Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 65. Missed: 8. Coverage: 89.0%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (43.80% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1012 – query or enumerate registry key
• T1614.001 – get keyboard layout
• T1112 – delete registry key
• T1543.003 – continue service
• T1123 – capture microphone audio
• T1027 – encrypt data using AES
• T1056.001 – log keystrokes via application hook
• T1112 – delete registry value
• T1083 – enumerate files on Windows
• T1056.001 – log keystrokes
• T1082 – enumerate disk volumes
• T1082 – get disk information
• T1059.003 – create reverse shell
• T1083 – enumerate files recursively
• T1027 – reference AES constants
• T1055.012 – use process replacement
• T1620 – use process replacement
• T1548.002 – bypass UAC via ICMLuaUtil
• T1010 – enumerate gui resources
• T1518 – get installed programs
• T1129 – link many functions at runtime
• T1543.003 – pause service
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1134 – modify access privileges
• T1115 – read clipboard data
• T1115 – open clipboard
• T1070.004 – self delete
• T1083 – get common file path
• T1222 – set file attributes
• T1547.001 – persist via Run registry key
• T1027 – encode data using XOR
• T1562.001 – disable system features via registry on Windows
• T1056.001 – log keystrokes via polling
• T1083 – get file size
• T1082 – query environment variable
• T1007 – enumerate services
• T1027 – encrypt data using RC4 KSA
• T1614 – get geographical location
• T1059.003 – execute shell command and capture output
• T1027 – encrypt data using RC4 PRGA
• T1543.003 – stop service
• T1489 – stop service
• T1543.003 – start service
• T1129 – link function at runtime on Windows
• T1529 – shutdown system
• T1012 – query or enumerate registry value
• T1113 – capture screenshot
• T1543.003 – modify service
• T1569.002 – modify service
• T1007 – query service status
• T1082 – get system information on Windows
• T1564.003 – hide graphical window
• T1555.003 – gather firefox profile information
• T1083 – check if file exists
• T1129 – parse PE header
• T1033 – get session user name
• T1087 – get session user name
• T1539 – Touches a file containing cookies, possibly for information gathering
• T1082 – Checks available memory
• T1071 – Binary file triggered YARA rule
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1071 – Looks up the external IP address
• T1012 – Query OS Information
• T1027.002 – Resolves API functions dynamically
• T1082 – Query OS Information
• T1095 – Connects to remote host
• T1497.003 – Delays execution
• T1571 – Tries to connect using an uncommon port
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1055 – Maps a DLL or memory area into another process
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1003 – Tries to harvest and steal browser information (history, passwords, etc)
• T1552.002 – Tries to get messenger accounts or passwords
• T1552.001 – Tries to get messenger accounts or passwords
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1057 – Queries a list of all running processes
• T1057 – Queries a list of all open handles
• T1083 – Reads ini files
• T1082 – Queries a list of all open handles
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1082 – Checks if Microsoft Office is installed
• T1082 – Queries the cryptographic machine GUID
• T1114 – Tries to search for mail accounts
• T1560 – Public key (encryption) found
• T1005 – Tries to harvest and steal browser information (history, passwords, etc)
• T1571 – Detected TCP or UDP traffic on non-standard ports
• T1219 – Detected Remcos RAT
• T1105 – Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
• T1105 – Downloads files from webservers via HTTP
• T1105 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
• T1095 – Downloads files from webservers via HTTP
• T1095 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
• T1071 – Downloads files from webservers via HTTP
• T1071 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.