svcready | 96fbcbc57ca0b207ad0c1c3069b9eeab87b34fb27fb135be4979245852852434

Analysis

max time kernel
135s
max time network
153s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
16-07-2022 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

comune.pozzoleone.vi document 17.06.docm
Size

2.6MB
MD5

6238cf8f3223ca8cd3424d4b0845b979
SHA1

b9d1b3be74d8b659f3bd0dc4f0f079c9c70822d4
SHA256

96fbcbc57ca0b207ad0c1c3069b9eeab87b34fb27fb135be4979245852852434
SHA512

e08d5b7c8b5f175ee0e0308cb6fa10efb167e93a2012b07e5a187980d8c658faa716b79fbd25adac02bbf0e3fdb1e685904813b4593753a57a530a92fe877f0d

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3804-320-0x0000000000980000-0x0000000000A50000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Executes dropped EXE 1 IoCs

Processes:

r938B.tmp.exe

pid process

3804 r938B.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

r938B.tmp.exe

pid process

3804 r938B.tmp.exe
3804 r938B.tmp.exe

pid	process
3804	r938B.tmp.exe

pid	process
3804	r938B.tmp.exe
3804	r938B.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4552 WINWORD.EXE
4552 WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4552 wrote to memory of 3804	4552	WINWORD.EXE	r938B.tmp.exe
PID 4552 wrote to memory of 3804	4552	WINWORD.EXE	r938B.tmp.exe
PID 4552 wrote to memory of 3804	4552	WINWORD.EXE	r938B.tmp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\comune.pozzoleone.vi document 17.06.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\r938B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\r938B.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\y938A.tmp.dll",DllRegisterServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r938B.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\r938B.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y938A.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
\Users\Admin\AppData\Local\Temp\y938A.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
\Users\Admin\AppData\Local\Temp\y938A.tmp.dll

Filesize
820KB

MD5
e9334bc1f6db1fe8db13e17c47299c74

SHA1
da12f863b1c4f437efc8a5faa8e04e32439eb479

SHA256
a7628a09046bc9f9144ecf506ef5a399befb8a985b028db8032a40ae0f96cf86

SHA512
b2e10ccb89dc2ec23a824cf9c39d76c698f3f1f4a3498c1fcc7b68a73a9a15e28aac512a010c769582b965d544ee558cfdc2e59a672dd7e782826e9776640d95

Download Submit
memory/3804-302-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-314-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-303-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-280-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-282-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-328-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/3804-305-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-327-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-285-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-286-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-287-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-288-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-289-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-290-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-291-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-292-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-293-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-294-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-304-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-296-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-326-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-301-0x0000000000980000-0x0000000000A50000-memory.dmp

Filesize
832KB

Download
memory/3804-325-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-324-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-295-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-320-0x0000000000980000-0x0000000000A50000-memory.dmp

Filesize
832KB

Download
memory/3804-319-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-318-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-317-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-306-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-307-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-308-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-309-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-310-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-311-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-312-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-313-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-278-0x0000000000000000-mapping.dmp

Download
memory/3804-315-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/3804-316-0x00000000773E0000-0x000000007756E000-memory.dmp

Filesize
1.6MB

Download
memory/4552-119-0x00007FF9103D0000-0x00007FF9103E0000-memory.dmp

Filesize
64KB

Download
memory/4552-120-0x00007FF9103D0000-0x00007FF9103E0000-memory.dmp

Filesize
64KB

Download
memory/4552-351-0x00000272444A7000-0x000002724468A000-memory.dmp

Filesize
1.9MB

Download
memory/4552-284-0x00000272441C0000-0x000002724428E000-memory.dmp

Filesize
824KB

Download
memory/4552-121-0x00007FF9103D0000-0x00007FF9103E0000-memory.dmp

Filesize
64KB

Download
memory/4552-118-0x00007FF9103D0000-0x00007FF9103E0000-memory.dmp

Filesize
64KB

Download
memory/4552-124-0x00007FF90CA10000-0x00007FF90CA20000-memory.dmp

Filesize
64KB

Download
memory/4552-281-0x00000272444A7000-0x000002724468A000-memory.dmp

Filesize
1.9MB

Download
memory/4552-283-0x00000272440C0000-0x00000272441B6000-memory.dmp

Filesize
984KB

Download
memory/4552-125-0x00007FF90CA10000-0x00007FF90CA20000-memory.dmp

Filesize
64KB

Download
memory/4552-352-0x00000272440C0000-0x00000272441B6000-memory.dmp

Filesize
984KB

Download