yunsip | 4388805b3402136c142866119b46a132a5e29dd5c1b98c2140f7b216064be31d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 19:28

Target

20566f106f3d371c05a58d752af4ff80_NeikiAnalytics.dll
Size

490KB
MD5

20566f106f3d371c05a58d752af4ff80
SHA1

f26952209056fb6fdb2efd3fcf12268ce502d9da
SHA256

4388805b3402136c142866119b46a132a5e29dd5c1b98c2140f7b216064be31d
SHA512

00a1f8a55ae66876cd937af312e33a0be1391674970791f6d5c82710375907a751a924495263a889c67dd33b47aa20eee339b9c9566dadfe722ccd41a040d567
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0G:jDgtfRQUHPw06MoV2nwTBlhm8e

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3588 wrote to memory of 4188	3588	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 4188	3588	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 4188	3588	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\20566f106f3d371c05a58d752af4ff80_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\20566f106f3d371c05a58d752af4ff80_NeikiAnalytics.dll,#1
2⤵
PID:4188