yunsip | a1966f628ae2489ac73b826a8f760883e4e12a9346dad4b945d47d73cb502892

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2022 16:16

Target

a1966f628ae2489ac73b826a8f760883e4e12a9346dad4b945d47d73cb502892.dll
Size

489KB
MD5

0e2bdb92920c966046b84b26d83ba620
SHA1

39fc03a47a6c7d3d300a2b4d30a13d56fabe6f4f
SHA256

a1966f628ae2489ac73b826a8f760883e4e12a9346dad4b945d47d73cb502892
SHA512

2fa24d590b6a2532ca47a02fbb5273a16b7c2b98849e75023fa9ddb126069c854a073718618849926f9fea565358455b0376fcb9febde0b653e726b858bb3731
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDT:o6C5AXbMn7UI1FoV2gwTBlrIckPV

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3196	3156	rundll32.exe	80
PID 3156 wrote to memory of 3196	3156	rundll32.exe	80
PID 3156 wrote to memory of 3196	3156	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1966f628ae2489ac73b826a8f760883e4e12a9346dad4b945d47d73cb502892.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1966f628ae2489ac73b826a8f760883e4e12a9346dad4b945d47d73cb502892.dll,#1
  2⤵
  PID:3196