yunsip | 6e0706b523a07a6166665406cee572ecb071a1bfe5d65ec94e3c2d70a0839c72

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 17:53

Target

NEAS.4a8de0761058e0b382df06eead1cc240.dll
Size

184KB
MD5

4a8de0761058e0b382df06eead1cc240
SHA1

edf9e931854246c11359cd5e30dd6dc0f544655c
SHA256

6e0706b523a07a6166665406cee572ecb071a1bfe5d65ec94e3c2d70a0839c72
SHA512

f3311d496b756cf87b08403084c5cb37afcd913471aa3bdb4bca5a1f87233119c78c0ea43872151b49f633b6451c41abf422c231e8970d49bdc65ba1ce885347
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0x:jDgtfRQUHPw06MoV2nwTBlhm8p

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe
PID 2692 wrote to memory of 2620	2692	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.4a8de0761058e0b382df06eead1cc240.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.4a8de0761058e0b382df06eead1cc240.dll,#1
  2⤵
  PID:2620