yunsip | 749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778

Analysis

max time kernel
24s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:54

Target

749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778.dll
Size

249KB
MD5

6988b6d11cb1427fe3380a024bc99d16
SHA1

72f908656fe4d17c4e79b2b0c5355e5a173d6f18
SHA256

749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778
SHA512

742e73def3d691e1b88b064be296cd9e62a9e43eb737a4083824e596bd5bd6e073adcbec3584d5851bd0f928ed2b818e37c374029ae15524bcd774c62dc2a025
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0k:jDgtfRQUHPw06MoV2nwTBlhm8M

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe
PID 1932 wrote to memory of 2008	1932	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\749a0eb81a7fb2c9f1bcac521be52b63fc01d7f28ec93a422cd924e0c76d9778.dll,#1
2⤵
PID:2008

memory/2008-54-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download