# Malware Analysis Report

## Summary

- **File**: `3c47eccd8fc8d9a9ce087c5ff5f9dce08d5dd15123b84a44301ca98b6a4f797d`
- **Analysis ID**: #AID=165#
- **Type**: PE32 (x86) executable
- **Size**: 7,752,712 bytes (~7.4 MB)
- **Compiler**: Rust (MSVC 2022 v17.14.2 pre-1.0)
- **PDB Path**: `wallpaper_manager.pdb`
- **Debug Timestamp**: 2025-12-11
- **Entropy**: 116 (overall), overlay entropy 186 (very high)

---

## 1. Generic Info

| Attribute | Value |
|---|---|
| File type | PE32 GUI subsystem |
| Architecture | x86 (32-bit) |
| Language/Runtime | Rust with MSVC CRT |
| PE Checksum | Invalid |
| Overlay | 51,208 bytes, entropy 186, starts with `CRYPTED_` marker |
| .rdata section | 7.2 MB (unusually large — contains embedded data, constants, and base64 blocks) |

---

## 2. Inferred Behavior

This is a **Rust-compiled trojan dropper/loader** disguised as a "wallpaper manager." The file exhibits the following malicious behavior chain:

### a) Persistence via Registry Autorun

A contiguous string at EA `0x713993` (#AID=165#) encodes the full persistence command:

```
LOCALAPPDATA\Microsoft\Windows\Media
C:\Windows\Temp\WindowsMedia
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v /t REG_SZ /d /f
```

This registers a copy of itself in the Windows autorun registry key so it executes on every login.

### b) Process Execution / Shell Spawning

Function `sub_4165e0` (EA `0x159E0`, 15,332 bytes, 993 basic blocks) directly invokes `CreateProcessW` (imported from kernel32). It references `\\cmd.exe` (EA `0x71FC0`) and constructs command-line arguments dynamically. The function includes extensive path resolution logic using `GetModuleFileNameW`, `GetFullPathNameW`, `GetSystemDirectoryW`, and `GetWindowsDirectoryW` — consistent with locating and executing dropped binaries.
### c) Encrypted Payload in Overlay

The file overlay (offset `0x75D000`) begins with the ASCII marker `CRYPTED_` followed by 51KB of high-entropy (186/255) data. This is almost certainly an encrypted payload (secondary executable, shellcode, or configuration) decrypted at runtime.

### d) Base64-Encoded Data

Two large base64-encoded blobs reside in `.rdata` (EA `0x413000`, ~2.7KB, and EA `0x411000`, ~2.5KB). These likely contain additional encrypted configurations, commands, or secondary payloads.

### e) Code Obfuscation Indicators

- **156 instances** of `BigBufferNoXrefMediumToHighEntropy` — large crypto data buffers
- **16 XOR-in-loop** occurrences — runtime decryption primitives
- **47 stack array initializations** — dynamic shellcode/string construction
- **4 spaghetti functions** — obfuscated control flow
- **5 dynamic strings** — strings constructed at runtime to evade static scanning
- **3 high-xref looping functions** — likely string decryption routines

---

## 3. Sub-files

The PE contains only icon resources (10 icons for UI presentation):

- `ICO/1/unk` through `ICO/9/unk` — PNG/DIB icon resources (4KB–68KB)
- `GRPICO/ICON207/unk` — small 132-byte icon entry

No executable sub-files were carved or found as virtual files. The malicious payload is embedded as an encrypted overlay and base64 blobs, not as separate PE files.

---

## 4. IOCs

### Strings/Paths

| IOC | Type | EA |
|---|---|---|
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | Registry persistence key | 0x713A1B |
| `LOCALAPPDATA\Microsoft\Windows\Media` | Dropper target directory | 0x713A1B |
| `C:\Windows\Temp\WindowsMedia` | Temp staging path | 0x713A1B |
| `\\cmd.exe` | Shell execution | 0x71FC4 |
| `CRYPTED_` | Overlay encryption marker | 0x75D000 |

### Hashes (Dynamic/Embedded)

| Hash | Type |
|---|---|
| `2D362799AB4DC06407E23358BE7E902C` | MD5 (appears as dynamic binary string) |
| `6D5DCBD62C50EB637841A657711B8BB9` | MD5 (appears as dynamic binary string) |

### Registry Constants Found in Code

- `HKEY_CURRENT_USER` (4 references)
- `HKEY_LOCAL_MACHINE` (2 references)
- `registry::autorun` constant

---

## 5. Key Detections

| Detection | Reliability | Description |
|---|---|---|
| **AutorunKey** (YARA) | 20/100 | File contains the path of an autorun registry key |
| **RunShell** (YARA) | 70/100 | File starts a shell (cmd.exe) |
| **Kesakode: DustyHammock** | 18/100 | Weak ML-based family classification |
| **Invalid PE Checksum** | N/A | Header checksum is wrong — possible tampering |
| **Unknown overlay (high entropy)** | N/A | 51KB encrypted payload starting with `CRYPTED_` |
| **GUI subsystem with no window APIs** | N/A | Uses GUI subsystem but imports zero user32 window functions — headless execution |
| **Debug timestamp mismatch** | N/A | >1 year difference between PE TimeDateStamp and Debug TimeDateStamp |
| **156 unxref'd crypto buffers** | N/A | Large medium-to-high entropy buffers with no code references |

---

## 6. Counter-Arguments / Caveats

| Argument | Assessment |
|---|---|
| **Kesakode score is very low (18/100)** | Likely a false positive or unknown family; weak evidence standing alone, but corroborated by other findings |
| **AutorunKey YARA reliability is 20/100** | Low confidence on its own, but the full persistence string is unambiguous |
| **Rust binaries can be complex** | Some anomalies (large .rdata, many functions, stack arrays) are normal for the Rust runtime — however, the persistence string and shell execution are not Rust runtime artifacts |
| **No network IOCs found** | No URLs, IPs, or HTTP strings were detected — C2 communication may be encrypted or use a non-standard protocol, or the sample may be a first-stage dropper |
| **Icon resources are benign** | 10 icons are consistent with a wallpaper manager UI — possibly used for social engineering camouflage |
| **Could be a legitimate tool with an aggressive update mechanism** | Possible, but the `reg add` persistence + `cmd.exe` execution + encrypted overlay is an extremely unusual pattern for legitimate software |

---

## 7. Final Verdict

### **MALICIOUS — Confidence: 85/100**

**Classification**: Trojan Dropper / Loader

**Rationale**: The file unambiguously contains:

1. A **registry persistence mechanism** (`HKCU\...\Run`) with hardcoded paths to `%LOCALAPPDATA%\Microsoft\Windows\Media` and `C:\Windows\Temp\WindowsMedia`
2. A **process creation function** that spawns `cmd.exe` and constructs command lines dynamically
3. An **encrypted overlay** (`CRYPTED_` marker + 51KB of high-entropy data)
4. **Multiple obfuscation indicators** (XOR loops, dynamic strings, spaghetti code, crypto buffers)
5. A GUI subsystem entry point **without any window management APIs** — designed for headless execution

The PDB path `wallpaper_manager.pdb` and icon resources serve as camouflage. The combination of persistence, shell execution, encrypted payloads, and obfuscation constitutes a classic dropper/loader pattern.
The 15% uncertainty margin accounts for the low Kesakode confidence and the absence of live C2 network indicators in the static analysis.