yunsip | 31a62a4c480d1d124e3c23e6419806a154573381fdc7b9ab6573ac7ea405b139

Analysis

max time kernel
227s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:56

Target

31a62a4c480d1d124e3c23e6419806a154573381fdc7b9ab6573ac7ea405b139.dll
Size

364KB
MD5

08f94b7ef14f1afa30170c57e3a604a0
SHA1

cf77d2b481e37c8c7393c53c80f652184e6a3259
SHA256

31a62a4c480d1d124e3c23e6419806a154573381fdc7b9ab6573ac7ea405b139
SHA512

b81d6c5d0dd3ccc3984406c9543e1d12683f3c205a54c7a8ee5d7625f4269468f00939e2aff8b2be2892ca8db5b8de9bdd42121da3d2089b2b806f02196270f5
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0k:jDgtfRQUHPw06MoV2nwTBlhm8c

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28
PID 1028 wrote to memory of 2036	1028	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\31a62a4c480d1d124e3c23e6419806a154573381fdc7b9ab6573ac7ea405b139.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\31a62a4c480d1d124e3c23e6419806a154573381fdc7b9ab6573ac7ea405b139.dll,#1
  2⤵
  PID:2036

memory/2036-55-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download