yunsip | c0ec7a291999dd1806fe4422a7224aacbee0b93be4bb6636f575963e4f1a8300 | Triage

Analysis

max time kernel
29s
max time network
52s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 10:57

Sharing

Report Analysis Logs

General

Target

c0ec7a291999dd1806fe4422a7224aacbee0b93be4bb6636f575963e4f1a8300.dll
Size

793KB
MD5

dc109d379f5789d6029c406fd21fa37f
SHA1

4bfe380aeef46be8bfe11c897c33a001a5250e00
SHA256

c0ec7a291999dd1806fe4422a7224aacbee0b93be4bb6636f575963e4f1a8300
SHA512

0e9e7aa3961beb370b57ea1e1f40705dc5ca090f00c72beffdb856426013d0534f740e277be0bbd1abd36a6b8b3bc9d791d1e765c02cab25180b70fc3c9c3e71

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 636 wrote to memory of 1480	636	rundll32.exe	rundll32.exe
PID 636 wrote to memory of 1480	636	rundll32.exe	rundll32.exe
PID 636 wrote to memory of 1480	636	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0ec7a291999dd1806fe4422a7224aacbee0b93be4bb6636f575963e4f1a8300.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0ec7a291999dd1806fe4422a7224aacbee0b93be4bb6636f575963e4f1a8300.dll,#1
2⤵
PID:1480

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-114-0x0000000000000000-mapping.dmp

Download