yunsip | 2ec45d8202ab2babef99afb55a659341597ac2bf16914b181489ffc77a36b808

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 03:00

Target

2ec45d8202ab2babef99afb55a659341597ac2bf16914b181489ffc77a36b808.dll
Size

691KB
MD5

31823231a8fea44db137de235cfdc670
SHA1

92ebb2acf76d2afc77ba8c1ab33ab460aae468bf
SHA256

2ec45d8202ab2babef99afb55a659341597ac2bf16914b181489ffc77a36b808
SHA512

b95d8d5218c98cb23798aa9f091b27c758a62ca0acdf96a218d46341942a52c6653639fb69cbe4a4d7a34a96c25af783d2c44e9c59f9cff63af7a181b2c665c8
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0P:jDgtfRQUHPw06MoV2nwTBlhm8X

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 656	812	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec45d8202ab2babef99afb55a659341597ac2bf16914b181489ffc77a36b808.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec45d8202ab2babef99afb55a659341597ac2bf16914b181489ffc77a36b808.dll,#1
2⤵
PID:656

memory/656-54-0x0000000000000000-mapping.dmp

Download
memory/656-55-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download