yunsip | e7b6455dadedb377bdb815dc52c9cd35fe6c149d15989cc98b2703a4b5ede945

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 02:19

Target

e7b6455dadedb377bdb815dc52c9cd35fe6c149d15989cc98b2703a4b5ede945.dll
Size

339KB
MD5

8cdca950c533d8609d907dd339945af3
SHA1

464e6a181aac696c712059eb33af619d38fd90de
SHA256

e7b6455dadedb377bdb815dc52c9cd35fe6c149d15989cc98b2703a4b5ede945
SHA512

3276ee2642497c0b8e4272c43b08f490ec3d35b44328ef2ce86b4c0b206a4a8cfcb57bd87838c0ba0d8b264c10072ef75429528cb5951cfe5bbca733f2b76950
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0F:jDgtfRQUHPw06MoV2nwTBlhm8N

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28
PID 2820 wrote to memory of 2940	2820	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7b6455dadedb377bdb815dc52c9cd35fe6c149d15989cc98b2703a4b5ede945.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7b6455dadedb377bdb815dc52c9cd35fe6c149d15989cc98b2703a4b5ede945.dll,#1
  2⤵
  PID:2940