Edit tour

Windows Analysis Report
wlbsctrl.dll

Overview

General Information

Sample Name:	wlbsctrl.dll
Analysis ID:	651262
MD5:	8b2356cc4b0a382e79dcd4a844839e91
SHA1:	ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256:	1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to detect sleep reduction / modifications

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to call native functions

Contains functionality to detect sandboxes (mouse cursor move detection)

May check if the current machine is a sandbox (GetTickCount - Sleep)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample may be VM or Sandbox-aware, try analysis on a native machine

Process Tree

System is w10x64

loaddll64.exe (PID: 5068 cmdline: loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 3352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5828 cmdline: rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: wlbsctrl.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\lemmy\Desktop\shellcodeless\syscall-xll-SecMods\x64\DLL\WhackAMole.pdb source: loaddll64.exe, 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.276464539.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmp, wlbsctrl.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 4x nop then dec eax		1_2_000002DCB240B7BA
Source: C:\Windows\System32\rundll32.exe	Code function: 4x nop then dec eax		4_2_00000220E1E8B7BA

Source: wlbsctrl.dll

Binary or memory string: OriginalFilenameOfficev1 vs wlbsctrl.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFFF00E102D	1_2_00007FFFF00E102D
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_00007FFFF00E1140	1_2_00007FFFF00E1140
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000002DCB241398A	1_2_000002DCB241398A
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000002DCB24193DA	1_2_000002DCB24193DA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000002DCB240C0CA	1_2_000002DCB240C0CA
Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000002DCB241B46A	1_2_000002DCB241B46A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000220E1E993DA	4_2_00000220E1E993DA
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000220E1E9398A	4_2_00000220E1E9398A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000220E1E8C0CA	4_2_00000220E1E8C0CA
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000220E1E9B46A	4_2_00000220E1E9B46A

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFFF00E1140 GetModuleHandleA,memset,GetCurrentProcess,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,CloseHandle,

1_2_00007FFFF00E1140

Source: wlbsctrl.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1	Jump to behavior

Source: classification engine

Classification label: sus26.evad.winDLL@5/0@0/0

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFFF00E2B00 GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep,

1_2_00007FFFF00E2B00

Source: wlbsctrl.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wlbsctrl.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: wlbsctrl.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Windows\System32\loaddll64.exe	Code function: 1_2_000002DCB2422850 push ecx; retf 003Fh		1_2_000002DCB24228B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000220E1EA2850 push ecx; retf 003Fh		4_2_00000220E1EA28B0

Source: wlbsctrl.dll

Static PE information: section name: .00cfg

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFFF00E11F9

1_2_00007FFFF00E11F9

Source: C:\Windows\System32\loaddll64.exe TID: 2324

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep,		1_2_00007FFFF00E2B00
Source: C:\Windows\System32\loaddll64.exe	Code function: GetCursorPos,Sleep,GetCursorPos,IsProcessorFeaturePresent,capture_current_context,		1_2_00007FFFF00E1219

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFFF00E11F9

1_2_00007FFFF00E11F9

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFFF00E11EA IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FFFF00E11EA

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

1_2_00007FFFF00E11EA

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 1_2_00007FFFF00E5094 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FFFF00E5094

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Virtualization/Sandbox Evasion	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	651262
Start date and time: 23/06/202218:03:50	2022-06-23 18:03:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wlbsctrl.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus26.evad.winDLL@5/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 19.6% (good quality ratio 3.5%) Quality average: 13.8% Quality standard deviation: 31.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, time.windows.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:05:07	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	2.301165268606333
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	wlbsctrl.dll
File size:	775168
MD5:	8b2356cc4b0a382e79dcd4a844839e91
SHA1:	ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256:	1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2
SHA512:	273c11f50ce23d01108c7edf484f10fc7d318cd89fcc51baf7f2721f1655340b0167214498f5e08a9e7fdae9e656f6f516a7eff7a25e7151e1f0ea5fc5d71ba0
SSDEEP:	12288:FjwnXutNmopfRYxaKHFiPTLJsaVHct37frld/ibWcccccccccI6gRThD:
TLSH:	59F4B75A0823D211D8244C3196377AC66F1672E9776C27D3F6A92FA2C1390C1AD77F3A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{Fv.(Fv.(Fv.(O.k(Bv.(...)Dv.(R..)Cv.(Fv.(pv.(...)Jv.(...)Nv.(...)Bv.(...)Gv.(...(Gv.(Fvo(Gv.(...)Gv.(RichFv.(...............

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x18000100a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x62ACC1D8 [Fri Jun 17 18:03:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	05dcd6eab6e64f86dc1e816425be7b14

Entrypoint Preview

Instruction
jmp 00007F7328B01BB2h
jmp 00007F7328B02099h
jmp 00007F7328B00C2Ch
jmp 00007F7328B02107h
jmp 00007F7328B00DF2h
jmp 00007F7328B02925h
jmp 00007F7328B02B44h
jmp 00007F7328AFFA93h
jmp 00007F7328B02342h
jmp 00007F7328B020EDh
jmp 00007F7328B05F64h
jmp 00007F7328B02B23h
jmp 00007F7328B02B32h
jmp 00007F7328B00B35h
jmp 00007F7328B05F30h
jmp 00007F7328B03D6Bh
jmp 00007F7328B01122h
jmp 00007F7328B05FA1h
jmp 00007F7328B0169Ch
jmp 00007F7328B028BBh
jmp 00007F7328B02B02h
jmp 00007F7328B0220Dh
jmp 00007F7328B03D28h
jmp 00007F7328B015F3h
jmp 00007F7328B02AE6h
jmp 00007F7328B05FD9h
jmp 00007F7328B00F1Ch
jmp 00007F7328B014D7h
jmp 00007F7328B05E8Ah
jmp 00007F7328B023F9h
jmp 00007F7328B02AD4h
jmp 00007F7328B02007h
jmp 00007F7328B05E26h
jmp 00007F7328B01FF9h
jmp 00007F7328B0225Ch
jmp 00007F7328B00467h
jmp 00007F7328B05FC2h
jmp 00007F7328B02069h
jmp 00007F7328B00C6Ch
jmp 00007F7328AFF7A3h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe3b0	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc1000	0x890	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xbd000	0x420	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0x40	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xab64	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb0a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xaba0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xbe000	0x3b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89b5	0x8a00	False	0.24363111413043478	data	3.5100227973693183	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x1f62	0x2000	False	0.1304931640625	data	1.5044615193257005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xb0539	0xafe00	False	0.1482459355010661	data	2.016608344146886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xbd000	0x5ac	0x600	False	0.3919270833333333	data	3.213440260810703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0xbe000	0xe3d	0x1000	False	0.23828125	data	3.0459227597586005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xbf000	0x309	0x400	False	0.021484375	data	0.011173818721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0xc0000	0x151	0x200	False	0.0546875	data	0.330964730370671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc1000	0x890	0xa00	False	0.2640625	data	2.6030848233720585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0x1f1	0x200	False	0.14453125	data	0.7368777605793444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc11c0	0x354	data	English	United States
RT_MANIFEST	0xc1518	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, GetDiskFreeSpaceExA, CloseHandle, Sleep, GetCurrentProcess, GetTickCount, GetModuleHandleA, GetProcAddress, CreateFileMappingA, K32EnumProcesses, K32GetModuleInformation, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	GetCursorPos
VCRUNTIME140.dll	memset, __C_specific_handler, __current_exception, __current_exception_context, __std_type_info_destroy_list
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __stdio_common_vfprintf
api-ms-win-crt-runtime-l1-1-0.dll	terminate, _initterm_e, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _crt_at_quick_exit, _cexit, _initterm

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 5068, Parent PID: 3892

General

Target ID:	1
Start time:	18:04:53
Start date:	23/06/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Imagebase:	0x7ff7eaf20000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3352, Parent PID: 5068

General

Target ID:	3
Start time:	18:04:53
Start date:	23/06/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Imagebase:	0x7ff7bb450000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5828, Parent PID: 3352

General

Target ID:	4
Start time:	18:04:54
Start date:	23/06/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Imagebase:	0x7ff745220000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll64.exePID: 5068, Parent PID: 3892COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	23.2%
Signature Coverage:	16.8%
Total number of Nodes:	185
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFFF00E2B00 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 127
sleeplibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00007FFFF00E2B2A
Sleep.KERNEL32 ref: 00007FFFF00E2B37
GetCursorPos.USER32 ref: 00007FFFF00E2B64
Sleep.KERNEL32 ref: 00007FFFF00E2B6F
GetCursorPos.USER32 ref: 00007FFFF00E2B7A
GetDiskFreeSpaceExA.KERNEL32 ref: 00007FFFF00E2BA7
GetModuleHandleA.KERNEL32 ref: 00007FFFF00E2C24
GetProcAddress.KERNEL32 ref: 00007FFFF00E2C77
GlobalMemoryStatusEx.KERNELBASE ref: 00007FFFF00E2C89
K32EnumProcesses.KERNEL32 ref: 00007FFFF00E2CB4
Sleep.KERNEL32 ref: 00007FFFF00E2CD7

Strings

@, xrefs: 00007FFFF00E2BD2
C:\, xrefs: 00007FFFF00E2BA0

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: Sleep$Cursor$AddressCountDiskEnumFreeGlobalHandleMemoryModuleProcProcessesSpaceStatusTick
String ID: @$C:\
API String ID: 1094001007-2217305858
Opcode ID: bf23feac25fa6789cfb7cb4e4c0ad847f7ba566056215651666ce38ee523ffbb
Instruction ID: ab55ec66915afdcde04eae2c897f8694e90fba9fc9211581a58cf034f692c751
Opcode Fuzzy Hash: bf23feac25fa6789cfb7cb4e4c0ad847f7ba566056215651666ce38ee523ffbb
Instruction Fuzzy Hash: 1C51D432E0868686FB108B61E4943BE67E1FB84794F580231EA6E937D9CF7CE548C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E102D Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 303
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00007FFFF00E244F
CreateFileMappingA.KERNEL32 ref: 00007FFFF00E2471
GetModuleHandleA.KERNEL32 ref: 00007FFFF00E24C4
GetProcAddress.KERNEL32 ref: 00007FFFF00E2517
MapViewOfFile.KERNELBASE ref: 00007FFFF00E2536
GetModuleHandleA.KERNEL32 ref: 00007FFFF00E2719
CloseHandle.KERNEL32 ref: 00007FFFF00E27C0

Strings

NtCreateThreadEx, xrefs: 00007FFFF00E25C7
ntdll.dll, xrefs: 00007FFFF00E2712

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: FileHandle$CreateModule$AddressCloseMappingProcView
String ID: NtCreateThreadEx$ntdll.dll
API String ID: 2780192746-690569937
Opcode ID: a20f02d3871e444d9c41e9ea417fa4be42467ff58e261095a7fe092d24706668
Instruction ID: b0807a0c186d33cd1c86e144b6653c5ec75499627aee183e8bea7f790e31c747
Opcode Fuzzy Hash: a20f02d3871e444d9c41e9ea417fa4be42467ff58e261095a7fe092d24706668
Instruction Fuzzy Hash: 1CD1F422E0D6C686F710CB26E9A46BA6BD0BB41BD8F444335DA7D177DADE6CE108C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E1140 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 191
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFFF00E309B
memset.VCRUNTIME140 ref: 00007FFFF00E3112
GetCurrentProcess.KERNEL32 ref: 00007FFFF00E31B3
NtAddBootEntry.NTDLL ref: 00007FFFF00E31E9
NtAddBootEntry.NTDLL ref: 00007FFFF00E323D
NtAddBootEntry.NTDLL ref: 00007FFFF00E3289
NtAddBootEntry.NTDLL ref: 00007FFFF00E32BD
CloseHandle.KERNEL32 ref: 00007FFFF00E32C7

Strings

ntdll.dll, xrefs: 00007FFFF00E3094

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: BootEntry$Handle$CloseCurrentModuleProcessmemset
String ID: ntdll.dll
API String ID: 3873965561-2227199552
Opcode ID: 8ec1fb59fc83e3fbd599cd93e82e9b1dc2d926dcafa1658c45c0997bf7e50469
Instruction ID: 4e6d0aec2f20f6e80bac6c732366d5884c652106b14cf92b20110f8a2bd4639c
Opcode Fuzzy Hash: 8ec1fb59fc83e3fbd599cd93e82e9b1dc2d926dcafa1658c45c0997bf7e50469
Instruction Fuzzy Hash: E3A15031E09B8685F7608F64E9942A97BE4FB44B98F440239DAAD57BE9CF3CE145C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E3AD4 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 204
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFFF00E3AEA
GetModuleHandleW.KERNEL32 ref: 00007FFFF00E3AF7
GetModuleHandleW.KERNEL32 ref: 00007FFFF00E3B0C
GetProcAddress.KERNEL32 ref: 00007FFFF00E3B24
GetProcAddress.KERNEL32 ref: 00007FFFF00E3B37
CreateEventW.KERNEL32 ref: 00007FFFF00E3B63
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFFF00E3BEE
GetModuleHandleW.KERNEL32 ref: 00007FFFF00E3BFB
GetModuleHandleW.KERNEL32 ref: 00007FFFF00E3C10
GetProcAddress.KERNEL32 ref: 00007FFFF00E3C28
GetProcAddress.KERNEL32 ref: 00007FFFF00E3C3B
CreateEventW.KERNEL32 ref: 00007FFFF00E3C70
DeleteCriticalSection.KERNEL32 ref: 00007FFFF00E3CC7
CloseHandle.KERNEL32 ref: 00007FFFF00E3CD9

Strings

kernel32.dll, xrefs: 00007FFFF00E3B05, 00007FFFF00E3C09
WakeAllConditionVariable, xrefs: 00007FFFF00E3B2A, 00007FFFF00E3C2E
SleepConditionVariableCS, xrefs: 00007FFFF00E3B1A, 00007FFFF00E3C1E
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FFFF00E3AF0, 00007FFFF00E3BF4

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: Handle$AddressModuleProc$CriticalSection$CountCreateEventInitializeSpin$CloseDelete
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 251140187-3242537097
Opcode ID: 9849fdbbacffd081f93dd195d024c6097c9f37e40ccc457ff2f290fb4760c6ba
Instruction ID: 1cf7dd0f66f4c8a0493a8d4a2a1923be78b77a5f5b27a619f755729822a69c9c
Opcode Fuzzy Hash: 9849fdbbacffd081f93dd195d024c6097c9f37e40ccc457ff2f290fb4760c6ba
Instruction Fuzzy Hash: 74414D20F19A0791FB549F10FA9967567E2AF48788F580635DA3E127E9EF6CF4488300

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB240B1D6 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 198
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002DCB240B2DF
GetComputerNameExW.KERNELBASE ref: 000002DCB240B332
NetWkstaGetInfo.NETAPI32 ref: 000002DCB240B3B7

Strings

a, xrefs: 000002DCB240B2A0
t, xrefs: 000002DCB240B29B
i, xrefs: 000002DCB240B2AA
e, xrefs: 000002DCB240B296
2, xrefs: 000002DCB240B2B4
3, xrefs: 000002DCB240B2AF
l, xrefs: 000002DCB240B2C8
., xrefs: 000002DCB240B2B9
p, xrefs: 000002DCB240B2A5
n, xrefs: 000002DCB240B291
l, xrefs: 000002DCB240B2C3
d, xrefs: 000002DCB240B2BE

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID: ComputerInfoLibraryLoadNameWksta
String ID: .$2$3$a$d$e$i$l$l$n$p$t
API String ID: 3393981993-1206877643
Opcode ID: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
Instruction ID: f469caa897da0e7bdf930100cdeb37dee7cd548662f9c8266b2d218218b39535
Opcode Fuzzy Hash: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
Instruction Fuzzy Hash: 9D811B3011C7848FE364DB18C04975BFBE6FBA9308F64495EE089C76A9CBB5D985CB06

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB240BC3A Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 370
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002DCB240BFBD

Strings

v, xrefs: 000002DCB240BF90
i, xrefs: 000002DCB240BF9F
a, xrefs: 000002DCB240BF95
3, xrefs: 000002DCB240BFA4
a, xrefs: 000002DCB240BF86
d, xrefs: 000002DCB240BF8B
p, xrefs: 000002DCB240BF9A
2, xrefs: 000002DCB240BFA9

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID: LibraryLoad
String ID: 2$3$a$a$d$i$p$v
API String ID: 1029625771-1673513319
Opcode ID: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
Instruction ID: bb407f8c006e65cad1aaacf094d55619b722115f5d1bd05e0a659562c9efc120
Opcode Fuzzy Hash: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
Instruction Fuzzy Hash: EDE1D93491CE888FD794EB28C089B1AB7E5FB99304F60495EB199C72A5C775D882CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E2140 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00007FFF7FFFF00E2140(void* __ecx, void* __edx, void* __eflags, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, char _a8, intOrPtr _a16, long long _a24, long long _a32) {
				char _v40;
				void* __rdi;
				signed char _t35;
				signed char _t38;
				signed char _t40;
				void* _t42;
				int _t45;
				void* _t71;
				unsigned long long _t73;
				unsigned long long _t75;
				unsigned long long _t77;
				unsigned long long _t97;
				unsigned long long _t98;
				unsigned long long _t100;
				char* _t109;
				void* _t110;
				void* _t112;
				unsigned long long _t113;
				unsigned long long _t114;

				_t71 = __rax;
				_a24 = __rbx;
				_a32 = __rsi;
				_t35 = E00007FFF7FFFF00E17A0( &_a8, __rdx);
				_t112 = _t71;
				if ( *((char*)(_t71 + 0xd)) == 0) goto 0xf00e21a2;
				r8d = 0;
				asm("o16 nop [eax+eax]");
				_t73 = 0x1b4949a3 >> (r8b & 7) << 3;
				 *(__r8 + _t112) =  *(__r8 + _t112) ^ _t35;
				if (__r8 + 1 - 0xd < 0) goto 0xf00e2180;
				 *((char*)(_t112 + 0xd)) = 0;
				GetModuleHandleA(??);
				GetCurrentProcess();
				r9d = 0x18;
				_t109 =  &_v40;
				0xf00e532c(); // executed
				_t38 = E00007FFF7FFFF00E1E50( &_a8, _t73);
				_t113 = _t73;
				if ( *((char*)(_t73 + 0xf)) == 0) goto 0xf00e2212;
				r8d = 0;
				asm("o16 nop [eax+eax]");
				_t75 = 0x9f9f81c5 >> (r8b & 7) << 3;
				 *(_t109 + _t113) =  *(_t109 + _t113) ^ _t38;
				_t110 = _t109 + 1;
				if (_t110 - 0xf < 0) goto 0xf00e21f0;
				 *((char*)(_t113 + 0xf)) = 0;
				GetProcAddress(??, ??);
				 *0xf019bd10 = _t75;
				_t40 = E00007FFF7FFFF00E1C60( &_a8, _t113);
				_t114 = _t75;
				if ( *((char*)(_t75 + 0xd)) == 0) goto 0xf00e2272;
				r8d = 0;
				asm("o16 nop [eax+eax]");
				_t77 = 0x6f49fdeb >> (r8b & 7) << 3;
				 *(_t110 + _t114) =  *(_t110 + _t114) ^ _t40;
				if (_t110 + 1 - 0xd < 0) goto 0xf00e2250;
				 *((char*)(_t114 + 0xd)) = 0;
				_t97 = _t114;
				GetProcAddress(??, ??);
				 *0xf019bd18 = _t77;
				r8d = 0x3000;
				_a8 = 0xc3e3ff41;
				_t20 = _t97 - 0x60; // 0x4, executed
				r9d = _t20;
				_t42 = VirtualAlloc(??, ??, ??, ??); // executed
				_t98 = _t77;
				_t100 = _t77;
				E00007FFF7FFFF00E1109(_t42, 0, _t77, 0xf00ea9a4, _t98, _t100);
				 *_t100 =  *__rcx;
				 *((short*)(_t100 + 4)) =  *(__rcx + 4) & 0x0000ffff;
				 *((char*)(_t100 + 6)) =  *(__rcx + 6) & 0x000000ff;
				_t26 = _t98 - 0x44; // 0x20
				r8d = _t26;
				 *((short*)(_t100 + 7)) = 0x4900;
				 *((char*)(_t100 + 9)) = 0xbb;
				 *((intOrPtr*)(_t100 + 0x12)) = _a8;
				 *((long long*)(_t100 + 0xa)) =  *0xf019bd00 + __rdx;
				_a16 = 0;
				_t45 = VirtualProtect(??, ??, ??, ??); // executed
				return _t45;
			}

0x7ffff00e2140
0x7ffff00e2140
0x7ffff00e2145
0x7ffff00e215a
0x7ffff00e215f
0x7ffff00e2166
0x7ffff00e2168
0x7ffff00e2175
0x7ffff00e218d
0x7ffff00e2190
0x7ffff00e219b
0x7ffff00e219d
0x7ffff00e21a5
0x7ffff00e21ae
0x7ffff00e21b4
0x7ffff00e21ba
0x7ffff00e21c5
0x7ffff00e21cf
0x7ffff00e21d4
0x7ffff00e21db
0x7ffff00e21dd
0x7ffff00e21ea
0x7ffff00e21fd
0x7ffff00e2200
0x7ffff00e2204
0x7ffff00e220b
0x7ffff00e220d
0x7ffff00e2218
0x7ffff00e2223
0x7ffff00e222a
0x7ffff00e222f
0x7ffff00e2236
0x7ffff00e2238
0x7ffff00e2245
0x7ffff00e225d
0x7ffff00e2260
0x7ffff00e226b
0x7ffff00e226d
0x7ffff00e2272
0x7ffff00e2278
0x7ffff00e228c
0x7ffff00e2293
0x7ffff00e2299
0x7ffff00e22a4
0x7ffff00e22a4
0x7ffff00e22a8
0x7ffff00e22aa
0x7ffff00e22b4
0x7ffff00e22b7
0x7ffff00e22c3
0x7ffff00e22ce
0x7ffff00e22d6
0x7ffff00e22d9
0x7ffff00e22d9
0x7ffff00e22dd
0x7ffff00e22e6
0x7ffff00e22ee
0x7ffff00e22f1
0x7ffff00e22f5
0x7ffff00e22fd
0x7ffff00e2315

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFFF00E21A5
GetCurrentProcess.KERNEL32 ref: 00007FFFF00E21AE
K32GetModuleInformation.KERNEL32 ref: 00007FFFF00E21C5
GetProcAddress.KERNEL32 ref: 00007FFFF00E2218
GetProcAddress.KERNEL32 ref: 00007FFFF00E2278
VirtualAlloc.KERNELBASE ref: 00007FFFF00E22A8
VirtualProtect.KERNELBASE ref: 00007FFFF00E22FD

Strings

%p, xrefs: 00007FFFF00E22AD

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: AddressModuleProcVirtual$AllocCurrentHandleInformationProcessProtect
String ID: %p
API String ID: 3934800070-3072491283
Opcode ID: e6e2722ae6fc6a8f1b979f5f3329be49983f528aa590691acc1b6b3cb0427b5b
Instruction ID: 835d804702162630a1b0db0cac9081730088dcd58509a1d5d96454122ba7ae92
Opcode Fuzzy Hash: e6e2722ae6fc6a8f1b979f5f3329be49983f528aa590691acc1b6b3cb0427b5b
Instruction Fuzzy Hash: 2C411322A0878683F7148B56E4547AEBBE0FB45BC4F088235EB6D13BD5CA7CE114C740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000002DCB240C0CA Relevance: 32.3, Strings: 25, Instructions: 1047COMMON

Download Yara Rule

Strings

Cach, xrefs: 000002DCB240C1D1
GetN, xrefs: 000002DCB240C1D8
ct, xrefs: 000002DCB240C1AE
onTa, xrefs: 000002DCB240C215
hIns, xrefs: 000002DCB240C1BC
ualP, xrefs: 000002DCB240C19E
Load, xrefs: 000002DCB240C166
Virt, xrefs: 000002DCB240C196
ddFu, xrefs: 000002DCB240C207
Flus, xrefs: 000002DCB240C1B5
ualA, xrefs: 000002DCB240C186
rote, xrefs: 000002DCB240C1A6
temI, xrefs: 000002DCB240C1EF
eSys, xrefs: 000002DCB240C1E8
ncti, xrefs: 000002DCB240C20E
Libr, xrefs: 000002DCB240C16E
tion, xrefs: 000002DCB240C1CA
ativ, xrefs: 000002DCB240C1E0
RtlA, xrefs: 000002DCB240C200
Slee, xrefs: 000002DCB240C159
Virt, xrefs: 000002DCB240C17E
aryA, xrefs: 000002DCB240C176
lloc, xrefs: 000002DCB240C18E
truc, xrefs: 000002DCB240C1C3
p, xrefs: 000002DCB240C161

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID:
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$onTa$p$rote$temI$tion$truc$ualA$ualP
API String ID: 0-924545899
Opcode ID: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
Instruction ID: 84293f268abfe6748396e0cdcdb48048892ac4591eee676677c22d465a8cad70
Opcode Fuzzy Hash: ba67eb782131c3f065ce6fb0f8a316021b757953efe746a7c66d5e51c776329b
Instruction Fuzzy Hash: F072C431614A0A8BE718DF18C88A77BF7E5FB55305F24822FD88AC3655DB34D886CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E11EA Relevance: 13.6, APIs: 9, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFFF00E4724
memset.VCRUNTIME140 ref: 00007FFFF00E4748
RtlCaptureContext.KERNEL32 ref: 00007FFFF00E4751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFFF00E476B
RtlVirtualUnwind.KERNEL32 ref: 00007FFFF00E47AC
memset.VCRUNTIME140 ref: 00007FFFF00E47DF
IsDebuggerPresent.KERNEL32 ref: 00007FFFF00E4800
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFF00E4821
UnhandledExceptionFilter.KERNEL32 ref: 00007FFFF00E482C

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 2c738ed967bc5df8c1013ba23ad59abb648def6edd02a07e1447defbd1282bbc
Instruction ID: 64d88d1732015a3b51611d1adf1b3de5f1627c72ceeb44db268e86d4fd6b4015
Opcode Fuzzy Hash: 2c738ed967bc5df8c1013ba23ad59abb648def6edd02a07e1447defbd1282bbc
Instruction Fuzzy Hash: AC315C72B09B8289EB608F60E8807EE63A1FB84748F444539DA9E57BD8DF78D548C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E1219 Relevance: 7.6, APIs: 5, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32 ref: 00007FFFF00E2D99
Sleep.KERNEL32 ref: 00007FFFF00E2DA4
GetCursorPos.USER32 ref: 00007FFFF00E2DAF
IsProcessorFeaturePresent.KERNEL32 ref: 00007FFFF00E4E3E
capture_current_context.LIBCMT ref: 00007FFFF00E4E57

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: Cursor$FeaturePresentProcessorSleepcapture_current_context
String ID:
API String ID: 1686489235-0
Opcode ID: 615716072627917ba3ce45cd08dde62bfdf5f9842916c67441e716f792528eab
Instruction ID: c49ecb8fb879618066074b098e0d4b24676af6571c1d6b8d03d7845bfd724014
Opcode Fuzzy Hash: 615716072627917ba3ce45cd08dde62bfdf5f9842916c67441e716f792528eab
Instruction Fuzzy Hash: C541EB72E1C646CBE750CF14E88026A77E1FB84748F500235E6AE827A9DF7DE9858B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E11F9 Relevance: 4.5, APIs: 3, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FFFF00E2E56
Sleep.KERNEL32 ref: 00007FFFF00E2E63
GetTickCount.KERNEL32 ref: 00007FFFF00E2E69

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: ffafef7f60f6108d52e334d56fbdad7ae5ddcc298aed7986da1fda1fb18b02a0
Instruction ID: 663a1740020d95ee517cfdfccdf4485e4a52a0938817d4822794f37a3dde8c9b
Opcode Fuzzy Hash: ffafef7f60f6108d52e334d56fbdad7ae5ddcc298aed7986da1fda1fb18b02a0
Instruction Fuzzy Hash: 77D09E65F5454253FB181FB4D8DA17A12D29F0C725F180134E52B953D1CD6CA5D99620

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB241B46A Relevance: 1.8, APIs: 1, Instructions: 326COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000002DCB241B6B9

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 4f3d86407dd9789fcda393b78ce5ac7fd63888f80a1eb3623365494ce4a13953
Instruction ID: e5de6192cc269acf74fabd62a05a79b4198dca9f907d9ad557477418c9b8fd5a
Opcode Fuzzy Hash: 4f3d86407dd9789fcda393b78ce5ac7fd63888f80a1eb3623365494ce4a13953
Instruction Fuzzy Hash: 33C14D30510A4E8FEB99CF1CC88AB55B7E0FB56309F24859AE859CB6A9C375DC52CF01

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB24193DA Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed34afde64f4defd51681823c72b705d98dd479eeb089942ec1be46fd4c04c2d
Instruction ID: d26957d136dedabf4228000b8387d76cc16e7ad7d053f1df78b8cc313e6a2eb0
Opcode Fuzzy Hash: ed34afde64f4defd51681823c72b705d98dd479eeb089942ec1be46fd4c04c2d
Instruction Fuzzy Hash: 32F14530A58A4D4FD719DF58C4896E9FBE1FB96305F24822FD48BC719ADA30D906CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB241398A Relevance: .2, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541710f845fd4202dd23b37e000bb6fe77ecd75944506428e97748b45ea3ae15
Instruction ID: a07da31f3efc3aefe263f09acb6dea44447b244b6f2a5b05379c9ad8b29feb3c
Opcode Fuzzy Hash: 541710f845fd4202dd23b37e000bb6fe77ecd75944506428e97748b45ea3ae15
Instruction Fuzzy Hash: 56511132318E094FDB1CEE6CD489675B7D2E7AD315B14822FE40AD72AADA34DC468781

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB240B7BA Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a045b2f751b5460fa633a29ece8ebdd46b3de0df5ba9f12dd207b5748212fe94
Instruction ID: 9fc5cde7f8068da52568cd1be201c1dcec334b9effa6132ba0436e27c3176691
Opcode Fuzzy Hash: a045b2f751b5460fa633a29ece8ebdd46b3de0df5ba9f12dd207b5748212fe94
Instruction Fuzzy Hash: 0A31B430518A498FEB94EF18C089B2AF7E1FB99345F54591AF488D36A8D774D8C0CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB240F016 Relevance: 19.8, APIs: 13, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002DCB240F03E
__scrt_acquire_startup_lock.LIBCMT ref: 000002DCB240F0A4
_RTC_Initialize.LIBCMT ref: 000002DCB240F0D2
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 000002DCB240F0DC
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002DCB240F0F8
__scrt_release_startup_lock.LIBCMT ref: 000002DCB240F123
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 000002DCB240F142
__scrt_fastfail.LIBCMT ref: 000002DCB240F178
__scrt_acquire_startup_lock.LIBCMT ref: 000002DCB240F1BA
_RTC_Initialize.LIBCMT ref: 000002DCB240F1D9
__scrt_release_startup_lock.LIBCMT ref: 000002DCB240F1EC
__scrt_uninitialize_crt.LIBCMT ref: 000002DCB240F1F6
__scrt_fastfail.LIBCMT ref: 000002DCB240F209

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
String ID:
API String ID: 1988982384-0
Opcode ID: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
Instruction ID: 54f9a149d804e9e50c64f81f365899c64fd0fadb393f4da46782d4f4a58e8c3c
Opcode Fuzzy Hash: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
Instruction Fuzzy Hash: C891F830714A034BF794AB68984BB5BF2D9E75A308F65852BE405C769ADE34CC81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB241C482 Relevance: 9.2, APIs: 6, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000002DCB241C4DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000002DCB241C543
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000002DCB241C5A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000002DCB241C60B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000002DCB241C66F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000002DCB241C6D3

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
Instruction ID: 224b8a2abe1105c55e76e7685b39d2c56382ea7fb8377de0d6b7855a88abe6b4
Opcode Fuzzy Hash: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
Instruction Fuzzy Hash: B761D720564C4E4AFB09F738ED4EBA9B791F399309FA0C617D045C29E9E93D99C0CB09

Uniqueness

Uniqueness Score: -1.00%

Function 000002DCB2411FDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002DCB2410866: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 000002DCB241086A

__DestructExceptionObject.LIBVCRUNTIME ref: 000002DCB2412004
__DestructExceptionObject.LIBVCRUNTIME ref: 000002DCB241208E

Strings

csm, xrefs: 000002DCB2412061

Memory Dump Source

Source File: 00000001.00000002.266382312.000002DCB240B000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DCB240B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2dcb240b000_loaddll64.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
Instruction ID: 5cf4ccf9b12e518ea1fde8206c5645c9fb403b454bf19996554117f370ad10e3
Opcode Fuzzy Hash: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
Instruction Fuzzy Hash: 3E316F30158B158FE764EF18C486B5ABBE1FB99319F20561ED48AC3696C731EC41CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF00E1127 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFFF00E2F04
GetProcAddress.KERNEL32 ref: 00007FFFF00E2F57

Strings

@, xrefs: 00007FFFF00E2EB1

Memory Dump Source

Source File: 00000001.00000002.267988196.00007FFFF00E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF00E0000, based on PE: true

Associated: 00000001.00000002.267975714.00007FFFF00E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268156670.00007FFFF00E7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268351744.00007FFFF00EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.268379197.00007FFFF00EC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272243206.00007FFFF016C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272295089.00007FFFF019B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272370215.00007FFFF019D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.272383317.00007FFFF01A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffff00e0000_loaddll64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: @
API String ID: 1646373207-2766056989
Opcode ID: e0ca159923323c96d1c3349e815427a49f6cb7f5a8f3cd0aee64a08b7ea1ebf8
Instruction ID: ac3540a3044b6c4bf8950f92adcad1c57a2bc280f34bb45fb9e8c54232c58cd4
Opcode Fuzzy Hash: e0ca159923323c96d1c3349e815427a49f6cb7f5a8f3cd0aee64a08b7ea1ebf8
Instruction Fuzzy Hash: FB21D613E1968A86FB508B65E0647BE67E0BB81BD4F444335EB6E577CACE2CD1088740

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5828, Parent PID: 3352COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	43
Total number of Limit Nodes:	0

Executed Functions

Function 00000220E1E8B1D6 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 198
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000220E1E8B2DF
GetComputerNameExW.KERNELBASE ref: 00000220E1E8B332
NetWkstaGetInfo.NETAPI32 ref: 00000220E1E8B3B7

Strings

l, xrefs: 00000220E1E8B2C8
2, xrefs: 00000220E1E8B2B4
l, xrefs: 00000220E1E8B2C3
i, xrefs: 00000220E1E8B2AA
3, xrefs: 00000220E1E8B2AF
d, xrefs: 00000220E1E8B2BE
n, xrefs: 00000220E1E8B291
p, xrefs: 00000220E1E8B2A5
., xrefs: 00000220E1E8B2B9
e, xrefs: 00000220E1E8B296
t, xrefs: 00000220E1E8B29B
a, xrefs: 00000220E1E8B2A0

Memory Dump Source

Source File: 00000004.00000002.276392010.00000220E1E8B000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000220E1E8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220e1e8b000_rundll32.jbxd

Similarity

API ID: ComputerInfoLibraryLoadNameWksta
String ID: .$2$3$a$d$e$i$l$l$n$p$t
API String ID: 3393981993-1206877643
Opcode ID: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
Instruction ID: a6c1c1f1101203ce76e3e8a6bb9bebd3c40b300e273da931176278d965ab0672
Opcode Fuzzy Hash: 9f1df4b9c6e76e77351a2f1aa7da60c0e0fb4b368d1276d023936cfa14d4e98f
Instruction Fuzzy Hash: 8F81CA301187849FE368EB58C089B5AFBE1FB99308F54495DF489C72A2DBB5DD85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00000220E1E8BC3A Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 370
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000220E1E8BFBD

Strings

d, xrefs: 00000220E1E8BF8B
a, xrefs: 00000220E1E8BF95
p, xrefs: 00000220E1E8BF9A
3, xrefs: 00000220E1E8BFA4
2, xrefs: 00000220E1E8BFA9
v, xrefs: 00000220E1E8BF90
a, xrefs: 00000220E1E8BF86
i, xrefs: 00000220E1E8BF9F

Memory Dump Source

Source File: 00000004.00000002.276392010.00000220E1E8B000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000220E1E8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220e1e8b000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: 2$3$a$a$d$i$p$v
API String ID: 1029625771-1673513319
Opcode ID: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
Instruction ID: 73b0eb3d5a86de254641e031df22e17ef8ab15814eee39bf8dd2eab42361b6cd
Opcode Fuzzy Hash: 886938e3ccb0d6dbac8807b67c971d65b303b8bc3fbc6529e8d30fe2f3ad3af2
Instruction Fuzzy Hash: DBE1E634518A889FD799EB68C089B5AB7E1FB98304F65085DB199C72B2C775DC82CF02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000220E1E8F016 Relevance: 19.8, APIs: 13, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000220E1E8F03E
__scrt_acquire_startup_lock.LIBCMT ref: 00000220E1E8F0A4
_RTC_Initialize.LIBCMT ref: 00000220E1E8F0D2
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00000220E1E8F0DC
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000220E1E8F0F8
__scrt_release_startup_lock.LIBCMT ref: 00000220E1E8F123
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00000220E1E8F142
__scrt_fastfail.LIBCMT ref: 00000220E1E8F178
__scrt_acquire_startup_lock.LIBCMT ref: 00000220E1E8F1BA
_RTC_Initialize.LIBCMT ref: 00000220E1E8F1D9
__scrt_release_startup_lock.LIBCMT ref: 00000220E1E8F1EC
__scrt_uninitialize_crt.LIBCMT ref: 00000220E1E8F1F6
__scrt_fastfail.LIBCMT ref: 00000220E1E8F209

Memory Dump Source

Source File: 00000004.00000002.276392010.00000220E1E8B000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000220E1E8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220e1e8b000_rundll32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
String ID:
API String ID: 1988982384-0
Opcode ID: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
Instruction ID: 950ad2f0216337ac4de54ad1613e9a270bf58829e25d855635e011548d7d3c11
Opcode Fuzzy Hash: 59a5b4de44f6355801b1f155b58871900563701d3536bb07b74828003180b5cb
Instruction Fuzzy Hash: 82918430614A056FF7ACBBA8D8C97D9B2D1EB99700F5A4919B405C33B7DAB4CCC58782

Uniqueness

Uniqueness Score: -1.00%

Function 00000220E1E9C482 Relevance: 9.2, APIs: 6, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000220E1E9C4DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000220E1E9C543
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000220E1E9C5A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000220E1E9C60B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000220E1E9C66F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000220E1E9C6D3

Memory Dump Source

Source File: 00000004.00000002.276392010.00000220E1E8B000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000220E1E8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220e1e8b000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
Instruction ID: 71b2e47a57ead39e90acf8e6317a5c34f3898c926eb07d6181e7cc2f86bb797a
Opcode Fuzzy Hash: 7fbaef9c46b0c8ee2a82887f37f94b9b3dc8bc5b9c15c2ff3529230b087d5f66
Instruction Fuzzy Hash: 3961C320524D8D5AFB0DB7B8A88EBA8B391F3D8304F908954E045C72F7E9BD6DC48744

Uniqueness

Uniqueness Score: -1.00%

Function 00000220E1E91FDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000220E1E90866: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 00000220E1E9086A

__DestructExceptionObject.LIBVCRUNTIME ref: 00000220E1E92004
__DestructExceptionObject.LIBVCRUNTIME ref: 00000220E1E9208E

Strings

csm, xrefs: 00000220E1E92061

Memory Dump Source

Source File: 00000004.00000002.276392010.00000220E1E8B000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000220E1E8B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220e1e8b000_rundll32.jbxd

Similarity

API ID: DestructExceptionObject$__vcrt_getptd_noexit
String ID: csm
API String ID: 3780691363-1018135373
Opcode ID: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
Instruction ID: e83d82eeda790f4554738da3ddeb5a9c4774596243705f06ec7521d2735f1a84
Opcode Fuzzy Hash: 7c86f85e02e1cf17e2d905d46dea6ba077f0d3649df00ce6c101bcd2a45804e8
Instruction Fuzzy Hash: 4E315475118A049FDB68EF58D485B69B3E1FBD8710F51095CE48A87363C771ED81CB82

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wlbsctrl.dll

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 5068, Parent PID: 3892

General

Chronological Activities

Analysis Process: cmd.exePID: 3352, Parent PID: 5068

General

Chronological Activities

Analysis Process: rundll32.exePID: 5828, Parent PID: 3352

Windows Analysis Report
wlbsctrl.dll

Function 00007FFFF00E2B00 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 127
sleeplibraryloaderCOMMON

Function 00007FFFF00E102D Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 303
filelibraryloaderCOMMON

Function 00007FFFF00E1140 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 191
nativeCOMMON

Function 00007FFFF00E3AD4 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 204
libraryloaderCOMMON

Function 000002DCB240B1D6 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 198
libraryCOMMON

Function 000002DCB240BC3A Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 370
libraryCOMMON

Function 00007FFFF00E2140 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112
librarymemoryloaderCOMMON

Function 00007FFFF00E11EA Relevance: 13.6, APIs: 9, Instructions: 73
COMMON

Function 00007FFFF00E1219 Relevance: 7.6, APIs: 5, Instructions: 90
sleepCOMMON

Function 000002DCB240F016 Relevance: 19.8, APIs: 13, Instructions: 310
COMMON

Function 000002DCB241C482 Relevance: 9.2, APIs: 6, Instructions: 234
COMMON

Function 000002DCB2411FDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92
COMMON

Function 00007FFFF00E1127 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
libraryloaderCOMMON

Function 00000220E1E8B1D6 Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 198
libraryCOMMON

Function 00000220E1E8BC3A Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 370
libraryCOMMON

Function 00000220E1E8F016 Relevance: 19.8, APIs: 13, Instructions: 310
COMMON

Function 00000220E1E9C482 Relevance: 9.2, APIs: 6, Instructions: 234
COMMON

Function 00000220E1E91FDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92
COMMON