yunsip | cf9b4b9769c8634cfa0d47be91cd1f7a6ff0d717d105e6db9b1d23f04d5d5709

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:50

Target

cf9b4b9769c8634cfa0d47be91cd1f7a6ff0d717d105e6db9b1d23f04d5d5709.dll
Size

324KB
MD5

b4a3b1e6c0ec6da0f026172ea91a3dc0
SHA1

701f011f57980e716b55c5cc771ce2232e01aee5
SHA256

cf9b4b9769c8634cfa0d47be91cd1f7a6ff0d717d105e6db9b1d23f04d5d5709
SHA512

ff5d7717fc9cf30d0d6be037e56b7b92531c9ff5494909842d507c307149721dc04ce626f061ec877e79ae34963e60001c345e3bec061ee5eeea3049aa1f219a
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0c:jDgtfRQUHPw06MoV2nwTBlhm8E

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1700	1368	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf9b4b9769c8634cfa0d47be91cd1f7a6ff0d717d105e6db9b1d23f04d5d5709.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf9b4b9769c8634cfa0d47be91cd1f7a6ff0d717d105e6db9b1d23f04d5d5709.dll,#1
2⤵
PID:1700

memory/1700-54-0x0000000000000000-mapping.dmp

Download
memory/1700-55-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download