yunsip | e5f241338456d8bb21f5e5cd1cb39ffe64ecadfc09dd3003afcc14fa48150556

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:21

Target

e5f241338456d8bb21f5e5cd1cb39ffe64ecadfc09dd3003afcc14fa48150556.dll
Size

704KB
MD5

09ca79ea116cddbbb6939426481adde0
SHA1

74bac539c9172128f45900cc2a14d4063e7cc6f4
SHA256

e5f241338456d8bb21f5e5cd1cb39ffe64ecadfc09dd3003afcc14fa48150556
SHA512

41deaa702a3602812dbfd023b8bda80f88bb93f9b6de2f7f249bed3dd57e61031421f125892a35594577b732dc0aa533a779ed011d8415bfc80be7e3ef8991e8
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDW:o6C5AXbMn7UI1FoV2gwTBlrIckPI

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 1148	604	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f241338456d8bb21f5e5cd1cb39ffe64ecadfc09dd3003afcc14fa48150556.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f241338456d8bb21f5e5cd1cb39ffe64ecadfc09dd3003afcc14fa48150556.dll,#1
2⤵
PID:1148

memory/1148-54-0x0000000000000000-mapping.dmp

Download
memory/1148-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download