yunsip | 6cf7f36abbf2f07b63d98028ba8ae42a968ca76a61ce85974f287801ad957423

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 02:12

Target

30328bf432ee4916fa71be105d8d1c50N.dll
Size

815KB
MD5

30328bf432ee4916fa71be105d8d1c50
SHA1

2bd77ff33610973965d6ed4ea47d93de7e4b64e1
SHA256

6cf7f36abbf2f07b63d98028ba8ae42a968ca76a61ce85974f287801ad957423
SHA512

cab943ae0d5801954e62c260f8801025a61a12c64b56ee7f09eeb18742597b235441f761cab7550a6aeaa08ae3723d6965042cc5873d954a927108b309e890a8
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYV:o6RI1Fo/wT3cJYYYYYYYYYYYYV

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30
PID 1652 wrote to memory of 2692	1652	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30328bf432ee4916fa71be105d8d1c50N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\30328bf432ee4916fa71be105d8d1c50N.dll,#1
  2⤵
  PID:2692