svcready | a9f95fd06a5444a4c5d0d4c553a81a4f5f421aea9e07f2bb6b270183f19b7a49 | Triage

Resubmissions

31-08-2022 20:26

220831-y73vvsbcfr 10

21-07-2022 06:01

220721-gq558adfdn 10

20-07-2022 17:02

220720-vj4wgacebl 10

Analysis

max time kernel
37s
max time network
42s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 17:02

Sharing

Report Analysis Logs

General

Target

svc.dll
Size

1.2MB
MD5

5a800c0c43e7ef2abca922ef59cbdb57
SHA1

541127b4c63917a8ad767cc5f9f7cb2f3ba35a4a
SHA256

a9f95fd06a5444a4c5d0d4c553a81a4f5f421aea9e07f2bb6b270183f19b7a49
SHA512

7d9bd3461fa5182f7b998253972f1916fb0adde7c55ae078b13db7af9ee1ed86881b2ffe9dfd8ed9e163323f38775b5ae0ea7d8d8e2658dba0f5aff161752f5e

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/968-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1916 968 WerFault.exe regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 288 wrote to memory of 968	288	regsvr32.exe	regsvr32.exe
PID 968 wrote to memory of 1916	968	regsvr32.exe	WerFault.exe
PID 968 wrote to memory of 1916	968	regsvr32.exe	WerFault.exe
PID 968 wrote to memory of 1916	968	regsvr32.exe	WerFault.exe
PID 968 wrote to memory of 1916	968	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\svc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\svc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 312
    3⤵
    - Program crash
    PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/968-55-0x0000000000000000-mapping.dmp

Download
memory/968-56-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/968-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/1916-62-0x0000000000000000-mapping.dmp

Download