Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

## Summary

The submitted sample #AID=178# is a 32-bit Windows PE executable of 7,752,712 bytes, SHA-256:

`3c47eccd8fc8d9a9ce087c5ff5f9dce08d5dd15123b84a44301ca98b6a4f797d`

Malcat identifies compiler/tooling indicators for Rust and MSVC 2022. The debug metadata contains `wallpaper_manager.pdb`, suggesting the project was built under the name "wallpaper_manager". The file has a very large `.rdata` section and a medium/high-entropy overlay of 51,208 bytes. The resource and virtual sub-files are icon/image resources only.

Overall, the file is assessed as **malicious or highly suspicious**, primarily because of embedded persistence and staging strings, runtime base64/XOR decoding, process execution capability, and deceptive Windows-Media-like paths under user-writable locations.

## Key detections/IOCs

### File IOCs

- #AID=178# root file:
  - SHA-256: `3c47eccd8fc8d9a9ce087c5ff5f9dce08d5dd15123b84a44301ca98b6a4f797d`
  - PE32 / x86 Windows executable
  - Debug path: `wallpaper_manager.pdb`

### Host/path/registry IOCs extracted from strings

Found in #AID=178#:

- `LOCALAPPDATA`
- `MicrosoftWindowsMedia`
- `C:\Windows\Temp\WindowsMedia`
- `regadd`
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- `/v`
- `/tREG_SZ`
- `/d`
- `/f`
- `\cmd.exe`

The most relevant combined string is:

`LOCALAPPDATAMicrosoftWindowsMediaC:\Windows\Temp\WindowsMediaregaddHKCU\Software\Microsoft\Windows\CurrentVersion\Run/v/tREG_SZ/d/f`

The missing separators are expected in a Rust binary: Rust stores string literals as pointer/length pairs without NUL terminators, so adjacent literals run together in a string dump. The underlying fragments are therefore most likely `LOCALAPPDATA`, `Microsoft`, `WindowsMedia`, `reg add`, the Run key path, and the `/v`, `/t REG_SZ`, `/d`, `/f` switches of `reg add`, which the program assembles at runtime. This strongly suggests the program builds or uses commands/paths involving:

- a user-local persistence directory masquerading as a Microsoft Windows Media location (most plausibly `%LOCALAPPDATA%\Microsoft\WindowsMedia`),
- a temp staging path (`C:\Windows\Temp\WindowsMedia`, which standard users can create files in),
- and the HKCU Run autorun registry key.

### Detection highlights

- YARA:
  - `AutorunKey` matched: the file contains an autorun registry key path.
  - `RunShell` matched: the file contains shell execution indicators.
  - `Rust` compiler indicator.
- Malcat anomalies:
  - `HugeStringBase64` on two large base64-looking strings.
  - `DynamicString` and `FewStrings`: few plaintext strings for a 7.7 MB binary, consistent with the meaningful strings being carried inside the encoded blobs.
  - `UnknownOverlayMediumToHighEntropy`.
  - `StackArrayInitialisationX86`, `XorInLoop`, `ManyHighValueImmediates` and `SpaghettiFunction`, consistent with encoded-data handling and/or obfuscation.
- Kesakode:
  - `DustyHammock`, confidence 18/100.
  - `Spankrat`, confidence 0/100.
  - This is a weak family classification and was not used as a primary basis for the verdict.

## Evidence

### Generic file information

The root sample #AID=178# is a PE32 x86 executable. It contains Rust runtime indicators and MSVC 2022 linker/Rich-header indicators. Debug metadata references `wallpaper_manager.pdb`.

Sections of note in #AID=178#:

- `.text`: executable code.
- `.rdata`: very large (~7.29 MB of the 7.75 MB file), containing many strings and data blocks.
- `.rsrc`: icon resources.
- overlay: 51,208 bytes, medium-to-high entropy, unidentified by Malcat.

The virtual/carved sub-files are icon/image resources only:

- #AID=178# `ICO/1/unk` through `ICO/9/unk`
- #AID=178# `GRPICO/ICON207/unk`

No pertinent executable or script sub-file was identified among the virtual files.

### Inferred behavior

The program appears to carry encoded embedded data and decode it at runtime. Function `sub_401330` #AID=178# references the suspicious persistence/staging string many times. Its decompilation shows base64-like decoding followed by an XOR pass over the decoded bytes: the function iterates through embedded data records, decodes each base64-like buffer, XORs the result with a per-record key byte, and then processes the resulting data.
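The decoding scheme described above is simple enough to reproduce for triage. The following Python is an added example written for this report; it is not code recovered from the sample, nor part of Malcat. It scans a dumped section (for instance the `.rdata` section) for long base64 runs, decodes each one, brute-forces the single XOR key byte (the record metadata layout that carries the real key was not recovered, so the key is assumed unknown), and ranks candidates by how many fragments known to be in the binary reappear. The record layout, the `make_sample` helper and the data it produces are constructed assumptions; only the fragment list comes from the strings above.

```python
"""Triage helper for base64 + single-byte-XOR encoded records.

Added example for this analysis, not code recovered from the sample or
from Malcat. It follows the record handling described above (base64
decode, then XOR every byte with one key byte per record). The record
metadata layout that carries the key was not recovered, so the key is
brute-forced and results are scored against known plaintext fragments.
"""
import base64
import re
import string
from typing import List, Optional, Tuple

# Plaintext fragments taken from the sample's strings section. A correct
# key should make at least one of them reappear in the decoded output.
KNOWN_FRAGMENTS = [
    b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"LOCALAPPDATA",
    b"WindowsMedia",
    b"C:\\Windows\\Temp",
    b"cmd.exe",
    b"REG_SZ",
]

# A run of base64 alphabet characters long enough to be worth a look.
# Malcat's HugeStringBase64 fires on far longer runs; 32 is a triage floor.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
PRINTABLE = set(string.printable.encode())


def find_base64_blobs(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, blob) for every long base64-looking run in data."""
    return [(m.start(), m.group()) for m in B64_RUN.finditer(data)]


def b64_decode_lenient(blob: bytes) -> Optional[bytes]:
    """Decode base64, repairing missing padding; None if it is not base64."""
    stripped = blob.rstrip(b"=")
    padded = stripped + b"=" * (-len(stripped) % 4)
    try:
        # binascii.Error is a ValueError subclass, so one except covers both
        return base64.b64decode(padded, validate=True)
    except ValueError:
        return None


def xor_bytes(buf: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the sample's post-processing step)."""
    return bytes(b ^ key for b in buf)


def score_plaintext(buf: bytes) -> int:
    """Higher is better: fragment hits dominate, printable ratio breaks ties."""
    hits = sum(buf.count(f) for f in KNOWN_FRAGMENTS)
    printable = sum(b in PRINTABLE for b in buf)
    return hits * 1000 + (printable * 100) // max(len(buf), 1)


def brute_force_xor(decoded: bytes) -> List[Tuple[int, bytes, int]]:
    """Try all 256 single-byte keys; return (key, plaintext, score), best first."""
    ranked = []
    for key in range(256):
        plaintext = xor_bytes(decoded, key)
        ranked.append((key, plaintext, score_plaintext(plaintext)))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


def decode_record(blob: bytes, key: int) -> Optional[bytes]:
    """The routine as described: base64-decode, then XOR with the record's key."""
    raw = b64_decode_lenient(blob)
    return None if raw is None else xor_bytes(raw, key)


def triage(data: bytes, min_hits: int = 1) -> List[dict]:
    """Scan a dumped section for encoded records and recover their plaintext."""
    findings = []
    for offset, blob in find_base64_blobs(data):
        raw = b64_decode_lenient(blob)
        if raw is None:
            continue
        key, plaintext, score = brute_force_xor(raw)[0]
        if score // 1000 >= min_hits:  # at least min_hits known fragments found
            findings.append({"offset": offset, "key": key, "plaintext": plaintext})
    return findings


def make_sample(plaintexts: List[bytes], keys: List[int]) -> bytes:
    """Constructed test data: encode fragments the way the decoder expects and
    separate them with NUL filler so the scan has to locate them."""
    parts = [b"\x00" * 16]
    for pt, key in zip(plaintexts, keys):
        parts.append(base64.b64encode(xor_bytes(pt, key)))
        parts.append(b"\x00" * 8)
    return b"".join(parts)


if __name__ == "__main__":
    # Two fragments seen in the sample, encoded here with arbitrary keys.
    sample = make_sample(
        [b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         b"C:\\Windows\\Temp\\WindowsMedia"],
        [0x5A, 0xC3],
    )
    for f in triage(sample):
        print(f"offset=0x{f['offset']:x} key=0x{f['key']:02x} {f['plaintext']!r}")
```

Against the real sample, `triage(open(rdata_dump, "rb").read())` is the intended call; raise `min_hits` if the section yields many low-confidence candidates. If a recovered record turns out to carry its own key byte, `decode_record` applies it directly and the brute force is unnecessary.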
The suspicious combined string referenced by `sub_401330` contains:

- `LOCALAPPDATA`
- `MicrosoftWindowsMedia`
- `C:\Windows\Temp\WindowsMedia`
- `regadd`
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- `/v /t REG_SZ /d /f`-style command fragments

This is consistent with constructing a `reg add` command that installs persistence under the current user's Run key, most likely pointing at a copy of the payload in a masqueraded "WindowsMedia" directory. Because the key is under HKCU, no elevation is needed to write it.

The program imports and uses `CreateProcessW`. The decompiled function `sub_4165e0` #AID=178# references `\cmd.exe` and contains Windows process-spawning logic around `kernel32.CreateProcessW`. Some of this code may belong to Rust standard-library process handling: Rust's `std::process::Command` on Windows launches `.bat`/`.cmd` programs through `cmd.exe`, so a `cmd.exe` reference next to `CreateProcessW` is not suspicious on its own. It is the persistence command fragments that give the process execution capability its malicious relevance.

No network IOCs such as URLs or domains were found in the strings examined. If the two large base64 blobs carry the program's real configuration, network indicators may only become visible after decoding them.

### Interesting functions

#### `sub_401330` #AID=178#

Relevant observations:

- References the suspicious persistence/staging string:
  - `LOCALAPPDATAMicrosoftWindowsMediaC:\Windows\Temp\WindowsMediaregaddHKCU\Software\Microsoft\Windows\CurrentVersion\Run/v/tREG_SZ/d/f`
- Contains base64-like decoding logic:
  - character lookup table access,
  - padding handling,
  - output buffer construction.
- Applies XOR to the decoded bytes:
  - each decoded buffer is XORed with a key byte taken from the embedded record's metadata.
- Iterates through multiple embedded records.

This strongly suggests an unpacking/deobfuscation routine for embedded strings, commands or payload data.

#### `sub_4165e0` #AID=178#

Relevant observations:

- References `\cmd.exe`.
- Contains command/path construction and process creation logic.
- Calls `kernel32.CreateProcessW`.
- Handles executable path discovery, full path expansion, environment data and process startup structures.
This behavior can be legitimate in Rust runtime/process-spawning support, but in this sample it is relevant because the other recovered strings indicate likely use of `cmd.exe`/`reg add` for persistence.

### Sub-files

No malicious sub-file was identified. The virtual/carved files in #AID=178# are icon/image resources:

- #AID=178# `ICO/1/unk`: PNG image resource.
- #AID=178# `ICO/2/unk` through `ICO/9/unk`: DIB image resources.
- #AID=178# `GRPICO/ICON207/unk`: group icon metadata.

These were not pertinent to the malicious behavior assessment.

## Verdict

**Final verdict: Malicious**

**Confidence: 80/100**

The sample #AID=178# contains strong indicators of malicious persistence and staging behavior: autorun Run-key fragments, `reg add`, user-writable masqueraded WindowsMedia paths, `cmd.exe` execution support, and encoded/obfuscated embedded data decoded by custom base64/XOR logic.

The main limitation is that some of the process-spawning code appears to overlap with Rust standard-library behavior, and the exact final command line was not fully reconstructed. However, the persistence-related strings and their use from the decoding/processing code are sufficiently suspicious to classify the file as malware.
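For responders, the persistence indicators in this report translate into a concrete hunt over process-creation telemetry: `reg add` (run directly or through `cmd.exe /c`) writing the HKCU Run key with a value whose data points under `%LOCALAPPDATA%\Microsoft\WindowsMedia` or `C:\Windows\Temp\WindowsMedia`. The following Python is an added example written for this report; it is not derived from the sample's actual command line, which was not reconstructed, and it is not part of any detection product. The event records it runs over are constructed in a minimal Sysmon Event ID 1 / Security 4688 shape, and the value names and file names in them are invented. The two benign records show what the check must not fire on: a Run value into Program Files, and the lookalike `WindowsMediaPlayer` directory under a different key.

```python
"""Hunt for the Run-key persistence pattern indicated by the sample's strings.

Added example for this analysis, not code from the report or from any
product. It flags `reg add` command lines that write the HKCU Run key with
data pointing into the masqueraded WindowsMedia directories named by the
strings. The events below are constructed, not captured telemetry.
"""
import re
from typing import List, Optional

RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"

# Staging/persistence directories named by the sample's strings. The trailing
# backslash keeps a benign "WindowsMediaPlayer" directory from matching.
SUSPICIOUS_DIRS = [
    re.compile(r"(?:%localappdata%|\\appdata\\local)\\microsoft\\windowsmedia\\", re.I),
    re.compile(r"c:\\windows\\temp\\windowsmedia\\", re.I),
]

# Minimal Windows-style argv split: double-quoted runs or whitespace tokens.
# Escaped quotes inside a quoted token are not handled; adequate for hunting.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unwrap_cmd(argv: List[str]) -> List[str]:
    """If the record is `cmd.exe /c <command>`, return the inner command's argv."""
    if (len(argv) > 2 and basename(argv[0]) in ("cmd", "cmd.exe")
            and argv[1].lower() in ("/c", "/k")):
        inner = argv[2:]
        # `cmd /c "reg add ..."` arrives as one quoted token: split it again
        return split_cmdline(inner[0]) if len(inner) == 1 else inner
    return argv


def parse_reg_add(argv: List[str]) -> Optional[dict]:
    """Parse `reg add <key> [/v name] [/t type] [/d data] [/f]`; None if not one."""
    if (len(argv) < 3 or basename(argv[0]) not in ("reg", "reg.exe")
            or argv[1].lower() != "add"):
        return None
    # Normalise the hive so HKEY_CURRENT_USER and HKCU compare equal.
    key = argv[2].lower().replace("hkey_current_user\\", "hkcu\\").rstrip("\\")
    rec = {"key": key, "value": None, "type": None, "data": None, "force": False}
    switches = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(argv):
        sw = argv[i].lower()
        if sw == "/f":
            rec["force"] = True
            i += 1
        elif sw in switches and i + 1 < len(argv):
            rec[switches[sw]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return rec


def is_suspicious_run_key_write(cmdline: str) -> Optional[dict]:
    """Parsed reg add record if it installs a Run value into a masqueraded
    WindowsMedia directory, else None."""
    rec = parse_reg_add(unwrap_cmd(split_cmdline(cmdline)))
    if rec is None or rec["key"] != RUN_KEY:
        return None
    if not any(p.search(rec["data"] or "") for p in SUSPICIOUS_DIRS):
        return None
    rec["reason"] = "HKCU Run value points into a masqueraded WindowsMedia directory"
    return rec


# Constructed process-creation records (not real telemetry; names invented).
CONSTRUCTED_EVENTS = [
    # the shape the strings suggest, via cmd.exe, with %LOCALAPPDATA% expanded
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                '/v Media /t REG_SZ /d "C:\\Users\\u\\AppData\\Local\\Microsoft\\WindowsMedia\\wm.exe" /f'},
    # direct reg.exe, long hive name, temp staging directory
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg  add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                '/v Media /t REG_SZ /d C:\\Windows\\Temp\\WindowsMedia\\wm.exe /f'},
    # benign: Run value into Program Files
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                '/v Vendor /t REG_SZ /d "C:\\Program Files\\Vendor\\agent.exe" /f'},
    # benign: lookalike directory under a non-autorun key
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add HKCU\\Software\\Microsoft\\MediaPlayer\\Preferences '
                '/v Cache /t REG_SZ /d C:\\Windows\\Temp\\WindowsMediaPlayer\\c.dat /f'},
]


def hunt(events: List[dict]) -> List[dict]:
    """Return matching events, annotated with the parsed reg add fields."""
    out = []
    for ev in events:
        rec = is_suspicious_run_key_write(ev["cmdline"])
        if rec:
            out.append({**ev, **rec})
    return out


if __name__ == "__main__":
    for r in hunt(CONSTRUCTED_EVENTS):
        print(f"{r['image']}: {r['reason']} (value={r['value']!r}, data={r['data']!r})")
```

Because the sample assembles the command at runtime from fragments, string-matching the binary is not enough for endpoint detection; the command line only exists once `CreateProcessW` runs, which is why the check is written against process-creation records. Registry-write telemetry (Sysmon Event ID 13 on the Run key) gives a second, independent signal for the same behavior.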