Windows Analysis Report
msimg32.dll

Overview

General Information

Sample name: msimg32.dll
Analysis ID: 1528944
MD5: 26fc1bca08f774ae76ac140ada344686
SHA1: bc93c170f1b131d9fa8c7ae835e583eeef3cf885
SHA256: 63a8464636601279443580899d9d0bae931360251992af15f040d98e2f1f8118
Tags: dll, TaxOrganizer2023, user-JAMESWT_MHT

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: msimg32.dll ReversingLabs: Detection: 18%
Source: msimg32.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: msimg32.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\building\360project\360sd\branches\beta\Build\x86\WhiteCache.pdb source: loaddll32.exe, 00000000.00000002.1858994541.000000001013D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.000000001013D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.000000001013D000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll String found in binary or memory: http://www.openssl.org/support/faq.html
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001804 0_2_10001804
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000521E 0_2_1000521E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100054A0 0_2_100054A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10008EA3 0_2_10008EA3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100054AB 0_2_100054AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004AF0 0_2_10004AF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004AFE 0_2_10004AFE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004B0E 0_2_10004B0E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004B31 0_2_10004B31
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004F43 0_2_10004F43
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001784 0_2_10001784
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004B8D 0_2_10004B8D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004B98 0_2_10004B98
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100017BB 0_2_100017BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001804 3_2_10001804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000521E 3_2_1000521E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100054A0 3_2_100054A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008EA3 3_2_10008EA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100054AB 3_2_100054AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004AF0 3_2_10004AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004AFE 3_2_10004AFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004B0E 3_2_10004B0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004B31 3_2_10004B31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004F43 3_2_10004F43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001784 3_2_10001784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004B8D 3_2_10004B8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10004B98 3_2_10004B98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100017BB 3_2_100017BB
Source: msimg32.dll Binary or memory string: OriginalFilenameWhiteCache.DLL, vs msimg32.dll
Source: classification engine Classification label: mal48.winDLL@8/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: msimg32.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT filepath FROM BlackCache ORDER BY atime DESC LIMIT 2000%04d-%02d-%02d %02d:%02d:%02dSELECT filepath, mtime, size, atime FROM WhiteCache ORDER BY atime DESC LIMIT 2000COMMITDELETE FROM WhiteCache WHERE atime < datetime('now', '-%d hour', 'localtime')CREATE TABLE IF NOT EXISTS BlackCache (filepath varchar(300) UNIQUE,atime char(255));CREATE TABLE IF NOT EXISTS WhiteCache (filepath varchar(300) UNIQUE,mtime char(255),atime char(255),size INTEGER(8))BEGIN TRANSACTIONwhitecacheINSERT INTO BlackCache(filepath, atime) VALUES ('%q', datetime('now', 'localtime'))DELETE FROM BlackCache WHERE filepath = '%q'DELETE FROM WhiteCacheDELETE FROM WhiteCache WHERE filepath = '%q' UPDATE WhiteCache SET atime = datetime('now', 'localtime') WHERE filepath = '%q'INSERT INTO WhiteCache(filepath, size, mtime, atime) VALUES ('%q', %lld, '%4d-%02d-%02d %2d:%02d:%02d', datetime('now', 'localtime'))list<T> too long
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0BEGIN EXCLUSIVE;PRAGMA vacuum_db.synchronous=OFFATTACH '' AS vacuum_db;cannot VACUUM from within a transactionwin32
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS BlackCache (filepath varchar(300) UNIQUE,atime char(255));
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: loaddll32.exe, 00000000.00000002.1858994541.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1838868667.0000000010119000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1838411799.0000000010119000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\msimg32.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: msimg32.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: msimg32.dll Static file information: File size 2338816 > 1048576
Source: msimg32.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117400
Source: msimg32.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: msimg32.dll Static PE information: real checksum: 0x175e45 should be: 0x23e37f
Source: msimg32.dll Static PE information: section name: .didat
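The report flags the header checksum as stale (stored 0x175e45, expected 0x23e37f). The Python below is added here as a worked example; it is not part of the Joe Sandbox report and not code from the sample. It implements the documented PE checksum algorithm with the standard library only (16-bit ones'-complement sum over the whole file, the CheckSum field itself counted as zero, plus the file length) and classifies a file's CheckSum as absent, valid or invalid. The minimal PE32 DLL image it builds is constructed purely to exercise the code. The caveat a practitioner needs: Windows validates this field only for kernel-mode drivers, and many legitimate user-mode binaries ship with it zeroed, so a zero value means nothing; a nonzero value that does not match, as in this sample, means the bytes changed after the linker computed it (patching, repacking, or a rebuilt resource section), which is corroborating rather than conclusive evidence.

```python
"""Verify the PE OptionalHeader.CheckSum field (added example, stdlib only)."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# Offset of CheckSum inside IMAGE_OPTIONAL_HEADER (identical for PE32/PE32+).
OPTIONAL_HEADER_CHECKSUM_OFFSET = 64


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of OptionalHeader.CheckSum, validating magics."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # PE signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) precede the optional header.
    return e_lfanew + 4 + 20 + OPTIONAL_HEADER_CHECKSUM_OFFSET


def compute_pe_checksum(data: bytes) -> int:
    """Checksum the header should carry for this file content."""
    skip = checksum_field_offset(data)
    padded = data if len(data) % 2 == 0 else data + b"\0"
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue  # the stored CheckSum dword is treated as zero
        (word,) = struct.unpack_from("<H", padded, off)
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_pe_checksum(data: bytes) -> dict:
    """Compare stored and computed checksums.

    status is 'absent' (field is zero, common for user-mode binaries),
    'valid', or 'invalid' (nonzero but stale, as in the analysed sample).
    """
    (stored,) = struct.unpack_from("<I", data, checksum_field_offset(data))
    computed = compute_pe_checksum(data)
    if stored == 0:
        status = "absent"
    elif stored == computed:
        status = "valid"
    else:
        status = "invalid"
    return {"stored": stored, "computed": computed, "status": status}


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of data with the CheckSum field set to value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 DLL image: headers plus one .text section."""
    e_lfanew = 0x80
    buf = bytearray(0x200)  # SizeOfHeaders; section data follows at 0x200
    buf[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)             # Magic: PE32
    struct.pack_into("<I", buf, opt + 28, 0x10000000)   # ImageBase
    struct.pack_into("<I", buf, opt + 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", buf, opt + 36, 0x200)        # FileAlignment
    struct.pack_into("<I", buf, opt + 56, 0x2000)       # SizeOfImage
    struct.pack_into("<I", buf, opt + 60, 0x200)        # SizeOfHeaders
    # CheckSum at opt + 64 is left zero here; with_checksum() fills it in.
    sect = opt + 0xE0  # first IMAGE_SECTION_HEADER: CODE | EXECUTE | READ
    struct.pack_into("<8sIIIIIIHHI", buf, sect, b".text", 0x200, 0x1000,
                     0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret 0Ch (a stub DllMain)
    text = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC2, 0x0C, 0x00])
    return bytes(buf) + text.ljust(0x200, b"\0")


def demo() -> dict:
    """Exercise the three outcomes on the constructed image."""
    unsigned = build_sample_pe()
    linked = with_checksum(unsigned, compute_pe_checksum(unsigned))
    tampered = bytearray(linked)
    tampered[0x200] ^= 0xFF  # modify one code byte after the checksum was set
    return {
        "unsigned": verify_pe_checksum(unsigned)["status"],
        "linked": verify_pe_checksum(linked)["status"],
        "tampered": verify_pe_checksum(bytes(tampered))["status"],
    }


if __name__ == "__main__":
    print(demo())
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `verify_pe_checksum`; the returned `stored` and `computed` values correspond to the report's "real checksum" and "should be" figures.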
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100AE25B push ecx; ret 0_2_100AE26E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007B8B push 8DCB8153h; retf 0000h 0_2_10007B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100AE25B push ecx; ret 3_2_100AE26E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007B8B push 8DCB8153h; retf 0000h 3_2_10007B90
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 9.1 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 9.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
No contacted IP infos