yunsip | 004a0a2fc3afb0739e814fa0825899b3f326bbdc14e59ac399c7322335dd0ae5

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 12:51

Target

004a0a2fc3afb0739e814fa0825899b3f326bbdc14e59ac399c7322335dd0ae5_NeikiAnalytics.dll
Size

904KB
MD5

029f70de2975b7863926b5f5997c97f0
SHA1

4b92db71ac1749421311a86ea6aa9808109112bf
SHA256

004a0a2fc3afb0739e814fa0825899b3f326bbdc14e59ac399c7322335dd0ae5
SHA512

de80100e6b301070efbf27bd8eee74a144cd85c1bba16e78383c804daea74479fe3ddf1ef80863b6fe3a01c340625d9d0433b8a509eecb5866e00e75ea6f83c7
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY2jjjjjjjjjjjjjjjjjjjjjj4:o6RI1Fo/wT3cJYYYYYYYYYYYYP

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 1272	2444	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\004a0a2fc3afb0739e814fa0825899b3f326bbdc14e59ac399c7322335dd0ae5_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\004a0a2fc3afb0739e814fa0825899b3f326bbdc14e59ac399c7322335dd0ae5_NeikiAnalytics.dll,#1
  2⤵
  PID:1272