svcready | 16851d915aaddf29fa2069b79d50fe3a81ecaafd28cde5b77cb531fe5a4e6742 | Triage

Analysis

max time kernel
39s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-06-2022 11:35

Sharing

Report Analysis Logs

General

Target

y31FF.tmp.dll
Size

558KB
MD5

6cd2a93c20957124f5878204ec3ed726
SHA1

853c8a814279422abd0dded0e001011401b12826
SHA256

16851d915aaddf29fa2069b79d50fe3a81ecaafd28cde5b77cb531fe5a4e6742
SHA512

28069434730710ef08321e1c934d1da8a0f649ed38b9d53a8c3ecc044a747c7f641d022bed42ccb43d912c4447515d9418340ffa778a2a901778360ecb6ee80f

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-56-0x0000000074480000-0x0000000074511000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 1888	1868	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\y31FF.tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\y31FF.tmp.dll,#1
  2⤵
  PID:1888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-54-0x0000000000000000-mapping.dmp

Download
memory/1888-55-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1888-56-0x0000000074480000-0x0000000074511000-memory.dmp

Filesize
580KB

Download