yunsip | 6e7ff6982eb0b7de99d80aebc8c9b8517440a327c7f52cb95528c75d36b8e573 | Triage

Analysis

max time kernel
91s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 18:16

Sharing

Report Analysis Logs

General

Target

6e7ff6982eb0b7de99d80aebc8c9b8517440a327c7f52cb95528c75d36b8e573.dll
Size

726KB
MD5

17493ee156bc46aa910df941242c08a5
SHA1

b72504a9c347760871aaf450159893cfe7bd6761
SHA256

6e7ff6982eb0b7de99d80aebc8c9b8517440a327c7f52cb95528c75d36b8e573
SHA512

e18f96740d3b20da13151cb57d0e0bcb8c287fccae036ee4146458c48a6dfa5e85a2e2a82df77cc2d1332c77b5fcb060fd0312aa74cd941e071dd0e7b0a7dca2

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 492 wrote to memory of 1360	492	rundll32.exe	rundll32.exe
PID 492 wrote to memory of 1360	492	rundll32.exe	rundll32.exe
PID 492 wrote to memory of 1360	492	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e7ff6982eb0b7de99d80aebc8c9b8517440a327c7f52cb95528c75d36b8e573.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e7ff6982eb0b7de99d80aebc8c9b8517440a327c7f52cb95528c75d36b8e573.dll,#1
2⤵
PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-0-0x0000000000000000-mapping.dmp

Download