yunsip | 171f2ae98ea7a4dd9d7801a06cea46a15fe91c937c3bae01d1e6937ed880cee6

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:06

Target

171f2ae98ea7a4dd9d7801a06cea46a15fe91c937c3bae01d1e6937ed880cee6.dll
Size

742KB
MD5

08f54da040229e0fba57386a0372b300
SHA1

c0ff2234969669aabdde03eaf412a861818e8750
SHA256

171f2ae98ea7a4dd9d7801a06cea46a15fe91c937c3bae01d1e6937ed880cee6
SHA512

7a530b4adbc96258945fcf687bc9a1930b464012892dabf04894638ba35f5aff33029507c23a40be8a04af380854cef3fd98ea762be2d1a40045ae66b9239332
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0K:jDgtfRQUHPw06MoV2nwTBlhm8S

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 2016	1356	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\171f2ae98ea7a4dd9d7801a06cea46a15fe91c937c3bae01d1e6937ed880cee6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\171f2ae98ea7a4dd9d7801a06cea46a15fe91c937c3bae01d1e6937ed880cee6.dll,#1
2⤵
PID:2016

memory/2016-54-0x0000000000000000-mapping.dmp

Download
memory/2016-55-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download