yunsip | 1f4c2415b407acbcf1770e9f56d6c9570e3cfd390d03e311470d8687fa92acc7

Analysis

max time kernel
26s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 03:20

Target

1f4c2415b407acbcf1770e9f56d6c9570e3cfd390d03e311470d8687fa92acc7.dll
Size

351KB
MD5

15eb9c60887b5a84c17c77b6534e2c70
SHA1

a2243781315365a49e17ab4193c0f1be231cfb3a
SHA256

1f4c2415b407acbcf1770e9f56d6c9570e3cfd390d03e311470d8687fa92acc7
SHA512

917fb2d5179278ea28d8c80beb0b8a9df6353e97af32e7b305ab616e5628a1bb63c1bd7ae658828b08d8e4542358c026472299dab29c7494928933160de3c2de
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDp:o6C5AXbMn7UI1FoV2gwTBlrIckP7

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 996	1904	rundll32.exe	27
PID 1904 wrote to memory of 996	1904	rundll32.exe	27
PID 1904 wrote to memory of 996	1904	rundll32.exe	27
PID 1904 wrote to memory of 996	1904	rundll32.exe	27
PID 1904 wrote to memory of 996	1904	rundll32.exe	27
PID 1904 wrote to memory of 996	1904	rundll32.exe	27
PID 1904 wrote to memory of 996	1904	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f4c2415b407acbcf1770e9f56d6c9570e3cfd390d03e311470d8687fa92acc7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f4c2415b407acbcf1770e9f56d6c9570e3cfd390d03e311470d8687fa92acc7.dll,#1
  2⤵
  PID:996

memory/996-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download