yunsip | 1a7324389128d47b3f281d380e60adf2db1f2a6b4fe788c47bfc894b700fc123

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 10:05

Target

1a7324389128d47b3f281d380e60adf2db1f2a6b4fe788c47bfc894b700fc123.dll
Size

752KB
MD5

31f76fecf08a93e9b82ee858089c3960
SHA1

444ed07d4916f0b1d232c975a635170cc78d5f25
SHA256

1a7324389128d47b3f281d380e60adf2db1f2a6b4fe788c47bfc894b700fc123
SHA512

2d1ef65202389751cda78c849c11a06fde9b7342aaf12283de2d4f39e8ac6e2f8b1e95920b1a98b0dc129cc71796cc76bd98a729e41b0ed60447249c1cab7305
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0N:jDgtfRQUHPw06MoV2nwTBlhm8V

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1760	852	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a7324389128d47b3f281d380e60adf2db1f2a6b4fe788c47bfc894b700fc123.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a7324389128d47b3f281d380e60adf2db1f2a6b4fe788c47bfc894b700fc123.dll,#1
2⤵
PID:1760

memory/1760-54-0x0000000000000000-mapping.dmp

Download
memory/1760-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download