yunsip | 8dfe7f792929d71a9700d1a381ac63e82500b6f7b79fd030c699cf30db02308b

Analysis

max time kernel
162s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 00:03

Target

8dfe7f792929d71a9700d1a381ac63e82500b6f7b79fd030c699cf30db02308b.dll
Size

767KB
MD5

8a79c4afa6382b7c76cac3feaef85975
SHA1

daf57719e48d11c7a5bce7181bf8125627d4a71d
SHA256

8dfe7f792929d71a9700d1a381ac63e82500b6f7b79fd030c699cf30db02308b
SHA512

3d5a04ce54870ccf2d401d83cdab3ce6d65a6d36f4966ea20643e6ef701a5f9d5a3c9b22eef13d34087f56820312b65ce17ec9248bf69a9dfd1d15a5557680bf
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYM:o6RI1Fo/wT3cJYYYYYYYYYYYYM

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4576	3964	rundll32.exe	90
PID 3964 wrote to memory of 4576	3964	rundll32.exe	90
PID 3964 wrote to memory of 4576	3964	rundll32.exe	90

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dfe7f792929d71a9700d1a381ac63e82500b6f7b79fd030c699cf30db02308b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dfe7f792929d71a9700d1a381ac63e82500b6f7b79fd030c699cf30db02308b.dll,#1
  2⤵
  PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1812