Windows Analysis Report
Desktops.exe

Overview

General Information

Sample name: Desktops.exe
Analysis ID: 1615130
MD5: e768207b1f49d680673af35c5687c10c
SHA1: ef332012524c638f389744f67685a480ce07d7be
SHA256: ff82c4c679c5486aed2d66a802682245a1e9cd7d6ceb65fa0e7b222f902998e8
Tags: exeKouisMoaMegaByteInformationTechnologCoLtduser-SquiblydooBlog
Infos:

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Contains functionality to hide windows to a different desktop
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Desktops.exe Virustotal: Detection: 38% Perma Link
Source: Desktops.exe Static PE information: certificate valid
Source: Binary string: D:\a\1\s\x64\Release\Desktops64.pdb source: Desktops.exe
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012D64 FindFirstFileExW, 0_2_0000000140012D64
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.6:61956 -> 162.159.36.2:53
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Desktops.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Desktops.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Desktops.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Desktops.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Desktops.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Desktops.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Desktops.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Desktops.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Desktops.exe String found in binary or memory: http://www.sysinternals.com
Source: Desktops.exe String found in binary or memory: http://www.sysinternals.comopenOne
Source: Desktops.exe String found in binary or memory: https://www.globalsign.com/repository/0
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400028A7 GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,ReleaseDC,DeleteDC, 0_2_00000001400028A7
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002990 PostMessageW,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,PostMessageW, 0_2_0000000140002990

Protection of GUI
barindex
Contains functionality to hide windows to a different desktop
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 DeleteObject,CreateDesktopW,GetLastError,OpenDesktopW,FormatMessageW,MessageBoxW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,SwitchDesktop,SetThreadDesktop,RegOpenKeyW,RegSetValueExW,RegCloseKey, 0_2_0000000140002E50
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 DeleteObject,CreateDesktopW,GetLastError,OpenDesktopW,FormatMessageW,MessageBoxW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,SwitchDesktop,SetThreadDesktop,RegOpenKeyW,RegSetValueExW,RegCloseKey, 0_2_0000000140002E50
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F8122B NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_01F8122B
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F83433 NtProtectVirtualMemory, 0_2_01F83433
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F833C3 NtProtectVirtualMemory, 0_2_01F833C3
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F832C8 NtProtectVirtualMemory, 0_2_01F832C8
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F8323D NtProtectVirtualMemory, 0_2_01F8323D
Detected potential crypto function
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002BF0 0_2_0000000140002BF0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000B7F8 0_2_000000014000B7F8
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014001A838 0_2_000000014001A838
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140004080 0_2_0000000140004080
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000E104 0_2_000000014000E104
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140003110 0_2_0000000140003110
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000B518 0_2_000000014000B518
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140004540 0_2_0000000140004540
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012D64 0_2_0000000140012D64
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140011184 0_2_0000000140011184
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400155C0 0_2_00000001400155C0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400159EC 0_2_00000001400159EC
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 0_2_0000000140002E50
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000B294 0_2_000000014000B294
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400012E0 0_2_00000001400012E0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012B58 0_2_0000000140012B58
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140010778 0_2_0000000140010778
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400173A0 0_2_00000001400173A0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_00000001400037D0 0_2_00000001400037D0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F8122B 0_2_01F8122B
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F8059D 0_2_01F8059D
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F83C22 0_2_01F83C22
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F80290 0_2_01F80290
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB253F 0_2_01FB253F
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB48F0 0_2_01FB48F0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB24C0 0_2_01FB24C0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB2AC0 0_2_01FB2AC0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB53A0 0_2_01FB53A0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB276B 0_2_01FB276B
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB6360 0_2_01FB6360
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB275C 0_2_01FB275C
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB1551 0_2_01FB1551
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB2550 0_2_01FB2550
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB274A 0_2_01FB274A
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB1330 0_2_01FB1330
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB5F1E 0_2_01FB5F1E
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB2A7A 0_2_01FB2A7A
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB3E73 0_2_01FB3E73
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB302F 0_2_01FB302F
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01FB1000 0_2_01FB1000
Sample file is different than original file name gathered from version info
Source: Desktops.exe, 00000000.00000000.2120368527.00000001400E5000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDesktops2 vs Desktops.exe
Source: Desktops.exe Binary or memory string: OriginalFilenameDesktops2 vs Desktops.exe
Source: classification engine Classification label: mal60.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140002E50 DeleteObject,CreateDesktopW,GetLastError,OpenDesktopW,FormatMessageW,MessageBoxW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,SwitchDesktop,SetThreadDesktop,RegOpenKeyW,RegSetValueExW,RegCloseKey, 0_2_0000000140002E50
Source: Desktops.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Desktops.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Desktops.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Desktops.exe Section loaded: wintypes.dll Jump to behavior
Source: Desktops.exe Static PE information: certificate valid
Source: Desktops.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Desktops.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\1\s\x64\Release\Desktops64.pdb source: Desktops.exe
PE file contains sections with non-standard names
Source: Desktops.exe Static PE information: section name: _RDATA

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download5.png
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Desktops.exe API coverage: 7.1 %
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140012D64 FindFirstFileExW, 0_2_0000000140012D64
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_01F8122B NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,LdrLoadDll,NtProtectVirtualMemory,NtProtectVirtualMemory, 0_2_01F8122B
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000F644 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014000F644
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140014030 GetProcessHeap, 0_2_0000000140014030
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140005500 SetUnhandledExceptionFilter, 0_2_0000000140005500
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014000F644 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014000F644
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140004EBC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0000000140004EBC
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140005318 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0000000140005318
Source: C:\Users\user\Desktop\Desktops.exe Memory protected: page read and write | page execute and write copy | page guard | page no cache Jump to behavior
Source: Desktops.exe Binary or memory string: Shell_TrayWnd
Source: Desktops.exe Binary or memory string: %dTaskbarCreatedDefaultSysinternals Desktop 1Sysinternals Desktop 2Sysinternals Desktop 3S:(ML;;NW;;;LW)OptionsShownHotkeyModifiersHotkeyIsFunctionSoftware\Sysinternals\Desktops%s: %sDesktopsACCELERATORSShell_TrayWnd\Explorer.exeError creating desktopSoftware\Microsoft\Windows\CurrentVersion\ExplorerAltTabSettingsBUTTONHANDSoftware\Microsoft\Windows\CurrentVersion\RunSysinternals Desktopshttp://www.sysinternals.comopenOne or more of the specified hotkeys are in use.
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_000000014001A680 cpuid 0_2_000000014001A680
Source: C:\Users\user\Desktop\Desktops.exe Code function: 0_2_0000000140005570 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0000000140005570
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1615130 Sample: Desktops.exe Startdate: 14/02/2025 Architecture: WINDOWS Score: 60 9 15.164.165.52.in-addr.arpa 2->9 11 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->11 13 Multi AV Scanner detection for submitted file 2->13 6 Desktops.exe 2->6         started        signatures3 process4 signatures5 15 Contains functionality to hide windows to a different desktop 6->15
No contacted IP infos

Contacted Domains

Name IP Active
15.164.165.52.in-addr.arpa unknown unknown