yunsip | cc120374cf21512c109d7075ef7493cdd9809a9dce2ab567e9b6f8de21af7a2e

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 10:42

Target

aa6978c4528109a4f2cb51f15ba4a480N.dll
Size

608KB
MD5

aa6978c4528109a4f2cb51f15ba4a480
SHA1

f67b47c6a70ac9b51980729e17e1b5ee9a72e09e
SHA256

cc120374cf21512c109d7075ef7493cdd9809a9dce2ab567e9b6f8de21af7a2e
SHA512

bfcac5df069d5b2808da95b8ef54e8f05885d8689fa057c31ddcb4ee7facce4770ef1ccb1c2f1f3d80889c97024e709fd7f6c95c3e9af9e4b1278887e98967ac
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYP:o6RI1Fo/wT3cJYYYYYYYYYYYYP

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3560 wrote to memory of 2460	3560	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 2460	3560	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 2460	3560	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6978c4528109a4f2cb51f15ba4a480N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6978c4528109a4f2cb51f15ba4a480N.dll,#1
  2⤵
  PID:2460