svcready | 1e181b6df8eea97f71ad43403bd2338b74677bd4e8b4471181614f084b53982f

Analysis

max time kernel
111s
max time network
157s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-06-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c71fa657d1264aeab2d3f657edc70a4455893d1cf7f3502adb7c7d4ca8e9335e.docm
Size

2.6MB
MD5

5bd1110589e70c5f9203a3a1d8839b1e
SHA1

a496221115d08aabcbf5e09245544195cc8d543c
SHA256

c71fa657d1264aeab2d3f657edc70a4455893d1cf7f3502adb7c7d4ca8e9335e
SHA512

b69e5704f06f2e67c38563f7ea6cce9cb2b8f2ce80ad33b3a350d12661cb9473fcc08466ea0de253b7fc495b38381827e7c527925e67b584d0748340bcf8c111

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4836-322-0x0000000000860000-0x0000000000930000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Executes dropped EXE 1 IoCs

Processes:

rC384.tmp.exe

pid	Process
4836	rC384.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

rC384.tmp.exe

pid	Process
4836	rC384.tmp.exe
4836	rC384.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2692	WINWORD.EXE
2692	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid	Process
2692	WINWORD.EXE
2692	WINWORD.EXE
2692	WINWORD.EXE
2692	WINWORD.EXE
2692	WINWORD.EXE
2692	WINWORD.EXE
2692	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	Process	procid_target
PID 2692 wrote to memory of 4836	2692	WINWORD.EXE	69
PID 2692 wrote to memory of 4836	2692	WINWORD.EXE	69
PID 2692 wrote to memory of 4836	2692	WINWORD.EXE	69

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c71fa657d1264aeab2d3f657edc70a4455893d1cf7f3502adb7c7d4ca8e9335e.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\rC384.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\rC384.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\yC374.tmp.dll",DllRegisterServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rC384.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC384.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yC374.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
\Users\Admin\AppData\Local\Temp\yC374.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
\Users\Admin\AppData\Local\Temp\yC374.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
memory/2692-426-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-355-0x0000017924D40000-0x0000017924F23000-memory.dmp

Filesize
1.9MB

Download
memory/2692-123-0x00007FFB5A630000-0x00007FFB5A640000-memory.dmp

Filesize
64KB

Download
memory/2692-428-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-427-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-294-0x0000017924960000-0x0000017924A56000-memory.dmp

Filesize
984KB

Download
memory/2692-356-0x0000017924960000-0x0000017924A56000-memory.dmp

Filesize
984KB

Download
memory/2692-429-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-122-0x00007FFB5A630000-0x00007FFB5A640000-memory.dmp

Filesize
64KB

Download
memory/2692-119-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-116-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-118-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-117-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-293-0x0000017924D40000-0x0000017924F23000-memory.dmp

Filesize
1.9MB

Download
memory/2692-295-0x0000017924A60000-0x0000017924B2E000-memory.dmp

Filesize
824KB

Download
memory/4836-289-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-317-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-292-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-297-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-298-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-303-0x0000000000860000-0x0000000000930000-memory.dmp

Filesize
832KB

Download
memory/4836-304-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-305-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-306-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-307-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-309-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-308-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-310-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-311-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-312-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-313-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-291-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-314-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-316-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-296-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-318-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-319-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-320-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-321-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-315-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-290-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-288-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-287-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-322-0x0000000000860000-0x0000000000930000-memory.dmp

Filesize
832KB

Download
memory/4836-326-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-327-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-328-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-329-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-333-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/4836-286-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-285-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-284-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-283-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-282-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-280-0x0000000000000000-mapping.dmp

Download