yunsip | a2b3de3937c076678272908110ab5b994396cc3ece724b90c8a4e7948193be9c | Triage

Analysis

max time kernel
0s
max time network
31s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 07:57

Sharing

Report Analysis Logs

General

Target

a2b3de3937c076678272908110ab5b994396cc3ece724b90c8a4e7948193be9c.dll
Size

911KB
MD5

9242365a36c26263c21ec70aa0916fda
SHA1

01abe39c9955ffe4b0c197c97a21b5296c4fc125
SHA256

a2b3de3937c076678272908110ab5b994396cc3ece724b90c8a4e7948193be9c
SHA512

d1ddaa11679f0d876837adab4d38a1af4f5e5d5f17a8edd08cb4a990b810da0715d078ae78a7f952ec2f3043ea123af1886cbb5031b7d21184d1efefee6a424d

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1784	676	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2b3de3937c076678272908110ab5b994396cc3ece724b90c8a4e7948193be9c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2b3de3937c076678272908110ab5b994396cc3ece724b90c8a4e7948193be9c.dll,#1
2⤵
PID:1784

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-60-0x0000000000000000-mapping.dmp

Download
memory/1784-61-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download