yunsip | dbf262eb236b79628f71b99d75d1310de48704bad08c0413f5220bc8d1bff09c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 22:03

Target

70e5a6665b8b1ca95582faa2cccb9310_NeikiAnalytics.dll
Size

622KB
MD5

70e5a6665b8b1ca95582faa2cccb9310
SHA1

0f2cbc26366a9e365c8e15a2c07fc2ad174dfcdb
SHA256

dbf262eb236b79628f71b99d75d1310de48704bad08c0413f5220bc8d1bff09c
SHA512

2e7942326690d82aa835134e2e2566034b2d81dc643fa3c5266948b6e96648ab7b2c3725cb1a4aed31cd6d0b4b805adea53efbb2b9b7d5e77b9d0a2c3594c44e
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYA:o6RI1Fo/wT3cJYYYYYYYYYYYYA

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28
PID 1704 wrote to memory of 1440	1704	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70e5a6665b8b1ca95582faa2cccb9310_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\70e5a6665b8b1ca95582faa2cccb9310_NeikiAnalytics.dll,#1
  2⤵
  PID:1440