yunsip | 739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2022 16:16

Target

739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d.dll
Size

679KB
MD5

0ba88b28a3603f1702e4cf2db0aca8d0
SHA1

2d1846b8889ce9195cfcb1568a4626f763ca346e
SHA256

739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d
SHA512

43e426afe17e0b9527a5296f252db966e81efb089c54c082c703a9f7bd57373cedbe0350e362b1d1223bf22c192390384c38a0a1da810719176052449be30583
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDQ:o6C5AXbMn7UI1FoV2gwTBlrIckPm

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3564	4216	rundll32.exe	80
PID 4216 wrote to memory of 3564	4216	rundll32.exe	80
PID 4216 wrote to memory of 3564	4216	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d.dll,#1
  2⤵
  PID:3564