yunsip | ca16826a60648bde7e5bfef4a7e7f8cd43b7d463e585171e7b08c90b6d721e0f

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 14:21

Target

c3866488eba95df803944be97fcfe960_NeikiAnalytics.dll
Size

1.2MB
MD5

c3866488eba95df803944be97fcfe960
SHA1

9647bc104281aea48a1fe4e872fe38a2f954a4f1
SHA256

ca16826a60648bde7e5bfef4a7e7f8cd43b7d463e585171e7b08c90b6d721e0f
SHA512

691e741c1af463282280071a3267c8e40a840d2b9e0cdcc8f73b86cc8f2514590e7fd20905f7e70d30ab8d889cd33b87a3f232b1609142d180dd614202dae1ef
SSDEEP

12288:jDgN6MoIwT3qOOOOOOOOOOOOOOOOOOOOOO:jTtT3qOOOOOOOOOOOOOOOOOOOOOO

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 4336	2072	rundll32.exe	89
PID 2072 wrote to memory of 4336	2072	rundll32.exe	89
PID 2072 wrote to memory of 4336	2072	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3866488eba95df803944be97fcfe960_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3866488eba95df803944be97fcfe960_NeikiAnalytics.dll,#1
  2⤵
  PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:1384