yunsip | d43d2f3de3c32a8805ba041d2fe7f4db9e4b1de52836067d437029ffb1699a70

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 05:51

Target

7a0eed0f256ca1894bd9f448bedeb540N.dll
Size

759KB
MD5

7a0eed0f256ca1894bd9f448bedeb540
SHA1

a92509962c184b87170c6dac6479b2ea85ca8cb0
SHA256

d43d2f3de3c32a8805ba041d2fe7f4db9e4b1de52836067d437029ffb1699a70
SHA512

b9f5d117e2f80d4af88c320d6e2cc5f5de74822843024b92b3c44a1b95d54d48f7d2e4cfd05046328eec92d0621f9e72526965690ec43759bc1dd3141fe66680
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYY/:o6RI1Fo/wT3cJYYYYYYYYYYYY/

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30
PID 2400 wrote to memory of 2524	2400	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a0eed0f256ca1894bd9f448bedeb540N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a0eed0f256ca1894bd9f448bedeb540N.dll,#1
  2⤵
  PID:2524