svcready | c642fe65240289bb327a1ac176feba91e851cfb87087bf0275e3381784374912 | Triage

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-07-2022 10:28

Sharing

Report Analysis Logs

General

Target

y78A9.tmp.dll
Size

872KB
MD5

e2b4bed66703ca923c3c1ef8a82a3ff7
SHA1

c3da7251c8098c0d94c38bde9409068351686c18
SHA256

c642fe65240289bb327a1ac176feba91e851cfb87087bf0275e3381784374912
SHA512

063fa9f3d54c2d8dd580fc81aa2aa77199fb0dc9a590b36eaa0ae83b883d2d97e311b04310489f3f4790423bfd24fd905d0f1135334e63d75d11e2bd80e577bd

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3892-131-0x0000000000400000-0x00000000004DE000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2208 wrote to memory of 3892	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 3892	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 3892	2208	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\y78A9.tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\y78A9.tmp.dll,#1
  2⤵
  PID:3892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-130-0x0000000000000000-mapping.dmp

Download
memory/3892-131-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3892-135-0x0000000001200000-0x0000000001206000-memory.dmp

Filesize
24KB

Download