yunsip | 97fb6dbcc6cbf0c202142a7419534fe763f67ad4c70043dd1bb5a6690be00ba8

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 15:05

Target

97fb6dbcc6cbf0c202142a7419534fe763f67ad4c70043dd1bb5a6690be00ba8.dll
Size

762KB
MD5

0cfb895d0aed770dee33b6db14c97f80
SHA1

cd8381d5ac4b3ad41efd2b6c06df261b0da7f4ab
SHA256

97fb6dbcc6cbf0c202142a7419534fe763f67ad4c70043dd1bb5a6690be00ba8
SHA512

13ecfe4bea81e4bde240968cf2b9fc1aed9f9e17c29e2fa3073f10c6963a054fe7dff75d8498b335ab192f7fd1d62afe58175da86aaf605a9d2a9352a8a96c3b
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q00:jDgtfRQUHPw06MoV2nwTBlhm8s

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 640	4972	rundll32.exe	80
PID 4972 wrote to memory of 640	4972	rundll32.exe	80
PID 4972 wrote to memory of 640	4972	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97fb6dbcc6cbf0c202142a7419534fe763f67ad4c70043dd1bb5a6690be00ba8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\97fb6dbcc6cbf0c202142a7419534fe763f67ad4c70043dd1bb5a6690be00ba8.dll,#1
  2⤵
  PID:640