yunsip | d0ba2bd4d4df9b03521819b14f8c0f17afb43d88d16d8725aa948a8d46d40534

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:21

Target

d0ba2bd4d4df9b03521819b14f8c0f17afb43d88d16d8725aa948a8d46d40534.dll
Size

634KB
MD5

13962f530d12c8ecba9c1747a29f33e0
SHA1

ac4a117e12bfd28200cf5e123d1e09697ce047bc
SHA256

d0ba2bd4d4df9b03521819b14f8c0f17afb43d88d16d8725aa948a8d46d40534
SHA512

4fdb9de30d1e67992b4a5c417585ce1f36f7860eec85dc67e33dc137ca8a6b596667e7b57d7fcab0d378d1eeeb2e673db3140eb1218a173d32a7809061a49186
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDU:o6C5AXbMn7UI1FoV2gwTBlrIckPi

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1728	1812	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0ba2bd4d4df9b03521819b14f8c0f17afb43d88d16d8725aa948a8d46d40534.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0ba2bd4d4df9b03521819b14f8c0f17afb43d88d16d8725aa948a8d46d40534.dll,#1
2⤵
PID:1728

memory/1728-54-0x0000000000000000-mapping.dmp

Download
memory/1728-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download