Edit tour

Windows Analysis Report
wlbsctrl.dll

Overview

General Information

Sample Name:	wlbsctrl.dll
Analysis ID:	651262
MD5:	8b2356cc4b0a382e79dcd4a844839e91
SHA1:	ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256:	1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains functionality to detect sleep reduction / modifications

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to call native functions

Contains functionality to detect sandboxes (mouse cursor move detection)

May check if the current machine is a sandbox (GetTickCount - Sleep)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample may be VM or Sandbox-aware, try analysis on a native machine

Process Tree

System is w10x64

loaddll64.exe (PID: 6288 cmdline: loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 6296 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6316 cmdline: rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: wlbsctrl.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\lemmy\Desktop\shellcodeless\syscall-xll-SecMods\x64\DLL\WhackAMole.pdb source: loaddll64.exe, 00000000.00000002.260656685.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000002.264137592.00007FFFE272A000.00000002.00000001.01000000.00000003.sdmp, wlbsctrl.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 4x nop then dec eax
Source: C:\Windows\System32\rundll32.exe	Code function: 4x nop then dec eax

Source: wlbsctrl.dll

Binary or memory string: OriginalFilenameOfficev1 vs wlbsctrl.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFFE2721140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFFE272102D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F279CA398A
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F279C9C0CA
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F279CAB46A
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F279CA93DA
Source: C:\Windows\System32\rundll32.exe	Code function: 2_2_000001D07AA1B46A
Source: C:\Windows\System32\rundll32.exe	Code function: 2_2_000001D07AA0C0CA
Source: C:\Windows\System32\rundll32.exe	Code function: 2_2_000001D07AA193DA
Source: C:\Windows\System32\rundll32.exe	Code function: 2_2_000001D07AA1398A

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFFE2721140 GetModuleHandleA,memset,GetCurrentProcess,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,NtAddBootEntry,CloseHandle,

Source: wlbsctrl.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1

Source: classification engine

Classification label: sus26.evad.winDLL@5/0@0/0

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFFE2722B00 GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep,

Source: wlbsctrl.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wlbsctrl.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wlbsctrl.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: wlbsctrl.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001F279CB2850 push ecx; retf 003Fh
Source: C:\Windows\System32\rundll32.exe	Code function: 2_2_000001D07AA22850 push ecx; retf 003Fh

Source: wlbsctrl.dll

Static PE information: section name: .00cfg

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFFE27211F9

Source: C:\Windows\System32\loaddll64.exe TID: 6292

Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\loaddll64.exe	Code function: GetTickCount,Sleep,GetCursorPos,Sleep,GetCursorPos,GetDiskFreeSpaceExA,GetModuleHandleA,GetProcAddress,GlobalMemoryStatusEx,K32EnumProcesses,EnumProcesses,Sleep,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetCursorPos,Sleep,GetCursorPos,IsProcessorFeaturePresent,capture_current_context,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFFE27211F9

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFFE27211EA IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFFE2721186 __security_init_cookie,GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Virtualization/Sandbox Evasion	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	651262
Start date and time: 23/06/202218:13:12	2022-06-23 18:13:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	wlbsctrl.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus26.evad.winDLL@5/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 19.6% (good quality ratio 3.5%) Quality average: 13.8% Quality standard deviation: 31.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Sleeps bigger than 300000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	2.301165268606333
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	wlbsctrl.dll
File size:	775168
MD5:	8b2356cc4b0a382e79dcd4a844839e91
SHA1:	ffb6a64c9996aa9e14ab69791f610babf98784c5
SHA256:	1e57baa7d7c987aebd09b43788e9388c89a1cb9e89b4cbad24a8662e606d62f2
SHA512:	273c11f50ce23d01108c7edf484f10fc7d318cd89fcc51baf7f2721f1655340b0167214498f5e08a9e7fdae9e656f6f516a7eff7a25e7151e1f0ea5fc5d71ba0
SSDEEP:	12288:FjwnXutNmopfRYxaKHFiPTLJsaVHct37frld/ibWcccccccccI6gRThD:
TLSH:	59F4B75A0823D211D8244C3196377AC66F1672E9776C27D3F6A92FA2C1390C1AD77F3A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{Fv.(Fv.(Fv.(O.k(Bv.(...)Dv.(R..)Cv.(Fv.(pv.(...)Jv.(...)Nv.(...)Bv.(...)Gv.(...(Gv.(Fvo(Gv.(...)Gv.(RichFv.(...............

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x18000100a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x62ACC1D8 [Fri Jun 17 18:03:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	05dcd6eab6e64f86dc1e816425be7b14

Entrypoint Preview

Instruction
jmp 00007F7144AA6612h
jmp 00007F7144AA6AF9h
jmp 00007F7144AA568Ch
jmp 00007F7144AA6B67h
jmp 00007F7144AA5852h
jmp 00007F7144AA7385h
jmp 00007F7144AA75A4h
jmp 00007F7144AA44F3h
jmp 00007F7144AA6DA2h
jmp 00007F7144AA6B4Dh
jmp 00007F7144AAA9C4h
jmp 00007F7144AA7583h
jmp 00007F7144AA7592h
jmp 00007F7144AA5595h
jmp 00007F7144AAA990h
jmp 00007F7144AA87CBh
jmp 00007F7144AA5B82h
jmp 00007F7144AAAA01h
jmp 00007F7144AA60FCh
jmp 00007F7144AA731Bh
jmp 00007F7144AA7562h
jmp 00007F7144AA6C6Dh
jmp 00007F7144AA8788h
jmp 00007F7144AA6053h
jmp 00007F7144AA7546h
jmp 00007F7144AAAA39h
jmp 00007F7144AA597Ch
jmp 00007F7144AA5F37h
jmp 00007F7144AAA8EAh
jmp 00007F7144AA6E59h
jmp 00007F7144AA7534h
jmp 00007F7144AA6A67h
jmp 00007F7144AAA886h
jmp 00007F7144AA6A59h
jmp 00007F7144AA6CBCh
jmp 00007F7144AA4EC7h
jmp 00007F7144AAAA22h
jmp 00007F7144AA6AC9h
jmp 00007F7144AA56CCh
jmp 00007F7144AA4203h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe3b0	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc1000	0x890	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xbd000	0x420	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0x40	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xab64	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb0a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xaba0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xbe000	0x3b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89b5	0x8a00	False	0.24363111413043478	data	3.5100227973693183	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x1f62	0x2000	False	0.1304931640625	data	1.5044615193257005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xb0539	0xafe00	False	0.1482459355010661	data	2.016608344146886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xbd000	0x5ac	0x600	False	0.3919270833333333	data	3.213440260810703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0xbe000	0xe3d	0x1000	False	0.23828125	data	3.0459227597586005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xbf000	0x309	0x400	False	0.021484375	data	0.011173818721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0xc0000	0x151	0x200	False	0.0546875	data	0.330964730370671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc1000	0x890	0xa00	False	0.2640625	data	2.6030848233720585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0x1f1	0x200	False	0.14453125	data	0.7368777605793444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc11c0	0x354	data	English	United States
RT_MANIFEST	0xc1518	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, GetDiskFreeSpaceExA, CloseHandle, Sleep, GetCurrentProcess, GetTickCount, GetModuleHandleA, GetProcAddress, CreateFileMappingA, K32EnumProcesses, K32GetModuleInformation, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	GetCursorPos
VCRUNTIME140.dll	memset, __C_specific_handler, __current_exception, __current_exception_context, __std_type_info_destroy_list
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __stdio_common_vfprintf
api-ms-win-crt-runtime-l1-1-0.dll	terminate, _initterm_e, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _crt_at_quick_exit, _cexit, _initterm

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	18:14:12
Start date:	23/06/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\wlbsctrl.dll"
Imagebase:	0x7ff6d4fc0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 6296, Parent PID: 6288

General

Target ID:	1
Start time:	18:14:13
Start date:	23/06/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Imagebase:	0x7ff7bb450000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6316, Parent PID: 6296

General

Target ID:	2
Start time:	18:14:13
Start date:	23/06/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\wlbsctrl.dll",#1
Imagebase:	0x7ff675c30000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wlbsctrl.dll

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 6288, Parent PID: 5528

General

Analysis Process: cmd.exePID: 6296, Parent PID: 6288

General

Analysis Process: rundll32.exePID: 6316, Parent PID: 6296

General

Disassembly

Windows Analysis Report
wlbsctrl.dll