yunsip | 1a083ff2e8ed62b27c30f3db8fed26f2e0b2492420e2f0c3bacbb09d8ed6c538

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 01:57

Target

1a083ff2e8ed62b27c30f3db8fed26f2e0b2492420e2f0c3bacbb09d8ed6c538.dll
Size

433KB
MD5

417401e4044554d4be7103a52d33f530
SHA1

b16740c050183e06c4a4c464ff4f48fc3661cd08
SHA256

1a083ff2e8ed62b27c30f3db8fed26f2e0b2492420e2f0c3bacbb09d8ed6c538
SHA512

26d942f42ca80354b9f75e0ace5aed38fe677baf4a64c87e03cb518e97e982c366c48f3cca037a5dcb6c00e55ac242ec3e3b718577cfec5d0be1819385acd755
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0q:jDgtfRQUHPw06MoV2nwTBlhm8i

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5072 wrote to memory of 4972	5072	rundll32.exe	rundll32.exe
PID 5072 wrote to memory of 4972	5072	rundll32.exe	rundll32.exe
PID 5072 wrote to memory of 4972	5072	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a083ff2e8ed62b27c30f3db8fed26f2e0b2492420e2f0c3bacbb09d8ed6c538.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a083ff2e8ed62b27c30f3db8fed26f2e0b2492420e2f0c3bacbb09d8ed6c538.dll,#1
2⤵
PID:4972