yunsip | 9096b6721d66f813803f85071233ab8f62dc97621d334b7b300245ed4a82e719 | Triage

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 18:16

Sharing

Report Analysis Logs

General

Target

9096b6721d66f813803f85071233ab8f62dc97621d334b7b300245ed4a82e719.dll
Size

714KB
MD5

e7fbf674d71e6360b7b46105fa8aa346
SHA1

dc78d049dd87ae8b15c8f2895def2c815ddc7fca
SHA256

9096b6721d66f813803f85071233ab8f62dc97621d334b7b300245ed4a82e719
SHA512

2b391d43cf42678691da55882febad18998dcad43863acfdb832447bfdc0e13708961fedaaab00c217c2c7283e5f9a67f0649b7b2085eab9cd032ca1b6a756ab

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1612	288	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9096b6721d66f813803f85071233ab8f62dc97621d334b7b300245ed4a82e719.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9096b6721d66f813803f85071233ab8f62dc97621d334b7b300245ed4a82e719.dll,#1
2⤵
PID:1612

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-0-0x0000000000000000-mapping.dmp

Download