yunsip | 042d538a97b2af71b30bcb16c3df4aa7474a63943dd124f81b956bd746fba32b | Triage

Analysis

max time kernel
4s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 11:31

Sharing

Report Analysis Logs

General

Target

6ec362b9c0b523db2cac2cba365b0470.dll
Size

433KB
MD5

160663d58531b09f248b9defe0fe69b9
SHA1

e25d1f154d3c618b9d758dd759a34c2e07e227ec
SHA256

042d538a97b2af71b30bcb16c3df4aa7474a63943dd124f81b956bd746fba32b
SHA512

ad240e3111a42498589e6c3180a798442da1084729e5f6c9468f59e2a361a2355c0c8d63a322a3f59a563488a0c6d03d736a254d47f9f42d58c9df9384d77f5d

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe
PID 1128 wrote to memory of 1984	1128	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec362b9c0b523db2cac2cba365b0470.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec362b9c0b523db2cac2cba365b0470.dll,#1
2⤵
PID:1984

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-0-0x0000000000000000-mapping.dmp

Download