svcready | 235720bec0797367013cbdc1fe9bbdde1c5d325235920a1a3e9499485fb72dba | Triage

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-05-2022 14:31

Sharing

Report Analysis Logs

General

Target

next_stage.dll
Size

558KB
MD5

6eeb4d8cd43879a7b8fb4cf2a2753106
SHA1

2bd84ed774ef2a9c789fc5f27cebe1a115fcc1e0
SHA256

235720bec0797367013cbdc1fe9bbdde1c5d325235920a1a3e9499485fb72dba
SHA512

17447013a73470b4b58cd327da724a703c1105c4fa086a33a7cfa0033d0f79265ceacd7986aadb2f7cddabc8fd2641b90d97b3f28045b1ebb628306c7bc033fb

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1664-56-0x0000000074C20000-0x0000000074CB1000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1664	1948	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\next_stage.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\next_stage.dll,#1
  2⤵
  PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-54-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1664-56-0x0000000074C20000-0x0000000074CB1000-memory.dmp

Filesize
580KB

Download