yunsip | 1ccae70f99772c6deecc9d4a57a87acfadad589029cc5e58ec22c5cac3a15bcb | Triage

Analysis

max time kernel
79s
max time network
135s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 17:51

Sharing

Report Analysis Logs

General

Target

1ccae70f99772c6deecc9d4a57a87acfadad589029cc5e58ec22c5cac3a15bcb.dll
Size

726KB
MD5

ea5ced276db1d8a346019ab29b730a29
SHA1

8a903462b29af9d741ea2c23771bd4446799d3ba
SHA256

1ccae70f99772c6deecc9d4a57a87acfadad589029cc5e58ec22c5cac3a15bcb
SHA512

671f9951b29cc3623cb4fffc53993e4f12c5b06c4231561c29b67d8e623ebf37c17e0c97c1c70361e37b08f7bd76b47674ff096ef6ca9d4eb0049e70f5b3963e

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 540 wrote to memory of 3416	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3416	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3416	540	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ccae70f99772c6deecc9d4a57a87acfadad589029cc5e58ec22c5cac3a15bcb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ccae70f99772c6deecc9d4a57a87acfadad589029cc5e58ec22c5cac3a15bcb.dll,#1
2⤵
PID:3416

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3416-0-0x0000000000000000-mapping.dmp

Download