yunsip | f665f0a2d2a3bc7e0ae5ac03bf1eb6b95000e8dc91de0f6c7c1686e25fefd79d

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:21

Target

f665f0a2d2a3bc7e0ae5ac03bf1eb6b95000e8dc91de0f6c7c1686e25fefd79d.dll
Size

504KB
MD5

1674d14c8bf8f3839fb8ec8a288f6e20
SHA1

79719d869e9ecd4fe877894a3fa10705adb6d1f6
SHA256

f665f0a2d2a3bc7e0ae5ac03bf1eb6b95000e8dc91de0f6c7c1686e25fefd79d
SHA512

8a37bf1db86cbbf455170a7a189ae4dfc06052b16f93b3c24f2bb1d16e16cdb4ec8299b58d459419d8d8d2c0df649440a7faa6b100f04ddc4f0bea6489aa8af3
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDk:o6C5AXbMn7UI1FoV2gwTBlrIckPO

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 2016	2044	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f665f0a2d2a3bc7e0ae5ac03bf1eb6b95000e8dc91de0f6c7c1686e25fefd79d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f665f0a2d2a3bc7e0ae5ac03bf1eb6b95000e8dc91de0f6c7c1686e25fefd79d.dll,#1
2⤵
PID:2016

memory/2016-54-0x0000000000000000-mapping.dmp

Download
memory/2016-55-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download