yunsip | 7da29bce270c70442b4a5d11e3a06747a2a208a8b77b3993fc8f371b9594600c

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 00:35

Target

7da29bce270c70442b4a5d11e3a06747a2a208a8b77b3993fc8f371b9594600c.dll
Size

1.2MB
MD5

e6d905b1987409865b770b0a2a2348c9
SHA1

24ec693cb90f70a2a656999dce012d8b546e9c14
SHA256

7da29bce270c70442b4a5d11e3a06747a2a208a8b77b3993fc8f371b9594600c
SHA512

8c70f141ef075ea925a936e4e65d88119b195ab2b323e14183715dc6c236e55728261d632ee994c9b1096fc504036ffb54dada34ff00fb3bbe46fa427c11640e
SSDEEP

12288:jDgN6MoIwT3qOOOOOOOOOOOOOOOOOOOOOOz:jTtT3qOOOOOOOOOOOOOOOOOOOOOOz

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3896	4160	rundll32.exe	82
PID 4160 wrote to memory of 3896	4160	rundll32.exe	82
PID 4160 wrote to memory of 3896	4160	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7da29bce270c70442b4a5d11e3a06747a2a208a8b77b3993fc8f371b9594600c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7da29bce270c70442b4a5d11e3a06747a2a208a8b77b3993fc8f371b9594600c.dll,#1
  2⤵
  PID:3896