svcready | 7a5ef2562d7e5c7bdf582fc65b3b9e29eeee1acbfd7679070baf22fd88e18cfc

Analysis

max time kernel
51s
max time network
56s
platform
windows10_x64
resource
win10-20220414-en
submitted
23-06-2022 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tst.docm
Size

2.6MB
MD5

47a9a2a519731faa421cf0a0f4ab9a8d
SHA1

54d9286231811e3fd38e179b9202a59ef4bd651d
SHA256

7a5ef2562d7e5c7bdf582fc65b3b9e29eeee1acbfd7679070baf22fd88e18cfc
SHA512

39a54d3cd397ebe5230323a68b114bc19511cba5d6a10aeddff47b24c1414b3de4cf003f35bb7e419c782d6637dbe9766bf664e21be139ed67361456e70d124c

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1928-323-0x0000000000400000-0x00000000004D0000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Executes dropped EXE 1 IoCs

Processes:

r7F86.tmp.exe

pid process

1928 r7F86.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

r7F86.tmp.exe

pid process

1928 r7F86.tmp.exe

pid	process
1928	r7F86.tmp.exe

pid	process
1928	r7F86.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3904 WINWORD.EXE
3904 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3904 WINWORD.EXE
3904 WINWORD.EXE
3904 WINWORD.EXE
3904 WINWORD.EXE
3904 WINWORD.EXE
3904 WINWORD.EXE
3904 WINWORD.EXE

pid	process
3904	WINWORD.EXE
3904	WINWORD.EXE

pid	process
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3904 wrote to memory of 1928	3904	WINWORD.EXE	r7F86.tmp.exe
PID 3904 wrote to memory of 1928	3904	WINWORD.EXE	r7F86.tmp.exe
PID 3904 wrote to memory of 1928	3904	WINWORD.EXE	r7F86.tmp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tst.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\r7F86.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\r7F86.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\y7F85.tmp.dll",DllRegisterServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r7F86.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7F86.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7F85.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
\Users\Admin\AppData\Local\Temp\y7F85.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
memory/1928-308-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-328-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-311-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-312-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-285-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-286-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-287-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-288-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-289-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-290-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-291-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-292-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-293-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-294-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-341-0x0000000004E80000-0x0000000004E86000-memory.dmp

Filesize
24KB

Download
memory/1928-298-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-330-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-329-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-300-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-301-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-295-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-305-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-306-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-307-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-313-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-309-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-283-0x0000000000000000-mapping.dmp

Download
memory/1928-327-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-323-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-315-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-317-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-318-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-320-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-322-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-321-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-319-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-316-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-314-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-310-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3904-119-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-296-0x000001F21188C000-0x000001F211A6F000-memory.dmp

Filesize
1.9MB

Download
memory/3904-120-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-299-0x000001F2115B0000-0x000001F21167E000-memory.dmp

Filesize
824KB

Download
memory/3904-359-0x000001F2114B0000-0x000001F2115A6000-memory.dmp

Filesize
984KB

Download
memory/3904-122-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-121-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-126-0x00007FF93E820000-0x00007FF93E830000-memory.dmp

Filesize
64KB

Download
memory/3904-297-0x000001F2114B0000-0x000001F2115A6000-memory.dmp

Filesize
984KB

Download
memory/3904-358-0x000001F21188C000-0x000001F211A6F000-memory.dmp

Filesize
1.9MB

Download
memory/3904-125-0x00007FF93E820000-0x00007FF93E830000-memory.dmp

Filesize
64KB

Download
memory/3904-446-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-447-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-448-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download
memory/3904-449-0x00007FF941370000-0x00007FF941380000-memory.dmp

Filesize
64KB

Download