yunsip | d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a

Analysis

max time kernel
162s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 21:59

Target

d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a.dll
Size

200KB
MD5

bce60ef8fe41e9c4ad1312e28e922000
SHA1

b369a5144f86f5064a6307c17e6b4a039ad847d3
SHA256

d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a
SHA512

cd639a7ba7a48272d805959b064b69cdc23aa947dc72055ca32eb0a84a30e8d7fcd657f8f21a1f7e496e5e12425e495fc4dd1eee362a46a451b378b84fa6c472
SSDEEP

3072:ZDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q03:ZDgtfRQUHPw06MoV2nwTBlhm8P

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1268	1728	rundll32.exe	79
PID 1728 wrote to memory of 1268	1728	rundll32.exe	79
PID 1728 wrote to memory of 1268	1728	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d163d4765113fcf0a5c5e7a6e4d777082d10cf52db711afc698416ccb714b55a.dll,#1
  2⤵
  PID:1268