yunsip | 71bb83cc504a55897df953eb6be31d973456b9631fac854aa5970eebd023cf9b

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 12:26

Target

c245dc27df475ed07c170e48fa067680N.dll
Size

807KB
MD5

c245dc27df475ed07c170e48fa067680
SHA1

127db070e6822aa17522be163f5c1a0ec4948bb8
SHA256

71bb83cc504a55897df953eb6be31d973456b9631fac854aa5970eebd023cf9b
SHA512

bb00d6a7676d707e2572174964108d6212b86f8806a12bc5f66798cb3f9cc7a59e7cd14f8400cf45acd3e85d34f2908563cffa1a15ce48cc85a5e7fcce1c0a9c
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYd:o6RI1Fo/wT3cJYYYYYYYYYYYYd

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31
PID 2712 wrote to memory of 2776	2712	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c245dc27df475ed07c170e48fa067680N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c245dc27df475ed07c170e48fa067680N.dll,#1
  2⤵
  PID:2776