yunsip | 354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 18:54

Target

354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a.dll
Size

737KB
MD5

3f922f03ad1079988ee73564861764fa
SHA1

115a232205c030eb0632e938fc6ef0c20fe36373
SHA256

354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a
SHA512

ad1f7b31c5119a125d2b1c0e3cf11b808375d459a97a0d3363d9e71a787e9db5d5adb2282d14da5e422e46bc552abda6b2c529d36391dc26a355cf1a1b607e9d
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYG:o6RI1Fo/wT3cJYYYYYYYYYYYYG

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4384	1420	rundll32.exe	96
PID 1420 wrote to memory of 4384	1420	rundll32.exe	96
PID 1420 wrote to memory of 4384	1420	rundll32.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\354f5d2ab8051c82e457800a19a7fca42857a10db2ce7cda10978884f026cf7a.dll,#1
  2⤵
  PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4760