
Analysis Report shorefront.eps

Overview

General Information

Sample Name: shorefront.eps (renamed file extension from eps to dll)
Analysis ID: 429225
MD5: b3526bc3c4a61f9f09ac31ee9a5fc8a5
SHA1: d92ac3fa9cca4ed8273111f767e24d8f53896787
SHA256: f4a464c2e5f14cd4c391a9b5ba60deca36ccaa6c1503a097eeb0c5070945d1fb
Tags: dll, Gozi

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6604 cmdline: loaddll32.exe 'C:\Users\user\Desktop\shorefront.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6612 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6640 cmdline: rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6628 cmdline: rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6700 cmdline: rundll32.exe C:\Users\user\Desktop\shorefront.dll,Forcearea MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\shorefront.dll,Stationmeat MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 816 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6476 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4136 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "YO4ItoAHj27nQHcek0ajLmmby9wzIPBRe+hTTGA+vdmBx9WHGSmH+27G6fUvU8FIdumcsGzdR3nVucsR89Hrym0hEi/6912U3fz8nLZTmfMNITP1haHrjk4931u8AJbwFobO2OROdhnUSaxTMA4bUUhDQ512s4Mw9dwF+RVgzByOOXZjTb/8c7RAb5TF3S9udlcSUcG0UgRjjerDAkFDNoGfvrRUbQdmhzdTQTVlAQndB1/gGmNmYRjiDY3ZPIgGCxRg+L7+cRtLwnqkaPMhiWWYFszaBPeJgqFJ28z3OWmw84N+FITvVekj/sQLKPQHnW1Axm22vEhQb3UNvpyJEVFYrda06XMVSGm1E2H2wkQ=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "4500", "server": "580", "serpent_key": "46uoXhSnsCfVUpSs", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.874866712.0000000002FE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.876330514.00000000050E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.874909818.0000000002FE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.874494648.0000000002FE8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(20 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.3.rundll32.exe.3218d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6c500000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.3.loaddll32.exe.538d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.3.rundll32.exe.30e8d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.2228d26.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(2 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "YO4ItoAHj27nQHcek0ajLmmby9wzIPBRe+hTTGA+vdmBx9WHGSmH+27G6fUvU8FIdumcsGzdR3nVucsR89Hrym0hEi/6912U3fz8nLZTmfMNITP1haHrjk4931u8AJbwFobO2OROdhnUSaxTMA4bUUhDQ512s4Mw9dwF+RVgzByOOXZjTb/8c7RAb5TF3S9udlcSUcG0UgRjjerDAkFDNoGfvrRUbQdmhzdTQTVlAQndB1/gGmNmYRjiDY3ZPIgGCxRg+L7+cRtLwnqkaPMhiWWYFszaBPeJgqFJ28z3OWmw84N+FITvVekj/sQLKPQHnW1Axm22vEhQb3UNvpyJEVFYrda06XMVSGm1E2H2wkQ=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "4500", "server": "580", "serpent_key": "46uoXhSnsCfVUpSs", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: app.buboleinov.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: shorefront.dll | Virustotal: Detection: 46%
Source: shorefront.dll | ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: shorefront.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_005035A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_005035A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047735A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_047735A1
Source: shorefront.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: shorefront.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Original-shine\bat\Cat\page\Seven\Design.pdb source: loaddll32.exe, rundll32.exe, shorefront.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00504E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00504E9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04774E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_04774E9C
Source: unknown | DNS traffic detected: queries for: app.buboleinov.com
Source: ~DF762A57E90D6A65CD.TMP.12.dr, {B147A470-C485-11EB-90EB-ECF4BBEA1588}.dat.12.dr | String found in binary or memory: http://app.buboleinov.com/7dGVcD7hOw3lYt5/1yqoO_2BT5cAFQCvp3/7fGu2bPOM/Y70HlHuovLn2gp_2B2GH/4_2FYxaP
Source: {B147A472-C485-11EB-90EB-ECF4BBEA1588}.dat.12.dr | String found in binary or memory: http://app.buboleinov.com/BHxjQVeA3bCRL3A0U_2Bhx/6Mf2XW6xM9nlO/OBBDiHLG/gVHcEz5iH6i5Er6PkMAnMWX/IOi2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.874866712.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876330514.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874909818.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874494648.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876188239.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874791903.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874837013.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.919920945.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876373518.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874942139.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876356161.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876088782.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874588381.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876229416.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.874885116.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.917892757.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876297207.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.876268229.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6640, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6604, type: MEMORY
Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.821591213.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.794830642.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.797710729.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.813086420.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.3.rundll32.exe.3218d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6c500000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.538d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.rundll32.exe.30e8d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.2228d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.27f8d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6c500000.3.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif: the same 20 memory-dump and process-memory matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Yara detected Ursnif: the same 5 memory-dump and 7 unpacked-PE matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_005035A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_005035A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047735A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_047735A1

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C5018D1 GetProcAddress,NtCreateSection,memset,0_2_6C5018D1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C501B89 NtMapViewOfSection,0_2_6C501B89
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C502485 NtQueryVirtualMemory,0_2_6C502485
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00503CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_00503CA1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_005081CD NtQueryVirtualMemory,0_2_005081CD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04773CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_04773CA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_047781CD NtQueryVirtualMemory,3_2_047781CD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C502264 0_2_6C502264
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00506609 0_2_00506609
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00507FA8 0_2_00507FA8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C558C07 0_2_6C558C07
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C55A588 0_2_6C55A588
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C548ED8 0_2_6C548ED8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C54C8D4 0_2_6C54C8D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C55139D 0_2_6C55139D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04776609 3_2_04776609
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04777FA8 3_2_04777FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C558C07 3_2_6C558C07
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C55A588 3_2_6C55A588
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C548ED8 3_2_6C548ED8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C54C8D4 3_2_6C54C8D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C55139D 3_2_6C55139D
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6C54B330 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C54B330 appears 40 times
Source: shorefront.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal92.troj.winDLL@16/17@6/0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_005019E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_005019E7
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B147A46E-C485-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF896FBAE33087E32E.TMP
Source: shorefront.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child
Source: shorefront.dll | Virustotal: Detection: 46%
Source: shorefront.dll | ReversingLabs: Detection: 54%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\shorefront.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Forcearea
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Stationmeat
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Child
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Forcearea
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\shorefront.dll,Stationmeat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:816 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9d0-baf9-11ce-8c82-00aa004ba90b}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: shorefront.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: shorefront.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Original-shine\bat\Cat\page\Seven\Design.pdb source: loaddll32.exe, rundll32.exe, shorefront.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C501F31 LoadLibraryA,GetProcAddress,0_2_6C501F31
Source: shorefront.dll | Static PE information: real checksum: 0x6f44b should be: 0x6430b
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C502253 push ecx; ret 0_2_6C502263
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C502200 push ecx; ret 0_2_6C502209
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0050B67C push ss; retf 0_2_0050B690
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00507C20 push ecx; ret 0_2_00507C29
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0050B163 push edx; iretd 0_2_0050B164
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00507F97 push ecx; ret 0_2_00507FA7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C51242B pushad ; ret 0_2_6C51242C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C510DDC push edi; ret 0_2_6C510DE4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C511F8E push esp; ret 0_2_6C511F8F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C546847 push ecx; ret 0_2_6C54685A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6C54B375 push ecx; ret 0_2_6C54B388
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0477B67C push ss; retf 3_2_0477B690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04777C20 push ecx; ret 3_2_04777C29
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0477B163 push edx; iretd 3_2_0477B164
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04777F97 push ecx; ret 3_2_04777FA7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C51242B pushad ; ret 3_2_6C51242C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C510DDC push edi; ret 3_2_6C510DE4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C511F8E push esp; ret 3_2_6C511F8F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C546847 push ecx; ret 3_2_6C54685A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6C54B375 push ecx; ret 3_2_6C54B388

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif: the same memory-dump matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6640, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6604, type: MEMORY
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.821591213.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.794830642.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.797710729.0000000002220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.813086420.0000000003210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 5.3.rundll32.exe.3218d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6c500000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.538d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.30e8d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.2228d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.27f8d26.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.6c500000.3.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C50FC64 str word ptr [eax+00h] 0_2_6C50FC64
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00504E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00504E9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04774E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_04774E9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C54DD9B IsDebuggerPresent, 0_2_6C54DD9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C55603F ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6C55603F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C501F31 LoadLibraryA,GetProcAddress, 0_2_6C501F31
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C55F1E7 mov eax, dword ptr fs:[00000030h] 0_2_6C55F1E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C55F11D mov eax, dword ptr fs:[00000030h] 0_2_6C55F11D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C55ED24 push dword ptr fs:[00000030h] 0_2_6C55ED24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6C55F11D mov eax, dword ptr fs:[00000030h] 3_2_6C55F11D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6C55ED24 push dword ptr fs:[00000030h] 3_2_6C55ED24
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C54B524 GetProcessHeap, 0_2_6C54B524
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C548B1A __call_reportfault,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C548B1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6C548B1A __call_reportfault,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C548B1A
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\shorefront.dll',#1
Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.916973157.0000000000D20000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.917409862.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00503946 cpuid 0_2_00503946
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6C501566
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6C54ACFA
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6C556DEC
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6C556F16
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6C556FC3
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6C556843
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo (repeated 88 times), 0_2_6C554020
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_6C546A76
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_6C553A1E
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6C553234
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6C54AAC0
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6C556AF7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6C54AAFD
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6C556AB7
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6C556B74
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6C556BF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 3_2_6C54ACFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6C556DEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6C556F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6C556FC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6C556843
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo (repeated 88 times), 3_2_6C554020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 3_2_6C546A76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 3_2_6C553A1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_6C553234
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6C54AAC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6C556AF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6C54AAFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6C556AB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6C556B74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6C556BF7
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C501979 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6C501979
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00503946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00503946
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6C50146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6C50146C
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.874866712.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876330514.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874909818.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874494648.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876188239.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874791903.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874837013.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.919920945.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876373518.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874942139.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876356161.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876088782.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874588381.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876229416.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874885116.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.917892757.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876297207.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876268229.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6640, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6604, type: MEMORY
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.821591213.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.794830642.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.797710729.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.813086420.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.3.rundll32.exe.3218d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6c500000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.538d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.30e8d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2228d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.27f8d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6c500000.3.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.874866712.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876330514.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874909818.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874494648.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876188239.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874791903.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874837013.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.919920945.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876373518.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874942139.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876356161.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876088782.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874588381.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876229416.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.874885116.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.917892757.0000000002FE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876297207.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.876268229.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6640, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6604, type: MEMORY
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.827452979.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.821591213.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.794830642.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.797710729.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.813086420.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.3.rundll32.exe.3218d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6c500000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.538d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.30e8d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2228d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.27f8d26.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6c500000.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Trailing digits after a technique name are the signature counts the report attaches to that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 34 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

[Behavior graph image not preserved; recoverable node data follows]
Behavior Graph ID: 429225
Sample: shorefront.eps
Start date: 03/06/2021
Architecture: WINDOWS
Score: 92
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures
Processes started from the sample node: loaddll32.exe; iexplore.exe
loaddll32.exe signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
Processes started by loaddll32.exe: rundll32.exe; cmd.exe
Further graph node: rundll32.exe