yunsip | 6de56a95e5a075e683b8c4a851ce703e765dc9ec2e3cbfe3af3730408a730b29

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 17:13

Target

6de56a95e5a075e683b8c4a851ce703e765dc9ec2e3cbfe3af3730408a730b29.dll
Size

677KB
MD5

2a884da315c063983b48fb600205c018
SHA1

e6584eaa1e33186ed9ac45702eb1e0a9c2ffa4a9
SHA256

6de56a95e5a075e683b8c4a851ce703e765dc9ec2e3cbfe3af3730408a730b29
SHA512

dfd7de9bb9df871561ed5923c5bba126e2bb693d2362f6d0356e5703d0e2992faaa978d668e923362b299efa5cf6a42b2bff9b705d22edbb033dd19aad48b945
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0Z:jDgtfRQUHPw06MoV2nwTBlhm8R

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5088 wrote to memory of 3292	5088	rundll32.exe	rundll32.exe
PID 5088 wrote to memory of 3292	5088	rundll32.exe	rundll32.exe
PID 5088 wrote to memory of 3292	5088	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6de56a95e5a075e683b8c4a851ce703e765dc9ec2e3cbfe3af3730408a730b29.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6de56a95e5a075e683b8c4a851ce703e765dc9ec2e3cbfe3af3730408a730b29.dll,#1
2⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4312