yunsip | fc95ab52b972ce0076904332e06c190407916bddd17d694e2fe64ea54cf4e16f

Analysis

max time kernel
140s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 06:34

Target

fc95ab52b972ce0076904332e06c190407916bddd17d694e2fe64ea54cf4e16f.dll
Size

605KB
MD5

73a53666479c63c75801e6dfb52c8aea
SHA1

374bd2984cd5c7360946fefb290d268bf2f9c5c1
SHA256

fc95ab52b972ce0076904332e06c190407916bddd17d694e2fe64ea54cf4e16f
SHA512

29a11f6be1caa99d6408e58564556e9257e8091b81b2bc16fafb5d63eca1795ba8431fb77fb8d8d91407ccbdb25c4a84cf49ed9c2fc5e89ed3eb15b8f2d5da54
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYm:o6RI1Fo/wT3cJYYYYYYYYYYYYm

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1856	3532	rundll32.exe	91
PID 3532 wrote to memory of 1856	3532	rundll32.exe	91
PID 3532 wrote to memory of 1856	3532	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc95ab52b972ce0076904332e06c190407916bddd17d694e2fe64ea54cf4e16f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc95ab52b972ce0076904332e06c190407916bddd17d694e2fe64ea54cf4e16f.dll,#1
  2⤵
  PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:572