yunsip | 10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e

Analysis

max time kernel
3s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 23:22

Target

10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e.dll
Size

235KB
MD5

5cd727e841ec16a5518faed39b5789a0
SHA1

a58a64b93068997c5bcbd0c6df788658116e64d2
SHA256

10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e
SHA512

05561c772026ea519e8750cffcb7786761213787196c6e6a6778f52023e008248cf30f74177549d4616ef9a976d037a45a7448a4a61de50a610485f8cc4aa341
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q07:jDgtfRQUHPw06MoV2nwTBlhm8D

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 584	772	rundll32.exe	28
PID 772 wrote to memory of 584	772	rundll32.exe	28
PID 772 wrote to memory of 584	772	rundll32.exe	28
PID 772 wrote to memory of 584	772	rundll32.exe	28
PID 772 wrote to memory of 584	772	rundll32.exe	28
PID 772 wrote to memory of 584	772	rundll32.exe	28
PID 772 wrote to memory of 584	772	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e.dll,#1
  2⤵
  PID:584

memory/584-55-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download