yunsip | f82ac5fdd56256de80f8fd57abfabd87ca69b852c1fc23bf3eac479d862c28c0

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 07:26

Target

8370ce6477c987e921dbea688f8abc20N.dll
Size

705KB
MD5

8370ce6477c987e921dbea688f8abc20
SHA1

15bc64ff126f72d7dae3ff08f3bc0b776c683d5d
SHA256

f82ac5fdd56256de80f8fd57abfabd87ca69b852c1fc23bf3eac479d862c28c0
SHA512

e49f225dbf390e8df8af1ffd38a7ff18572468659b6a4de931f7237457407afc6b7721a87e780830748782fd603cdf4e5b265007313ec3ca5a105afb179c3cfb
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYm:o6RI1Fo/wT3cJYYYYYYYYYYYYm

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31
PID 1440 wrote to memory of 2308	1440	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8370ce6477c987e921dbea688f8abc20N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8370ce6477c987e921dbea688f8abc20N.dll,#1
  2⤵
  PID:2308