yunsip | e23f5f7cb12b08bcb0102fc9254a0574f9974ae65c521b18d926a9e8bdc03dff

Analysis

max time kernel
11s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 22:27

Target

e23f5f7cb12b08bcb0102fc9254a0574f9974ae65c521b18d926a9e8bdc03dff.dll
Size

418KB
MD5

60c5c2ebff1f8f88159e851b4285f740
SHA1

32bca0a7f0bbb7b1726fa3f09ff5a8b4ac874981
SHA256

e23f5f7cb12b08bcb0102fc9254a0574f9974ae65c521b18d926a9e8bdc03dff
SHA512

e45369f5191f2a2bf23c7010b4640fc59a223bb6e8c196eb9c86a727e74a89b9325e9d4cec334c0c0bf152efbdaa77da8e5d76899e2a756f53cbaae87c1fc4d2
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0W:jDgtfRQUHPw06MoV2nwTBlhm8e

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 1104	1932	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23f5f7cb12b08bcb0102fc9254a0574f9974ae65c521b18d926a9e8bdc03dff.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23f5f7cb12b08bcb0102fc9254a0574f9974ae65c521b18d926a9e8bdc03dff.dll,#1
2⤵
PID:1104

memory/1104-54-0x0000000000000000-mapping.dmp

Download
memory/1104-55-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download