yunsip | d7058b7bff10634297c3f0da38746ceca4f12e361977ef94b7a1f171a981a5dc | Triage

Analysis

max time kernel
123s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 18:13

Sharing

Report Analysis Logs

General

Target

d7058b7bff10634297c3f0da38746ceca4f12e361977ef94b7a1f171a981a5dc.dll
Size

728KB
MD5

b4c438d9d61124b4509af1e964a9efff
SHA1

9a2114c1745a165fbd837776a589cb4eff711f9a
SHA256

d7058b7bff10634297c3f0da38746ceca4f12e361977ef94b7a1f171a981a5dc
SHA512

bbf2ce5b47f8c3a22789c82cba8d0480ddb8517771dd2e307705e2ce95c351d836fa8c6a8fbbdf3ee85a3864e83701d393cb1b6a786d0d4ff76941b43f6b8a02

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1944	484	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7058b7bff10634297c3f0da38746ceca4f12e361977ef94b7a1f171a981a5dc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7058b7bff10634297c3f0da38746ceca4f12e361977ef94b7a1f171a981a5dc.dll,#1
2⤵
PID:1944

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-0-0x0000000000000000-mapping.dmp

Download