Overview

overview

10

Static

static

cpi-racing...2.docm

windows7_x64

10

cpi-racing...2.docm

windows10-2004_x64

10

Resubmissions

23-06-2022 07:41

220623-jjfyvsehh6 10

07-06-2022 11:23

220607-ng5xesdhf2 8

Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 07:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cpi-racing.document.03.06.2022.docm

  • Size

    2.6MB

  • MD5

    9bef40c0f63ed916cadd8c8bb39e3c5b

  • SHA1

    ec231f8358d806240fa7781df4e13c34c0ae0716

  • SHA256

    501d971e548139153c64037d07b4e3fea2c1735a37774531c88cfa95ba660ec3

  • SHA512

    743dcadf3e69f4e855194fe13384e5c5d71a76060a78760f38c34f96892a71c5c0d1b8d726aa741b3772f393ff3725b562c85db48c6cac8cbbd2c2bcd8a2bf7e

Score
10/10
svcreadyloader

Malware Config

Signatures

  • Detects SVCReady loader 5 IoCs
  • SVCReady

    SVCReady is a malware loader first seen in April 2022.

    loadersvcready
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cpi-racing.document.03.06.2022.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Users\Admin\AppData\Local\Temp\r80EE.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\r80EE.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\y80DD.tmp.dll",CallFunction
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 340
        3⤵
        • Program crash
        PID:2712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 368
        3⤵
        • Program crash
        PID:3932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 552
        3⤵
        • Program crash
        PID:4648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 572
        3⤵
        • Program crash
        PID:3824
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 556
        3⤵
        • Program crash
        PID:3784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 552
        3⤵
        • Program crash
        PID:924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3108 -ip 3108
    1⤵
      PID:444
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3108 -ip 3108
      1⤵
        PID:2576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3108 -ip 3108
        1⤵
          PID:1028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3108 -ip 3108
          1⤵
            PID:4348
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3108 -ip 3108
            1⤵
              PID:1336
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3108 -ip 3108
              1⤵
                PID:4592

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\r80EE.tmp.exe
                Filesize

                60KB

                MD5

                889b99c52a60dd49227c5e485a016679

                SHA1

                8fa889e456aa646a4d0a4349977430ce5fa5e2d7

                SHA256

                6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

                SHA512

                08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\y80DD.tmp.dll
                Filesize

                559KB

                MD5

                6eefce6e0b2c458abf2665663cb73c2b

                SHA1

                563b082e19594876e8b84f22cb49b0fc4eb66a25

                SHA256

                39c955c9e906075c11948edd79ffc6d6fcc5b5e3ac336231f52c3b03e718371e

                SHA512

                44fe4de02f3b21a62e3e0f3f4b49f071028e28d9748caa137c9f9ac3fbb7f59b6daa18592a661471dedc3f78c5fc451e9f503cf1a847b578b695e106f5cb4dfe

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\y80DD.tmp.dll
                Filesize

                559KB

                MD5

                6eefce6e0b2c458abf2665663cb73c2b

                SHA1

                563b082e19594876e8b84f22cb49b0fc4eb66a25

                SHA256

                39c955c9e906075c11948edd79ffc6d6fcc5b5e3ac336231f52c3b03e718371e

                SHA512

                44fe4de02f3b21a62e3e0f3f4b49f071028e28d9748caa137c9f9ac3fbb7f59b6daa18592a661471dedc3f78c5fc451e9f503cf1a847b578b695e106f5cb4dfe

                Download Submit

              • memory/3108-142-0x0000000010000000-0x0000000010091000-memory.dmp

                Filesize

                580KB

                Download

              • memory/3108-141-0x0000000010000000-0x0000000010091000-memory.dmp

                Filesize

                580KB

                Download

              • memory/4792-132-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-136-0x00007FFC9A050000-0x00007FFC9A060000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-133-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-131-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-134-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-135-0x00007FFC9A050000-0x00007FFC9A060000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-130-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4792-205-0x000001EA7CB5D000-0x000001EA7CD40000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/4792-206-0x000001EA7C3A0000-0x000001EA7C496000-memory.dmp

                Filesize

                984KB

                Download

              • memory/4792-207-0x000001EA7C4A0000-0x000001EA7C52D000-memory.dmp

                Filesize

                564KB

                Download

              • memory/4792-208-0x000001EA7CB5D000-0x000001EA7CD40000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/4792-209-0x000001EA7C3A0000-0x000001EA7C496000-memory.dmp

                Filesize

                984KB

                Download