yunsip | dd1f709e758d60539cc0c967384c915b64596cf5af86be4cc912397da6870646

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 01:17

Target

dd1f709e758d60539cc0c967384c915b64596cf5af86be4cc912397da6870646.dll
Size

612KB
MD5

978d363476f3224d8509ba9a894185d6
SHA1

6b67bcc9a77e515b06ee3966ffc9f25a2e701e9b
SHA256

dd1f709e758d60539cc0c967384c915b64596cf5af86be4cc912397da6870646
SHA512

a86cc8b3f77d4fff0da6e37c3009090f98603eb4a4e91d15d8e5078e6dd93c75e87a3d35f0242920efeee8a58e92c4a3ccc506659e81b52f6c53afa5c3de276b
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYW:o6RI1Fo/wT3cJYYYYYYYYYYYYW

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1112	5032	rundll32.exe	93
PID 5032 wrote to memory of 1112	5032	rundll32.exe	93
PID 5032 wrote to memory of 1112	5032	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd1f709e758d60539cc0c967384c915b64596cf5af86be4cc912397da6870646.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd1f709e758d60539cc0c967384c915b64596cf5af86be4cc912397da6870646.dll,#1
  2⤵
  PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:820