount of time.
• T1135 – A process attempted to delay the analysis task by a long amount of time.
• T1027 – A process attempted to delay the analysis task by a long amount of time.
• T1063 – The process attempted to detect debuggers and common forensic/analysis tools looking for known devices
• T1119 – The process attempted to detect debuggers and common forensic/analysis tools looking for known devices
• T1082 – The process has tried to retrieve the BIOS version (maybe for checking the virtualization presence)
• T1012 – The process has tried to retrieve the BIOS version (maybe for checking the virtualization presence)
• T1129 – Manalize Local SandBox Strings
• T1083 – Manalize Local SandBox Strings
• T1059 – Manalize Local SandBox Strings
• T1112 – Manalize Local SandBox Strings
• T1134 – Manalize Local SandBox Strings
• T1222 – Manalize Local SandBox Strings
• T1497.001 – Manalize Local SandBox Strings
• T1082 – Manalize Local SandBox Strings
• T1012 – Manalize Local SandBox Strings
• T1135 – Manalize Local SandBox Strings
• T1027 – Manalize Local SandBox Strings
• T1112 – Detected an attempt to write registry keys related to the proxy settings
• T1185 – Detected an attempt to write registry keys related to the proxy settings
• T1112 – The process has tried to set its autorun on the system startup
• T1060 – The process has tried to set its autorun on the system startup
• T1050 – The process has tried to set its autorun on the system startup
• T1053 – It creates a system task
• T1027.009 – Drops interesting files and uses them
• T1064 – Executes batch files
• T1064 – Found WSH timer for Javascript or VBS script (likely evasive script)
• T1091 – May infect USB drives
• T1547.001 – Creates an autostart registry key
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1036 – Creates files inside the user directory
• T1112 – Stores large binary data to the registry
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1027 – Binary may include packed or crypted data
• T1027.002 – Binary may include packed or crypted data
• T1070.006 – Binary contains a suspicious time stamp
• T1070.004 – May delete shadow drive data (may be related to ransomware)
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1120 – Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
• T1083 – Reads ini files
• T1082 – Queries the cryptographic machine GUID
• T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.