yunsip | 05fceb5c5153af91cb5af88fa34cbc1c82aa2cd1da4582271699a543035a0b26 | Triage

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 18:06

Sharing

Report Analysis Logs

General

Target

05fceb5c5153af91cb5af88fa34cbc1c82aa2cd1da4582271699a543035a0b26.dll
Size

672KB
MD5

0eff3685df878d82b52e6c1cceb19753
SHA1

f79a28a640f220ba1fdf5ed358ede00062b776f3
SHA256

05fceb5c5153af91cb5af88fa34cbc1c82aa2cd1da4582271699a543035a0b26
SHA512

f36fb342053cfe0e0659ffedbff0843ef8600c8f8b6fb6b617b8709e65db3fb17f20ee9ac93fd229a8f9d1e223fda34e2241fb74e6f8992fde92d92849617a9c

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1920	1056	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05fceb5c5153af91cb5af88fa34cbc1c82aa2cd1da4582271699a543035a0b26.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05fceb5c5153af91cb5af88fa34cbc1c82aa2cd1da4582271699a543035a0b26.dll,#1
2⤵
PID:1920

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-0-0x0000000000000000-mapping.dmp

Download