Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 58. Missed: 15. Coverage: 79.5%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (47.92% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1053.002 – schedule task via at
• T1083 – check if file exists
• T1134 – modify access privileges
• T1027.005 – contain obfuscated stackstrings
• T1057 – get process heap flags
• T1129 – link function at runtime on Windows
• T1083 – get file size
• T1027 – encode data using XOR
• T1053.005 – schedule task via schtasks
• T1490 – delete volume shadow copies
• T1070.004 – delete volume shadow copies
• T1083 – get common file path
• T1027 – encrypt data using Curve25519
• T1129 – parse PE header
• T1033 – get session user name
• T1087 – get session user name
• T1070.001 – clear Windows event logs
• T1134 – acquire debug privileges
• T1082 – get system information on Windows
• T1082 – query environment variable
• T1543.003 – delete service
• T1135 – enumerate network shares
• T1082 – get hostname
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1129 – access PEB ldr_data
• T1222 – set file attributes
• T1543.003 – stop service
• T1489 – stop service
• T1083 – enumerate files on Windows
• T1016 – get local IPv4 addresses
• T1497.001 – reference anti-VM strings targeting VirtualBox
• T1082 – get disk information
• T1007 – query service status
• T1543.003 – start service
• T1070.004 – self delete
• T1497.001 – reference anti-VM strings targeting VMWare
• T1027 – reference Base64 string
• T1006 – Accesses volumes directly
• T1016 – Reads network adapter information
• T1016 – Queries a host’s domain name
• T1057 – Enumerates running processes
• T1134 – Enables process privileges
• T1134 – Enables critical process privileges
• T1486 – Appends new extensions to many filenames
• T1489 – Tries to disable antivirus software
• T1489 – Disables a crucial system service
• T1490 – Modifies Windows automatic backups
• T1491.001 – Changes the desktop wallpaper
• T1562.001 – Tries to disable antivirus software
• T1564.003 – Creates process with hidden window
• T1059 – Detected command line output monitoring
• T1129 – The process attempted to dynamically load a malicious function
• T1057 – The process searched for a process without success: maybe some not-found process was needed (browser?)
• T1057 – The process may have looked for a particular process running on the system
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1129 – The process tried to load dynamically one or more functions.
• T1045 – Manalize Local SandBox Packer Harvesting
• T1222 – set file attributes
• T1027 – encrypt data using Curve25519
• T1027 – encode data using XOR
• T1129 – access PEB ldr_data
• T1057 – get process heap flags
• T1134 – acquire debug privileges
• T1083 – enumerate files on Windows
• T1083 – check if file exists
• T1083 – get file size
• T1082 – get system information on Windows
• T1082 – get disk information
• T1053.002 – schedule task via at
• T1135 – enumerate network shares
• T1082 – get hostname
• T1016 – get local IPv4 addresses
• T1082 – query environment variable
• T1129 – parse PE header
• T1129 – link function at runtime on Windows
• T1134 – modify access privileges
• T1007 – query service status
• T1543.003 – start service
• T1543.003 – delete service
• T1083 – get common file path
• T1053.005 – schedule task via schtasks
• T1027 – reference Base64 string
• T1107 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
• T1106 – The process attempted to delete some Shadow Volume Copies (typical in ransomware)
• T1107 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
• T1105 – The process acted as a ransomware (suspicious behaviours common in ransomwares were detected)
• T1031 – The process has tried to stop some active services
• T1082 – Queries for the computername
• T1027.005 – contain obfuscated stackstrings
• T1070.004 – self delete
• T1070.001 – clear Windows event logs
• T1490 – delete volume shadow copies
• T1070.004 – delete volume shadow copies
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1543.003 – stop service
• T1489 – stop service
• T1033 – get session user name
• T1087 – get session user name
• T1497.001 – reference anti-VM strings targeting VirtualBox
• T1497.001 – reference anti-VM strings targeting VMWare
• T1027.009 – Drops interesting files and uses them
• T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.