yunsip | 59550f2ee68847ebbd53378d000602b31bd04da413eac0f68d1a7ac56eb66ff7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 21:53

Target

59550f2ee68847ebbd53378d000602b31bd04da413eac0f68d1a7ac56eb66ff7.dll
Size

1.1MB
MD5

2de3d35b90e6d091585ab1050f45e386
SHA1

889f7bb958a23f5767e9d6065e67b46b4f498395
SHA256

59550f2ee68847ebbd53378d000602b31bd04da413eac0f68d1a7ac56eb66ff7
SHA512

3feaac8e98eb7ddcbc702833a29733cd421363abe39539abacedf217dd496294d8277cb9dfd8331e6caa9da336ce6dfde725cfb25b2be58d0459ce74fbd021ea
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDR:o6C5AXbMn7UI1FoV2gwTBlrIckPj

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28
PID 2992 wrote to memory of 2076	2992	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59550f2ee68847ebbd53378d000602b31bd04da413eac0f68d1a7ac56eb66ff7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\59550f2ee68847ebbd53378d000602b31bd04da413eac0f68d1a7ac56eb66ff7.dll,#1
  2⤵
  PID:2076