yunsip | 10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e

Analysis

max time kernel
147s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 23:22

Target

10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e.dll
Size

235KB
MD5

5cd727e841ec16a5518faed39b5789a0
SHA1

a58a64b93068997c5bcbd0c6df788658116e64d2
SHA256

10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e
SHA512

05561c772026ea519e8750cffcb7786761213787196c6e6a6778f52023e008248cf30f74177549d4616ef9a976d037a45a7448a4a61de50a610485f8cc4aa341
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q07:jDgtfRQUHPw06MoV2nwTBlhm8D

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1516 wrote to memory of 5080	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 5080	1516	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 5080	1516	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ac27835003b05644aff4f4959a4f7f9785c16c3037340db8ad8542d481e50e.dll,#1
2⤵
PID:5080