yunsip | 22fec6cbf94378c83c02cc24d8cfae5f22e9ed60addbf8f9f2507b35b4d002f7

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 19:30

Target

22fec6cbf94378c83c02cc24d8cfae5f22e9ed60addbf8f9f2507b35b4d002f7.dll
Size

515KB
MD5

4213f5e7a5f1638f13a8a41652b5055e
SHA1

7c10369c5efba5dd74377cb09c572ad6a1169519
SHA256

22fec6cbf94378c83c02cc24d8cfae5f22e9ed60addbf8f9f2507b35b4d002f7
SHA512

da90b88f951b40727bb0539172aac2d0d31a955a3dbb9b5dcf78cd98ce345cacb72952c45807f33b096ecd95a82723a0880a9bde4a05a464cb1d4bd9006da050
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0O:jDgtfRQUHPw06MoV2nwTBlhm8m

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3144 wrote to memory of 60	3144	rundll32.exe	rundll32.exe
PID 3144 wrote to memory of 60	3144	rundll32.exe	rundll32.exe
PID 3144 wrote to memory of 60	3144	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22fec6cbf94378c83c02cc24d8cfae5f22e9ed60addbf8f9f2507b35b4d002f7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22fec6cbf94378c83c02cc24d8cfae5f22e9ed60addbf8f9f2507b35b4d002f7.dll,#1
2⤵
PID:60