yunsip | ac5ae3a58ee96e3cdff501e081b73a4ba8ff8f0ac1eca2bf07f08f5a8f749181

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 06:55

Target

49743fcb2e027d6e389d9b5aaa0b55e0_NeikiAnalytics.dll
Size

624KB
MD5

49743fcb2e027d6e389d9b5aaa0b55e0
SHA1

82b9cc0a862802471aad899c53d7bb3d3dc49382
SHA256

ac5ae3a58ee96e3cdff501e081b73a4ba8ff8f0ac1eca2bf07f08f5a8f749181
SHA512

94b25794460feb41b953c0f2531a1a33484d952e77d8d3a3be19fed952ae18b2ea297e59063e052f277108adaef0e2b3c7550ebaca10bac2ada3e167171f3175
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYJ:o6RI1Fo/wT3cJYYYYYYYYYYYYJ

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2388	1448	rundll32.exe	93
PID 1448 wrote to memory of 2388	1448	rundll32.exe	93
PID 1448 wrote to memory of 2388	1448	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49743fcb2e027d6e389d9b5aaa0b55e0_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\49743fcb2e027d6e389d9b5aaa0b55e0_NeikiAnalytics.dll,#1
  2⤵
  PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3608