yunsip | 3e7ad72cfab2a91befb65bc76a25cf9f388e38e347a36aafaeb6b9eaeff110e4

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 20:53

Target

3e7ad72cfab2a91befb65bc76a25cf9f388e38e347a36aafaeb6b9eaeff110e4.dll
Size

769KB
MD5

a0791849b0f3ba49283f591f1b861a75
SHA1

a00f22860508dcc7812b4a0aaf27da52fcd28293
SHA256

3e7ad72cfab2a91befb65bc76a25cf9f388e38e347a36aafaeb6b9eaeff110e4
SHA512

cea219f6960a92e3b94bf858da0e30cec223b5ac0868106d705546a303a4542016f90f0f67343d88a01bf58345af7a22e3349ab0db0b2d84a1c511b8032a3614
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYK:o6RI1Fo/wT3cJYYYYYYYYYYYYK

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3672 wrote to memory of 4764	3672	rundll32.exe	rundll32.exe
PID 3672 wrote to memory of 4764	3672	rundll32.exe	rundll32.exe
PID 3672 wrote to memory of 4764	3672	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e7ad72cfab2a91befb65bc76a25cf9f388e38e347a36aafaeb6b9eaeff110e4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e7ad72cfab2a91befb65bc76a25cf9f388e38e347a36aafaeb6b9eaeff110e4.dll,#1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4604