yunsip | 8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 08:43

Target

8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16.dll
Size

209KB
MD5

1cf8f0a7d0ec06561c2135e2f527c705
SHA1

6ce3fc29d7b26115ce7b5967b2cebce7064fc640
SHA256

8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16
SHA512

c6c91a771104f5cf33bcb7a0727244c9bda17acfb2ece342677de740bb641c492b815bd6d5b5a309593bc77362c66f62d07fd45cd8e95a1e849f4cc902c4862f
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0T:jDgtfRQUHPw06MoV2nwTBlhm8L

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4208	2164	rundll32.exe	80
PID 2164 wrote to memory of 4208	2164	rundll32.exe	80
PID 2164 wrote to memory of 4208	2164	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f0af7aaeec74445d2eed7aafaa3953918149bc714bbf8cb13a721ca0b469f16.dll,#1
  2⤵
  PID:4208