yunsip | a575d615df8bfbaa6ee4ce8967d86239ced7df713cffe97fa379f4555d506620

Analysis

max time kernel
187s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 08:42

Target

a575d615df8bfbaa6ee4ce8967d86239ced7df713cffe97fa379f4555d506620.dll
Size

413KB
MD5

42095a27c6261fa58973d2fd5a7544af
SHA1

7a97ab6c0ff5749b02e1412f78d0376375192f82
SHA256

a575d615df8bfbaa6ee4ce8967d86239ced7df713cffe97fa379f4555d506620
SHA512

77c9b1e542bfc1e2b4bd91b8bb2cda53daf2ea0cbbb615d640700fdcbfef510fc8d1d384b44637ebfaf06d64fca55776f252384f26850f6b1419df04db4be40c
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0A:jDgtfRQUHPw06MoV2nwTBlhm84

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 5016	1192	rundll32.exe	82
PID 1192 wrote to memory of 5016	1192	rundll32.exe	82
PID 1192 wrote to memory of 5016	1192	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a575d615df8bfbaa6ee4ce8967d86239ced7df713cffe97fa379f4555d506620.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a575d615df8bfbaa6ee4ce8967d86239ced7df713cffe97fa379f4555d506620.dll,#1
  2⤵
  PID:5016