Windows Analysis Report
wlbsctrl.dll

Overview

General Information

Sample Name: wlbsctrl.dll
Analysis ID: 651262
MD5: 8b2356cc4b0a382e79dcd4a844839e91
SHA1: ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256: 1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2
Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to detect sleep reduction / modifications
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Source: wlbsctrl.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\lemmy\Desktop\shellcodeless\syscall-xll-SecMods\x64\DLL\WhackAMole.pdb source: loaddll64.exe, 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.264137592.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp, wlbsctrl.dll
Source: C:\Windows\System32\loaddll64.exe Code function: 4x nop then dec eax 0_2_000001F279C9B7BA
Source: C:\Windows\System32\rundll32.exe Code function: 4x nop then dec eax 2_2_000001D07AA0B7BA
Source: wlbsctrl.dll Binary or memory string: OriginalFilenameOfficev1 vs wlbsctrl.dll
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE2721140 0_2_00007FFFE2721140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE272102D 0_2_00007FFFE272102D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001F279CA398A 0_2_000001F279CA398A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001F279C9C0CA 0_2_000001F279C9C0CA
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001F279CAB46A 0_2_000001F279CAB46A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001F279CA93DA 0_2_000001F279CA93DA
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_000001D07AA1B46A 2_2_000001D07AA1B46A
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_000001D07AA0C0CA 2_2_000001D07AA0C0CA
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_000001D07AA193DA 2_2_000001D07AA193DA
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_000001D07AA1398A 2_2_000001D07AA1398A
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE2721140 GetModuleHandleA,memset,GetCurrentProcess,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,CloseHandle, 0_2_00007FFFE2721140
Source: wlbsctrl.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: classification engine Classification label: sus26.evad.winDLL@5/0@0/0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE2722B00 GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep, 0_2_00007FFFE2722B00
Source: wlbsctrl.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: wlbsctrl.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wlbsctrl.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wlbsctrl.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wlbsctrl.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wlbsctrl.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wlbsctrl.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000001F279CB2850 push ecx; retf 003Fh 0_2_000001F279CB28B0
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_000001D07AA22850 push ecx; retf 003Fh 2_2_000001D07AA228B0
Source: wlbsctrl.dll Static PE information: section name: .00cfg
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE27211F9 0_2_00007FFFE27211F9
Source: C:\Windows\System32\loaddll64.exe TID: 6292 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe Code function: GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep, 0_2_00007FFFE2722B00
Source: C:\Windows\System32\loaddll64.exe Code function: GetCursorPos,Sleep,GetCursorPos,IsProcessorFeaturePresent,capture_current_context, 0_2_00007FFFE2721219
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE27211EA IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFFE27211EA
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFFE2721186 __security_init_cookie,GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFFE2721186
No contacted IP infos