yunsip | dee8670f692ddccff91c41a0fb0046fca861eb181aa3863624fa884b749809c1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 23:04

Target

2557a956af76f7f0fb9f075f8a0aa620_NeikiAnalytics.dll
Size

661KB
MD5

2557a956af76f7f0fb9f075f8a0aa620
SHA1

9533852ea0214ad3bb01dc13cc158f6f5d64a565
SHA256

dee8670f692ddccff91c41a0fb0046fca861eb181aa3863624fa884b749809c1
SHA512

723f405a71ca541061901e4c98fa01c69821e550ca6fc4bf3c9063c9f828b9bd23e57874beaf5ad756addabfe27718c66f7d319505a6d32686e8e92efa18e614
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYc:o6RI1Fo/wT3cJYYYYYYYYYYYYc

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 2128	1660	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2557a956af76f7f0fb9f075f8a0aa620_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2557a956af76f7f0fb9f075f8a0aa620_NeikiAnalytics.dll,#1
2⤵
PID:2128