
Windows Analysis Report
wlbsctrl.dll

Overview

General Information

Sample Name: wlbsctrl.dll
Analysis ID: 651262
MD5: 8b2356cc4b0a382e79dcd4a844839e91
SHA1: ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256: 1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to detect sleep reduction / modifications
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
  • System is w10x64
  • loaddll64.exe (PID: 5068 cmdline: loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 3352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5828 cmdline: rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: wlbsctrl.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\lemmy\Desktop\shellcodeless\syscall-xll-SecMods\x64\DLL\WhackAMole.pdb | source: loaddll64.exe, 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.276464539.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmp, wlbsctrl.dll
Source: C:\Windows\System32\loaddll64.exe | Code function: 4x nop then dec eax | 1_2_000002DCB240B7BA
Source: C:\Windows\System32\rundll32.exe | Code function: 4x nop then dec eax | 4_2_00000220E1E8B7BA
Source: wlbsctrl.dll | Binary or memory string: OriginalFilename Officev1 vs wlbsctrl.dll
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E102D
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E1140
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000002DCB241398A
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000002DCB24193DA
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000002DCB240C0CA
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000002DCB241B46A
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000220E1E993DA
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000220E1E9398A
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000220E1E8C0CA
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000220E1E9B46A
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E1140 | GetModuleHandleA, memset, GetCurrentProcess, NtAddBootEntry, NtAddBootEntry, NtAddBootEntry, NtAddBootEntry, CloseHandle
Source: wlbsctrl.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: classification engine | Classification label: sus26.evad.winDLL@5/0@0/0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E2B00 | GetTickCount, Sleep, GetCursorPos, Sleep, GetCursorPos, GetDiskFreeSpaceExA, GetModuleHandleA, GetProcAddress, GlobalMemoryStatusEx, K32EnumProcesses, EnumProcesses, Sleep
Source: wlbsctrl.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wlbsctrl.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000002DCB2422850 | push ecx; retf 003Fh | 1_2_000002DCB24228B0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000220E1EA2850 | push ecx; retf 003Fh | 4_2_00000220E1EA28B0
Source: wlbsctrl.dll | Static PE information: section name: .00cfg
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E11F9
Source: C:\Windows\System32\loaddll64.exe | TID: 2324 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E2B00 | GetTickCount, Sleep, GetCursorPos, Sleep, GetCursorPos, GetDiskFreeSpaceExA, GetModuleHandleA, GetProcAddress, GlobalMemoryStatusEx, K32EnumProcesses, EnumProcesses, Sleep
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E1219 | GetCursorPos, Sleep, GetCursorPos, IsProcessorFeaturePresent, capture_current_context
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E11EA | IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFF00E5094 | GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the hit count shown in the matrix cell)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection (11), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Rundll32 (1), Virtualization/Sandbox Evasion (12), Process Injection (11), Obfuscated Files or Information (2), Software Packing, Steganography
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (13), Process Discovery (1), Virtualization/Sandbox Evasion (12), Application Window Discovery (1), System Information Discovery (3)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: Modify System Partition, Device Lockout, Delete Device Data

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 651262 | Sample: wlbsctrl.dll | Startdate: 23/06/2022 | Architecture: WINDOWS | Score: 26

  • loaddll64.exe started (signature: Contains functionality to detect sleep reduction / modifications)
    • cmd.exe started
      • rundll32.exe started