yunsip | ed2a4a788ac132e84301a8ffcaa349ad96113e2537a527ab117f53c81d354085

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 17:21

Target

ed2a4a788ac132e84301a8ffcaa349ad96113e2537a527ab117f53c81d354085.dll
Size

759KB
MD5

1183d3b942708b53e0a2ecc394e951d0
SHA1

e9fad67672a0976ae7964ee20d1435c5b7f2a237
SHA256

ed2a4a788ac132e84301a8ffcaa349ad96113e2537a527ab117f53c81d354085
SHA512

c4fd0b3d1bcf14330a75c961a1e9ef291655b56a087f8749654017e470baaa2673576ab998b48c442fbbb0db8be6fee92a2c317bffbdb4ce53b447134b2e23a7
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDr:o6C5AXbMn7UI1FoV2gwTBlrIckPl

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1584	1364	rundll32.exe	83
PID 1364 wrote to memory of 1584	1364	rundll32.exe	83
PID 1364 wrote to memory of 1584	1364	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed2a4a788ac132e84301a8ffcaa349ad96113e2537a527ab117f53c81d354085.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed2a4a788ac132e84301a8ffcaa349ad96113e2537a527ab117f53c81d354085.dll,#1
  2⤵
  PID:1584