yunsip | 27afd94ecea791c80b11c939222a17f82046a1cf4bc2520e5df38f198e1e1b07 | Triage

Analysis

max time kernel
114s
max time network
114s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 11:23

Sharing

Report Analysis Logs

General

Target

27afd94ecea791c80b11c939222a17f82046a1cf4bc2520e5df38f198e1e1b07.dll
Size

677KB
MD5

45dfe2c5e98d7d5739eeaab796443955
SHA1

a29abdf5bcc6f5e3287e1ce73e60292cd2a92d51
SHA256

27afd94ecea791c80b11c939222a17f82046a1cf4bc2520e5df38f198e1e1b07
SHA512

c56ff516ec3052933a9b05fbf5053ab21025068ed96fd11c015451791bcc49e4b84eb463a1df80246750a639d19ae3ee22dae05746fdcd41f6b6bab6423ab7d3

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1844	1816	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27afd94ecea791c80b11c939222a17f82046a1cf4bc2520e5df38f198e1e1b07.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27afd94ecea791c80b11c939222a17f82046a1cf4bc2520e5df38f198e1e1b07.dll,#1
2⤵
PID:1844

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-61-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1844-60-0x0000000000000000-mapping.dmp

Download