yunsip | 660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11

Analysis

max time kernel
170s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 04:31

Target

660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11.dll
Size

760KB
MD5

0f2a462af8a9193da9ce31eeef254cba
SHA1

c2fc6cb00a6f3ae892d9547697c2394e59660f78
SHA256

660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11
SHA512

5396627011f29df04c415ff073e3fcbd77884b35c93bc2538e38fa402f6e4785509f77e4c2fbd6407f064f7a2003e29ba4e4a8264f3e2853c2bd67e71f73cf70
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDs:o6C5AXbMn7UI1FoV2gwTBlrIckPu

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2016	1436	rundll32.exe	79
PID 1436 wrote to memory of 2016	1436	rundll32.exe	79
PID 1436 wrote to memory of 2016	1436	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e96ce446d580b49354fa6b9e86efe28ba19de79283be9fa3840e7ca846b11.dll,#1
  2⤵
  PID:2016