yunsip | 7e255dfec31311b7b1bd40573fd83feee8e972ff3a61ec4c99eaddd55f8fc15e

Analysis

max time kernel
252s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 08:07

Target

7e255dfec31311b7b1bd40573fd83feee8e972ff3a61ec4c99eaddd55f8fc15e.dll
Size

620KB
MD5

3a64b27b346aa6ba7f6ca133cc970c40
SHA1

ddeaae3aca11b540801ff7ee568fee321da6c072
SHA256

7e255dfec31311b7b1bd40573fd83feee8e972ff3a61ec4c99eaddd55f8fc15e
SHA512

05c045e029e321b8e2e8beb186cd2c4e6a42d3734bf1a5da2836a8f6f5e7de2df0eb592382d3f3d96472040bcea00ec05d368ca0e1b7c2da496d4c557aef5eeb
SSDEEP

3072:oDKpt9sSR0HUHPwZWLnWVfEAzV2INwTBftZmc+z+f3Q03:oDgtfRQUHPw06MoV2swTBlxm8/

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1468	4220	rundll32.exe	81
PID 4220 wrote to memory of 1468	4220	rundll32.exe	81
PID 4220 wrote to memory of 1468	4220	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e255dfec31311b7b1bd40573fd83feee8e972ff3a61ec4c99eaddd55f8fc15e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e255dfec31311b7b1bd40573fd83feee8e972ff3a61ec4c99eaddd55f8fc15e.dll,#1
  2⤵
  PID:1468