yunsip | 9e57821d1fa121a27b4501cc858ad3721d939b4f3a30220efadd97d8cb212d12 | Triage

Analysis

max time kernel
143s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 09:41

Sharing

Report Analysis Logs

General

Target

9e57821d1fa121a27b4501cc858ad3721d939b4f3a30220efadd97d8cb212d12.dll
Size

1008KB
MD5

19c55abeba7ddb4c86040fc8edbe5bcb
SHA1

423ed985869c91806cc3d7c3d3696c856b0bc92b
SHA256

9e57821d1fa121a27b4501cc858ad3721d939b4f3a30220efadd97d8cb212d12
SHA512

18f98a32a71f077c225efd9391a3acc871bbad644bc004fde1fe1774e4e01e722d9785dc651754fcafa8f4b0e8052e3d1b10a43a7bb54f41286c05deff799a50

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1696 wrote to memory of 2732	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2732	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 2732	1696	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e57821d1fa121a27b4501cc858ad3721d939b4f3a30220efadd97d8cb212d12.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e57821d1fa121a27b4501cc858ad3721d939b4f3a30220efadd97d8cb212d12.dll,#1
2⤵
PID:2732

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-114-0x0000000000000000-mapping.dmp

Download