yunsip | 168f29f10d9d5bace166fe82fe0ae1d63e4de0658bc21e606e615e34f4555ab2

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 17:43

Target

168f29f10d9d5bace166fe82fe0ae1d63e4de0658bc21e606e615e34f4555ab2.dll
Size

181KB
MD5

2b158e10981db4362648ff36f5050a32
SHA1

3c7559077170be28f204722fced4508626cca3ec
SHA256

168f29f10d9d5bace166fe82fe0ae1d63e4de0658bc21e606e615e34f4555ab2
SHA512

df169a20551cc5e30a0b258b96641486a9404d49f8f397177a6f37738430ab8cca8b8a245a5572a7cca69d2a6bb87afeb0edaaf701e025e16837c8ad681beff7
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0R:jDgtfRQUHPw06MoV2nwTBlhm8Z

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 4204	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 4204	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 4204	2028	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\168f29f10d9d5bace166fe82fe0ae1d63e4de0658bc21e606e615e34f4555ab2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\168f29f10d9d5bace166fe82fe0ae1d63e4de0658bc21e606e615e34f4555ab2.dll,#1
2⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:1952