yunsip | cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1

Analysis

max time kernel
163s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 21:59

Target

cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1.dll
Size

317KB
MD5

33dfb1986a1003f8d7fcb91804ba1988
SHA1

b4c1f201cf24c9b23dfc1e4572d831d6fdeab69a
SHA256

cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1
SHA512

b5372d098ce593b5e239e74622daf18650f55c0d80ae49bbb4ea3961d0f0ae11eb90cb6a59396e8c70bbb7ed70fb0a78d0fa65ec6cec32a29fef982b2f991a1c
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q08:jDgtfRQUHPw06MoV2nwTBlhm8k

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4456	4020	rundll32.exe	82
PID 4020 wrote to memory of 4456	4020	rundll32.exe	82
PID 4020 wrote to memory of 4456	4020	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd7caf601f2621dbff929f67d15a49c482f66cf348bfb8ab7a273b35632a76e1.dll,#1
  2⤵
  PID:4456