yunsip | 7a68663cbd952285199edf4ba458a5a17605b248254502c6ab8e6c1d993fbdda

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 23:59

Target

588c3cf5bee608ad5b553fe397525fd0_NeikiAnalytics.dll
Size

642KB
MD5

588c3cf5bee608ad5b553fe397525fd0
SHA1

5763bba4b0ac60c1e41fdd73b5face0ff3e1ccf6
SHA256

7a68663cbd952285199edf4ba458a5a17605b248254502c6ab8e6c1d993fbdda
SHA512

6c8f83b65fdb72db7925ba683cecdd393b7c1695fe542d7d9826319ef591437398cb25329f4eebddbbf91585b56022fdbf6a2ffcd9ef90583d34e9c5d14ae923
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0x:jDgtfRQUHPw06MoV2nwTBlhm8p

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4268	868	rundll32.exe	91
PID 868 wrote to memory of 4268	868	rundll32.exe	91
PID 868 wrote to memory of 4268	868	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\588c3cf5bee608ad5b553fe397525fd0_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\588c3cf5bee608ad5b553fe397525fd0_NeikiAnalytics.dll,#1
  2⤵
  PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:2252