Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 0+ minutes, this malware was rapidly detected — demonstrating excellent security controls that intercepted the threat during initial execution phases, severely limiting adversary capabilities.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 52. Missed: 20. Coverage: 72.2%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

MITRE ATT&CK Mapping

• T1083 – get common file path
• T1082 – get hostname
• T1083 – get file size
• T1082 – get memory capacity
• T1082 – get disk information
• T1007 – query service status
• T1082 – enumerate disk volumes
• T1027 – encrypt data using Curve25519
• T1543.003 – stop service
• T1489 – stop service
• T1082 – query environment variable
• T1027 – encrypt data using Salsa20 or ChaCha
• T1083 – enumerate files recursively
• T1082 – get system information on Windows
• T1129 – link function at runtime on Windows
• T1016.001 – list domain servers
• T1113 – capture screenshot
• T1027 – encode data using XOR
• T1027.005 – contain obfuscated stackstrings
• T1135 – enumerate network shares
• T1083 – check if file exists
• T1129 – parse PE header
• T1055.003 – hijack thread execution
• T1620 – hijack thread execution
• T1083 – enumerate files on Windows
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1547 – Adds itself to the Safe Mode boot to ensure its start
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Adds itself to the Safe Mode boot to ensure its start
• T1547.001 – Installs itself for autorun at Windows startup
• T1564 – A process created a hidden window
• T1202 – Uses suspicious command line tools or Windows utilities
• T1562 – Attempts to disable Windows Defender
• T1562 – Attempts to modify Windows Defender using PowerShell
• T1055 – Creates a process in a suspended state, likely for injection
• T1055 – Contains .tls (Thread Local Storage) section
• T1112 – Adds itself to the Safe Mode boot to ensure its start
• T1112 – Installs itself for autorun at Windows startup
• T1064 – A scripting utility was executed
• T1562.001 – Attempts to disable Windows Defender
• T1562.001 – Attempts to modify Windows Defender using PowerShell
• T1564.003 – A process created a hidden window
• T1082 – Checks available memory
• T1082 – Queries the mount points and then resolves volume paths to enumerate storage devices
• T1057 – Enumerates running processes
• T1057 – Enumerates the modules from a process (may be used to locate base addresses in process injection)
• T1059 – A scripting utility was executed
• T1059 – Attempts to disable Windows Defender
• T1059 – Attempts to modify Windows Defender using PowerShell
• T1547.001 – Registers a service to start in safe boot mode
• T1547.001 – Creates an autostart registry key
• T1562.001 – Disables the Windows task manager (taskmgr)
• T1562.001 – Modifies Windows Defender protection settings
• T1562.001 – Disable Task Manager(disabletaskmgr)
• T1562.001 – Disables Windows Defender
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1070.004 – May delete shadow drive data (may be related to ransomware)
• T1057 – Queries a list of all running processes
• T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.