yunsip | ecb4d6d28f1df593fc832cb107e3d491cdeba72fecd83ef4685a1f07756023cf | Triage

Analysis

max time kernel
122s
max time network
121s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 12:34

Sharing

Report Analysis Logs

General

Target

ecb4d6d28f1df593fc832cb107e3d491cdeba72fecd83ef4685a1f07756023cf.dll
Size

435KB
MD5

57b23b00c1692c6b0b63fe744c12bcf0
SHA1

4bb0fc1eff139cf9a69afd176a341795cc212031
SHA256

ecb4d6d28f1df593fc832cb107e3d491cdeba72fecd83ef4685a1f07756023cf
SHA512

faf78314b1713951fd7824ddf55aea70d88622868ae5503f536460e6f37375b518f734b09be005719714ccf6b3079e4a1b92d4ba817264c88c37964b4d882e37

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1180	1640	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecb4d6d28f1df593fc832cb107e3d491cdeba72fecd83ef4685a1f07756023cf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecb4d6d28f1df593fc832cb107e3d491cdeba72fecd83ef4685a1f07756023cf.dll,#1
2⤵
PID:1180

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-60-0x0000000000000000-mapping.dmp

Download
memory/1180-61-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download