yunsip | e8dc54c406550a9f9ce00c5e37ed02bec6d79c52c4dbc306dc217e737fc6e196 | Triage

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 12:50

Sharing

Report Analysis Logs

General

Target

e8dc54c406550a9f9ce00c5e37ed02bec6d79c52c4dbc306dc217e737fc6e196.dll
Size

794KB
MD5

cd1f97fcb7827b4130ecba7cb6c6bc66
SHA1

b42d1eb0958c6cee3c2600d923cc66c9ba832021
SHA256

e8dc54c406550a9f9ce00c5e37ed02bec6d79c52c4dbc306dc217e737fc6e196
SHA512

58601a57712b228b62219fe5695ac152d130815a0b8706e248c5e739c4294cc8fca58e2f7e40e17efe333bfd8b333186c8c32d62ebedcc11db4c900005b8a1c6

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1908	1088	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8dc54c406550a9f9ce00c5e37ed02bec6d79c52c4dbc306dc217e737fc6e196.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8dc54c406550a9f9ce00c5e37ed02bec6d79c52c4dbc306dc217e737fc6e196.dll,#1
2⤵
PID:1908

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/1908-61-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download