yunsip | 1d20a650186d32fa75d7234762e75c8605748cd5990a2ff8607eaca9303c3721

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 22:35

Target

1d20a650186d32fa75d7234762e75c8605748cd5990a2ff8607eaca9303c3721_NeikiAnalytics.dll
Size

1.0MB
MD5

58933208b58b655c3e58244ea465b9a0
SHA1

3fda8d0bb00891e4a6b27778e535e3ce0c722cdf
SHA256

1d20a650186d32fa75d7234762e75c8605748cd5990a2ff8607eaca9303c3721
SHA512

f42022d91c6b41fd5bbeaad53eedbb64012c272f7e649ae5a58786c553f305bd688c6d8f8e8c0c53fa21524c28fa1939f5f932f6730a4743a5afb8a0fa5e83b4
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY6:o6RI1Fo/wT3cJYYYYYYYYYYYY6

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28
PID 2172 wrote to memory of 2284	2172	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d20a650186d32fa75d7234762e75c8605748cd5990a2ff8607eaca9303c3721_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d20a650186d32fa75d7234762e75c8605748cd5990a2ff8607eaca9303c3721_NeikiAnalytics.dll,#1
  2⤵
  PID:2284