Edit tour

Windows Analysis Report
Unconfirmed 739754.dll

Overview

General Information

Sample name:Unconfirmed 739754.dll
renamed because original name is a hash value
Original sample name:Unconfirmed 739754.crdownload
Analysis ID:1671111
MD5:f62de98ee452ed4ea0543ee5129fd21d
SHA1:61578f17f4150998911457befb59aed431e393e3
SHA256:5bd74c996047c87917e5cea60eb924e8a63d64271a8787eb29eaee855cdfcd13
Infos:

Detection

Score:2
Range:0 - 100
Confidence:60%

Signatures

Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64
  • loaddll32.exe (PID: 7136 cmdline: loaddll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5172 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5648 cmdline: rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Unconfirmed 739754.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\BuildAgent\work\eb14b679815cea5b\Core\Tools\Tyler.IMS.Publishing\obj\Release\Tyler.IMS.Publishing.pdb source: Unconfirmed 739754.dll
Source: Unconfirmed 739754.dllString found in binary or memory: http://schemas.tylertech.com/ims/packaging/2016/11/imssecure.xsd
Source: Unconfirmed 739754.dllString found in binary or memory: http://schemas.tylertech.com/ims/packaging/2016/11/imsspec.xsd
Source: Unconfirmed 739754.dllBinary or memory string: OriginalFilenameTyler.IMS.Publishing.dllJ vs Unconfirmed 739754.dll
Source: classification engineClassification label: clean2.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: Unconfirmed 739754.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Unconfirmed 739754.dllStatic file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 49.81%
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: Unconfirmed 739754.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Unconfirmed 739754.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Unconfirmed 739754.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\BuildAgent\work\eb14b679815cea5b\Core\Tools\Tyler.IMS.Publishing\obj\Release\Tyler.IMS.Publishing.pdb source: Unconfirmed 739754.dll
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
11
Process Injection
1
Rundll32
OS Credential Dumping1
Virtualization/Sandbox Evasion
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
Virtualization/Sandbox Evasion
LSASS Memory1
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1671111 Sample: Unconfirmed 739754.dll Startdate: 22/04/2025 Architecture: WINDOWS Score: 2 6 loaddll32.exe 1 2->6         started        process3 8 cmd.exe 1 6->8         started        10 conhost.exe 6->10         started        process4 12 rundll32.exe 8->12         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version
No bigger version

windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://schemas.tylertech.com/ims/packaging/2016/11/imsspec.xsd0%Avira URL Cloudsafe
http://schemas.tylertech.com/ims/packaging/2016/11/imssecure.xsd0%Avira URL Cloudsafe
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://schemas.tylertech.com/ims/packaging/2016/11/imssecure.xsdUnconfirmed 739754.dllfalse
  • Avira URL Cloud: safe
unknown
http://schemas.tylertech.com/ims/packaging/2016/11/imsspec.xsdUnconfirmed 739754.dllfalse
  • Avira URL Cloud: safe
unknown
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1671111
Start date and time:2025-04-22 16:49:04 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Unconfirmed 739754.dll
renamed because original name is a hash value
Original Sample Name:Unconfirmed 739754.crdownload
Detection:CLEAN
Classification:clean2.winDLL@6/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 4.245.163.56, 184.29.183.29
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.680936736950834
TrID:
  • Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 49.81%
  • Win32 Dynamic Link Library (generic) (1002004/3) 49.34%
  • Windows Screen Saver (13104/52) 0.65%
  • Generic Win/DOS Executable (2004/3) 0.10%
  • DOS Executable Generic (2002/1) 0.10%
File name:Unconfirmed 739754.dll
File size:55'296 bytes
MD5:f62de98ee452ed4ea0543ee5129fd21d
SHA1:61578f17f4150998911457befb59aed431e393e3
SHA256:5bd74c996047c87917e5cea60eb924e8a63d64271a8787eb29eaee855cdfcd13
SHA512:d6faa30b286f8fafec0c74f3112e7062ca2e6909fdf6db3f46fcee641948dc4d9bfdcbe2f39a89592f7e91439cc673c90b4b1f2992845b969620c7d165c31293
SSDEEP:1536:QwbusnuDZsztM4QMrjWtz6tXyo6bCBGF0qIxjF5:Qwi3DCztzQMrjW1vDCBFqmjr
TLSH:7043C75033FCC33AE6FF2B7D75B0405106F6F689A531DA9D6E81649E2E22B404B61B63
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e.~g.........." ..0.................. ........... .......................@............@................................
Icon Hash:7ae282899bbab082
Entrypoint:0x1000edfa
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x677ED065 [Wed Jan 8 19:22:13 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:dae02f32a21e03ce65412f6e56942daa
Instruction
jmp dword ptr [10002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0xeda80x4f.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x100000x42c.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x120000xc.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0xec700x1c.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x20000xce000xce00b0ca68de35df2275b1ccdaab31fc5c3eFalse0.4386377427184466data5.805383443786634IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc0x100000x42c0x600ac20157ed92d53922c92594ba79a8f8dFalse0.2734375data2.4469577481207856IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x120000xc0x200225ee030e13978e0942d0939b4326e52False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x100580x3d0data0.3985655737704918
DLLImport
mscoree.dll_CorDllMain
DescriptionData
Translation0x0000 0x04b0
Comments
CompanyNameTyler Technologies
FileDescriptionTyler.IMS.Publishing
FileVersion1.4.5.0
InternalNameTyler.IMS.Publishing.dll
LegalCopyrightCopyright Tyler Technologies 2009-2021
LegalTrademarks
OriginalFilenameTyler.IMS.Publishing.dll
ProductNameTyler.IMS.Publishing
ProductVersion1.4.5.0
Assembly Version1.4.5.0
No network behavior found
050100150s020406080100

Click to jump to process

050100150s0.0051015MB

Click to jump to process

Target ID:0
Start time:10:49:54
Start date:22/04/2025
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll"
Imagebase:0x550000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:10:49:54
Start date:22/04/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6e60e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:10:49:54
Start date:22/04/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Imagebase:0x8e0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:10:49:54
Start date:22/04/2025
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\Unconfirmed 739754.dll",#1
Imagebase:0xf00000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

No disassembly