svcready | a9f95fd06a5444a4c5d0d4c553a81a4f5f421aea9e07f2bb6b270183f19b7a49

Analysis

max time kernel
1591s
max time network
1610s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svc.dll
Size

1.2MB
MD5

5a800c0c43e7ef2abca922ef59cbdb57
SHA1

541127b4c63917a8ad767cc5f9f7cb2f3ba35a4a
SHA256

a9f95fd06a5444a4c5d0d4c553a81a4f5f421aea9e07f2bb6b270183f19b7a49
SHA512

7d9bd3461fa5182f7b998253972f1916fb0adde7c55ae078b13db7af9ee1ed86881b2ffe9dfd8ed9e163323f38775b5ae0ea7d8d8e2658dba0f5aff161752f5e

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

resource	yara_rule
behavioral1/memory/1424-162-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	regsvr32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMajorRelease	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMinorRelease	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	regsvr32.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3080	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000_Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}\ = 2800000058c65e8f7878aebd6326eeca792e1679a313fce86f12c25dcabdc58c3b9c385ea4c97fe34a39d2f4f928ad4ff15a176bf6ca25b98b3c4e1ccd1dfc1d8580be4cd989564e7fc48aa4	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 1424	3956	regsvr32.exe	67
PID 3956 wrote to memory of 1424	3956	regsvr32.exe	67
PID 3956 wrote to memory of 1424	3956	regsvr32.exe	67
PID 1424 wrote to memory of 3080	1424	regsvr32.exe	70
PID 1424 wrote to memory of 3080	1424	regsvr32.exe	70
PID 1424 wrote to memory of 3080	1424	regsvr32.exe	70

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\svc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\svc.dll
  2⤵
  - Checks BIOS information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\systeminfo.exe
    C:\Windows\System32\systeminfo.exe
    3⤵
    - Gathers system information
    PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-119-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-120-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-121-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-122-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-123-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-124-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-125-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-126-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-127-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-128-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-129-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-130-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-131-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-132-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-133-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-134-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-135-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-136-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-137-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-138-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-139-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-140-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-141-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-142-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-143-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-144-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-145-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-146-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-147-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-148-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-149-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-150-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-151-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-152-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-153-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-154-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-155-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-156-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-157-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-158-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-159-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-160-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-161-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-162-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/1424-167-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-168-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-169-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-170-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-171-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-172-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-173-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-174-0x0000000006310000-0x00000000063AC000-memory.dmp

Filesize
624KB

Download
memory/1424-175-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-176-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-177-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-178-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-179-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-180-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-181-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1424-182-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download