yunsip | 546eb54977d90e8ab142a20f83ce013a9da48fc37433033d91bfbd40404e03c8

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2022 13:39

Target

546eb54977d90e8ab142a20f83ce013a9da48fc37433033d91bfbd40404e03c8.dll
Size

455KB
MD5

5799550bd059c4947dd54f713afe3289
SHA1

af5be036efeaa79f2c81bdb9ebdec1bcc5bf330f
SHA256

546eb54977d90e8ab142a20f83ce013a9da48fc37433033d91bfbd40404e03c8
SHA512

e441da7a62447a89965dbfa564db9b6045b9983b738b620634bbb578b6511a2442d6d863bc93b71bcacb03b5334f6a880de74a735cc2d40e1f7ecbdbff203218
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDK:o6C5AXbMn7UI1FoV2gwTBlrIckP4

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4776	4948	rundll32.exe	85
PID 4948 wrote to memory of 4776	4948	rundll32.exe	85
PID 4948 wrote to memory of 4776	4948	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\546eb54977d90e8ab142a20f83ce013a9da48fc37433033d91bfbd40404e03c8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\546eb54977d90e8ab142a20f83ce013a9da48fc37433033d91bfbd40404e03c8.dll,#1
  2⤵
  PID:4776