yunsip | d786520ee49e66d61e55f40fbf60e7d9bd79148589a1bfa9d9e2d1cc6ae539c7

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 23:47

Target

d786520ee49e66d61e55f40fbf60e7d9bd79148589a1bfa9d9e2d1cc6ae539c7.dll
Size

299KB
MD5

24a24158f68ccaa514bd4502f1ccf940
SHA1

c3a76de5b5e4980d70411d9e9da0f75e1eef13e3
SHA256

d786520ee49e66d61e55f40fbf60e7d9bd79148589a1bfa9d9e2d1cc6ae539c7
SHA512

b690745761b8b7f747faf934f2788d7d04b537739764822aa3dc69b67d1d9752f786acfabcdb9f8a0e3884ff3af677d8e1b4e81f5f0693f7aa052ea4ee43b4c3
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDR:o6C5AXbMn7UI1FoV2gwTBlrIckP7

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 1692	1900	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d786520ee49e66d61e55f40fbf60e7d9bd79148589a1bfa9d9e2d1cc6ae539c7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d786520ee49e66d61e55f40fbf60e7d9bd79148589a1bfa9d9e2d1cc6ae539c7.dll,#1
2⤵
PID:1692

memory/1692-54-0x0000000000000000-mapping.dmp

Download
memory/1692-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download