yunsip | 668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4 | Triage

Analysis

max time kernel
0s
max time network
39s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 08:08

Sharing

Report Analysis Logs

General

Target

668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4.dll
Size

667KB
MD5

63cb5fd5731c8c93387c439616dc55c7
SHA1

ef4f186e6015c43ce944ccdbeabaff2dded9d4fd
SHA256

668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4
SHA512

b2db13745f93d28dd9144a82f24a9bf48b3450a45ade7541bee4688fe30dbfd8b94329c2521dcb4d61dbe79d126a55522193918432b0ca83dc56649f087322e0

Score

10^/10

yunsip banker trojan

Malware Config

Signatures

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 1484	520	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\668cd5d5dd94fdaa745891f0883d2858a692cf2ee00f7ce72f751734e30f84a4.dll,#1
2⤵
PID:1484

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1484-60-0x0000000000000000-mapping.dmp

Download
memory/1484-61-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download