yunsip | 03befcdb8d94be58b48692779bf7465b3111a4602bbaaf3bf02963b52eae10ff

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 17:13

Target

03befcdb8d94be58b48692779bf7465b3111a4602bbaaf3bf02963b52eae10ff.dll
Size

185KB
MD5

365108df170fffeafec6b0a4b468f4ca
SHA1

e671672af5b64c796ca9fc35bd261691409b28b0
SHA256

03befcdb8d94be58b48692779bf7465b3111a4602bbaaf3bf02963b52eae10ff
SHA512

a5e67cafded9223408add223580310967778600533550cfec2334857721b827608e01f3ab71c311bf9c1a50cdefcae119dc4fa74de48a195ac60003b1e7ebde3
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0L:jDgtfRQUHPw06MoV2nwTBlhm8z

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3984	2228	rundll32.exe	96
PID 2228 wrote to memory of 3984	2228	rundll32.exe	96
PID 2228 wrote to memory of 3984	2228	rundll32.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03befcdb8d94be58b48692779bf7465b3111a4602bbaaf3bf02963b52eae10ff.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\03befcdb8d94be58b48692779bf7465b3111a4602bbaaf3bf02963b52eae10ff.dll,#1
  2⤵
  PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4668