yunsip | 762ccea2c53ba132997f8632030e076494c0d8d77bdc8200289105cfafd8786d

Analysis

max time kernel
34s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:45

Target

762ccea2c53ba132997f8632030e076494c0d8d77bdc8200289105cfafd8786d.dll
Size

228KB
MD5

9c6f19654624c466c6b3539e7a1acd58
SHA1

a12f6e16fe3fa17f3e7fe60bd16cb58ec31f2b51
SHA256

762ccea2c53ba132997f8632030e076494c0d8d77bdc8200289105cfafd8786d
SHA512

7a82a7d472bd13ef5bb8f3bd762d5659082eabdb4b7984c9beaf079c6b36da95ac8f95312dee8e3851e517a112fbe2bbc6eb0ae2d4aa5f412bfb979753848b39
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0N:jDgtfRQUHPw06MoV2nwTBlhm8F

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27
PID 1112 wrote to memory of 1136	1112	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\762ccea2c53ba132997f8632030e076494c0d8d77bdc8200289105cfafd8786d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\762ccea2c53ba132997f8632030e076494c0d8d77bdc8200289105cfafd8786d.dll,#1
  2⤵
  PID:1136

memory/1136-55-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download