svcready | bddea66a3234b3773af6aff828f02df1c894516a54cbd2ccea6ff722262d0fa5

Analysis

max time kernel
1688s
max time network
1612s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-07-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbdy_document_07.06.2022.docm
Size

2.8MB
MD5

d099b942e5e42a6f4cf0428a16d9e234
SHA1

f79cc392c65c3242ceac6314bcf86a5162a87208
SHA256

bddea66a3234b3773af6aff828f02df1c894516a54cbd2ccea6ff722262d0fa5
SHA512

b253d0d91e7415cea6f44f1cd72bcb86e3195aa8fc09e3a3a10aeb10429518963e218a7c271e467c37604ef447136d1d14452d938eacd2b02d9a1900f481f321

Score

10^/10

svcready loader suricata

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5028-325-0x0000000000400000-0x00000000004DE000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
suricata: ET MALWARE Observed Win32/SVCReady Loader User-Agent
suricata: ET MALWARE Observed Win32/SVCReady Loader User-Agent
suricata
suricata: ET MALWARE Win32/SVCReady Loader CnC Activity M2
suricata: ET MALWARE Win32/SVCReady Loader CnC Activity M2
suricata
Executes dropped EXE 1 IoCs

Processes:

rC3C3.tmp.exe

pid process

5028 rC3C3.tmp.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rC3C3.tmp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rC3C3.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

rC3C3.tmp.exe

pid process

5028 rC3C3.tmp.exe

pid	process
5028	rC3C3.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rC3C3.tmp.exe

pid	process
5028	rC3C3.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rC3C3.tmp.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMajorRelease	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMinorRelease	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	rC3C3.tmp.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	rC3C3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rC3C3.tmp.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1348 systeminfo.exe

pid	process
1348	systeminfo.exe

Modifies registry class 2 IoCs

Processes:

rC3C3.tmp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}	rC3C3.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}\ = 0e0000005ac751876577a1aa7d34b3867f21ad406251b5792f90facb0043ca249ffaa265a59cb4ee411337a503b6a604e7d3	rC3C3.tmp.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2384 WINWORD.EXE
2384 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rC3C3.tmp.exe

pid process

5028 rC3C3.tmp.exe
5028 rC3C3.tmp.exe
5028 rC3C3.tmp.exe
5028 rC3C3.tmp.exe

pid	process
5028	rC3C3.tmp.exe
5028	rC3C3.tmp.exe
5028	rC3C3.tmp.exe
5028	rC3C3.tmp.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE
2384	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXErC3C3.tmp.exe

description	pid	process	target process
PID 2384 wrote to memory of 5028	2384	WINWORD.EXE	rC3C3.tmp.exe
PID 2384 wrote to memory of 5028	2384	WINWORD.EXE	rC3C3.tmp.exe
PID 2384 wrote to memory of 5028	2384	WINWORD.EXE	rC3C3.tmp.exe
PID 5028 wrote to memory of 1348	5028	rC3C3.tmp.exe	systeminfo.exe
PID 5028 wrote to memory of 1348	5028	rC3C3.tmp.exe	systeminfo.exe
PID 5028 wrote to memory of 1348	5028	rC3C3.tmp.exe	systeminfo.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bbdy_document_07.06.2022.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\rC3C3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\rC3C3.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\yC3C2.tmp.dll",DllRegisterServer
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\systeminfo.exe
C:\Windows\System32\systeminfo.exe
3⤵
- Gathers system information
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rC3C3.tmp.exe
Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC3C3.tmp.exe
Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yC3C2.tmp.dll
Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
\Users\Admin\AppData\Local\Temp\yC3C2.tmp.dll
Filesize
872KB

MD5
b58d95a3f3aec8e9deebf8c78ca6a064

SHA1
4c7a68e412ce0a362ac9595462ce0c8676ce0953

SHA256
58cdbd0377fe68e45161aafc0dd6a2b1fd188b87c34bd44d92afe34ebb186123

SHA512
5a4bb554bab0dc8986aa8e061a17568dfe0adc55a563e7249d9a9fb43bcb30e5ac30aef57fad2173b223bae9e2591979450c45251a837bd4ac5217172d2b1735

Download Submit
memory/1348-440-0x0000000000000000-mapping.dmp

Download
memory/2384-123-0x00007FF7CC230000-0x00007FF7CC240000-memory.dmp

Filesize
64KB

Download
memory/2384-119-0x00007FF7CFDA0000-0x00007FF7CFDB0000-memory.dmp

Filesize
64KB

Download
memory/2384-120-0x00007FF7CFDA0000-0x00007FF7CFDB0000-memory.dmp

Filesize
64KB

Download
memory/2384-118-0x00007FF7CFDA0000-0x00007FF7CFDB0000-memory.dmp

Filesize
64KB

Download
memory/2384-124-0x00007FF7CC230000-0x00007FF7CC240000-memory.dmp

Filesize
64KB

Download
memory/2384-280-0x0000023EDC5DD000-0x0000023EDC7C0000-memory.dmp

Filesize
1.9MB

Download
memory/2384-281-0x0000023EDC210000-0x0000023EDC306000-memory.dmp

Filesize
984KB

Download
memory/2384-282-0x0000023EDC310000-0x0000023EDC3EB000-memory.dmp

Filesize
876KB

Download
memory/2384-357-0x0000023EDC5DD000-0x0000023EDC7C0000-memory.dmp

Filesize
1.9MB

Download
memory/2384-117-0x00007FF7CFDA0000-0x00007FF7CFDB0000-memory.dmp

Filesize
64KB

Download
memory/2384-358-0x0000023EDC210000-0x0000023EDC306000-memory.dmp

Filesize
984KB

Download
memory/5028-309-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-318-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-288-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-289-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-290-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-291-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-292-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-293-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-294-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-295-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-296-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-297-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-298-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-302-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-303-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-304-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-305-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-306-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-307-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-308-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-286-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-310-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-311-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-312-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-313-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-314-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-316-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-317-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-315-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-287-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-320-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-321-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-322-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-319-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-323-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-324-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-325-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/5028-329-0x0000000002DB0000-0x0000000002DB6000-memory.dmp

Filesize
24KB

Download
memory/5028-330-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-331-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-285-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-332-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-413-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-414-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-415-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-416-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-417-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-418-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-419-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-421-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-422-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-423-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-424-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-425-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-426-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-427-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-283-0x0000000000000000-mapping.dmp

Download