yunsip | 9f19cb96e25fd5eec8205571ef36254238216720e2f40858cd2c196fa7abb0db

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 19:14

Target

04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll
Size

617KB
MD5

04a79de582cc7c99d7cbf2678021c150
SHA1

093ceba0a2ea5939b9deb5a0868778275497d092
SHA256

9f19cb96e25fd5eec8205571ef36254238216720e2f40858cd2c196fa7abb0db
SHA512

26d32966152a4276ede86b9c8422038ea419fb68d8ca46c7f86e0f733877331c56a0cecdf55f8436150c2ff3d33d6b38cfde1e2974ec0d3c508c3c98a555a2cf
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYV:o6RI1Fo/wT3cJYYYYYYYYYYYYV

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28
PID 2820 wrote to memory of 2096	2820	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll,#1
  2⤵
  PID:2096