yunsip | 6cf7f36abbf2f07b63d98028ba8ae42a968ca76a61ce85974f287801ad957423

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 02:12

Target

30328bf432ee4916fa71be105d8d1c50N.dll
Size

815KB
MD5

30328bf432ee4916fa71be105d8d1c50
SHA1

2bd77ff33610973965d6ed4ea47d93de7e4b64e1
SHA256

6cf7f36abbf2f07b63d98028ba8ae42a968ca76a61ce85974f287801ad957423
SHA512

cab943ae0d5801954e62c260f8801025a61a12c64b56ee7f09eeb18742597b235441f761cab7550a6aeaa08ae3723d6965042cc5873d954a927108b309e890a8
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYV:o6RI1Fo/wT3cJYYYYYYYYYYYYV

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2724 wrote to memory of 2216	2724	rundll32.exe	rundll32.exe
PID 2724 wrote to memory of 2216	2724	rundll32.exe	rundll32.exe
PID 2724 wrote to memory of 2216	2724	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30328bf432ee4916fa71be105d8d1c50N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30328bf432ee4916fa71be105d8d1c50N.dll,#1
2⤵
PID:2216