yunsip | 27f2ca99bb8d0c16ec5fdcd954512275fa4a9746ab4880fbf7239b7a31728885

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:32

Target

NEAS.9664e12fa47c1343e869f47ed6016520.dll
Size

721KB
MD5

9664e12fa47c1343e869f47ed6016520
SHA1

2cccbb9feb628f00f822106992cd67a378528dbf
SHA256

27f2ca99bb8d0c16ec5fdcd954512275fa4a9746ab4880fbf7239b7a31728885
SHA512

f9c5b396e65379344808908280411b66a61a3f3b1b7c52bac66eda86cefb39782e430291c91cdd78c69ed951788a4e2abd25ba0f926c9463bc36366792f96e11
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYc:o6RI1Fo/wT3cJYYYYYYYYYYYYc

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2956	2804	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.9664e12fa47c1343e869f47ed6016520.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.9664e12fa47c1343e869f47ed6016520.dll,#1
  2⤵
  PID:2956