yunsip | 9ead68bcd4cc823b0ca243da1f7ecc986d1e1e9ec1c8d01a913017e7c40ac1c4

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 10:04

Target

9ead68bcd4cc823b0ca243da1f7ecc986d1e1e9ec1c8d01a913017e7c40ac1c4.dll
Size

336KB
MD5

41e20c5b92cfcf712baa88645e9de3ea
SHA1

eb5c180e4121f4079c26a3170a6946df9dd255cd
SHA256

9ead68bcd4cc823b0ca243da1f7ecc986d1e1e9ec1c8d01a913017e7c40ac1c4
SHA512

9f6d6812dfc4bacbbe721d05b1f7858077df6b4b795d6b202c1adef24199733d16c227e1f88263797503124d0fd0e4bbd9ba9d8a81fa82ee9e8d16c27674005e
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0o:jDgtfRQUHPw06MoV2nwTBlhm8w

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1480	1448	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ead68bcd4cc823b0ca243da1f7ecc986d1e1e9ec1c8d01a913017e7c40ac1c4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ead68bcd4cc823b0ca243da1f7ecc986d1e1e9ec1c8d01a913017e7c40ac1c4.dll,#1
2⤵
PID:1480

memory/1480-54-0x0000000000000000-mapping.dmp

Download
memory/1480-55-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download