yunsip | 660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11

Analysis

max time kernel
22s
max time network
100s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 04:31

Target

660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11.dll
Size

760KB
MD5

0f2a462af8a9193da9ce31eeef254cba
SHA1

c2fc6cb00a6f3ae892d9547697c2394e59660f78
SHA256

660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11
SHA512

5396627011f29df04c415ff073e3fcbd77884b35c93bc2538e38fa402f6e4785509f77e4c2fbd6407f064f7a2003e29ba4e4a8264f3e2853c2bd67e71f73cf70
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDs:o6C5AXbMn7UI1FoV2gwTBlrIckPu

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27
PID 1940 wrote to memory of 1492	1940	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11.dll,#1
  2⤵
  PID:1492

memory/1492-55-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download