yunsip | 6a39f101f52c356cc286ff2534317ea7b99571c7a5202a4a7da0217697a0788d

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 23:52

Target

6a39f101f52c356cc286ff2534317ea7b99571c7a5202a4a7da0217697a0788d.dll
Size

714KB
MD5

972f43aeaacb87a5ff3065792036f81f
SHA1

1d53f39a0e78ba39db3f49f13e48c82672d64d67
SHA256

6a39f101f52c356cc286ff2534317ea7b99571c7a5202a4a7da0217697a0788d
SHA512

7cca3719018ef1fcd8007b0803a91d574170ad2b0e133540cfc63596f02fc33dc208744ec2a87df197caa5a0f040a0c6c4d58df1ebbc31082ab11aa53ca4d6a3
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYk:o6RI1Fo/wT3cJYYYYYYYYYYYYk

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 4660	1188	rundll32.exe	89
PID 1188 wrote to memory of 4660	1188	rundll32.exe	89
PID 1188 wrote to memory of 4660	1188	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a39f101f52c356cc286ff2534317ea7b99571c7a5202a4a7da0217697a0788d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a39f101f52c356cc286ff2534317ea7b99571c7a5202a4a7da0217697a0788d.dll,#1
  2⤵
  PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:832