yunsip | 27b1af39137fcb63d95d172f8a2480b4fa19bd87cacdbcf047039e164390b8bf

Analysis

max time kernel
240s
max time network
282s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:24

Target

NEAS.9ec65ce7de9c5a045cac2743649f8fd0.dll
Size

1022KB
MD5

9ec65ce7de9c5a045cac2743649f8fd0
SHA1

dfaf3175c126e9ae9c414a66ae0dbff2041a985e
SHA256

27b1af39137fcb63d95d172f8a2480b4fa19bd87cacdbcf047039e164390b8bf
SHA512

e2f1653d4ce1cbe50e6f4d0938b1534e09cceb1e445c0860db9c49416e7495f737455342edc8738193668328c3333d40b7d394b147c07ea48d7c40bd89b852c8
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYy:o6RI1Fo/wT3cJYYYYYYYYYYYYy

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27
PID 2840 wrote to memory of 2288	2840	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.9ec65ce7de9c5a045cac2743649f8fd0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.9ec65ce7de9c5a045cac2743649f8fd0.dll,#1
  2⤵
  PID:2288