yunsip | 3d0d7687f977c1640c836b08f194a7508d996e037d3bc57a9bdcac23753a32a3

Analysis

max time kernel
234s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 15:43

Target

3d0d7687f977c1640c836b08f194a7508d996e037d3bc57a9bdcac23753a32a3.dll
Size

416KB
MD5

cdd717d12ae8e22e65585f31dff6a640
SHA1

8d000d5119e709ac796496e17d496fa3397cc58b
SHA256

3d0d7687f977c1640c836b08f194a7508d996e037d3bc57a9bdcac23753a32a3
SHA512

8d0f6254e3427614a42dc3e29740b3944358c109c04aea7bf9a7dd684374097296b9cd5d413254eca06e91b7151acf4f118602d2c2018271d933081843e394d5
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDj:o6C5AXbMn7UI1FoV2gwTBlrIckPB

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1172	1632	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d0d7687f977c1640c836b08f194a7508d996e037d3bc57a9bdcac23753a32a3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d0d7687f977c1640c836b08f194a7508d996e037d3bc57a9bdcac23753a32a3.dll,#1
2⤵
PID:1172

memory/1172-54-0x0000000000000000-mapping.dmp

Download
memory/1172-55-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download