yunsip | dbf262eb236b79628f71b99d75d1310de48704bad08c0413f5220bc8d1bff09c

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 22:03

Target

70e5a6665b8b1ca95582faa2cccb9310_NeikiAnalytics.dll
Size

622KB
MD5

70e5a6665b8b1ca95582faa2cccb9310
SHA1

0f2cbc26366a9e365c8e15a2c07fc2ad174dfcdb
SHA256

dbf262eb236b79628f71b99d75d1310de48704bad08c0413f5220bc8d1bff09c
SHA512

2e7942326690d82aa835134e2e2566034b2d81dc643fa3c5266948b6e96648ab7b2c3725cb1a4aed31cd6d0b4b805adea53efbb2b9b7d5e77b9d0a2c3594c44e
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYA:o6RI1Fo/wT3cJYYYYYYYYYYYYA

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3592 wrote to memory of 3212	3592	rundll32.exe	rundll32.exe
PID 3592 wrote to memory of 3212	3592	rundll32.exe	rundll32.exe
PID 3592 wrote to memory of 3212	3592	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70e5a6665b8b1ca95582faa2cccb9310_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\70e5a6665b8b1ca95582faa2cccb9310_NeikiAnalytics.dll,#1
  2⤵
  PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:2036