svcready | b3ebe1f830bf9881e2160ea2b0f9d798f21b2c0ba110f8192eabad46ff837b8f

Analysis

max time kernel
145s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
22-07-2022 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gruppofrancescomaggini_invoice_22.07.2022.docm
Size

3.3MB
MD5

254af7966fbfb605e37a87aced2ca222
SHA1

5274e328b810cd31e7fa58624efe8ecc192a0d33
SHA256

b3ebe1f830bf9881e2160ea2b0f9d798f21b2c0ba110f8192eabad46ff837b8f
SHA512

20c4256c5a4a0101d035aefefed34205338e1dbef55813e3dc1c8465378bc874cf02260be5b3b8f9b3104fb7d49445072180d9351810af6e68a2202fb666d201

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4416-314-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Executes dropped EXE 1 IoCs

Processes:

rAE18.tmp.exe

pid process

4416 rAE18.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

rAE18.tmp.exe

pid process

4416 rAE18.tmp.exe

pid	process
4416	rAE18.tmp.exe

pid	process
4416	rAE18.tmp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2656 WINWORD.EXE
2656 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2656 WINWORD.EXE
2656 WINWORD.EXE
2656 WINWORD.EXE
2656 WINWORD.EXE
2656 WINWORD.EXE
2656 WINWORD.EXE
2656 WINWORD.EXE

pid	process
2656	WINWORD.EXE
2656	WINWORD.EXE

pid	process
2656	WINWORD.EXE
2656	WINWORD.EXE
2656	WINWORD.EXE
2656	WINWORD.EXE
2656	WINWORD.EXE
2656	WINWORD.EXE
2656	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2656 wrote to memory of 4416	2656	WINWORD.EXE	rAE18.tmp.exe
PID 2656 wrote to memory of 4416	2656	WINWORD.EXE	rAE18.tmp.exe
PID 2656 wrote to memory of 4416	2656	WINWORD.EXE	rAE18.tmp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\gruppofrancescomaggini_invoice_22.07.2022.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\rAE18.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\rAE18.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\yAE07.tmp.dll",DllRegisterServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rAE18.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAE18.tmp.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAE07.tmp.dll

Filesize
1.2MB

MD5
9f537bff41c6457c9c0f837cb90a851d

SHA1
64685f0a3b473cd58b681727666ca2b686f173ea

SHA256
6bb5677022d56577ad259984a162835d9421da76bd95a1d8cc8965fddf71fd53

SHA512
0a346ff6f4cba597d747bc30f58cab819a8498909bfd3d0d8bd32cbba9e328fc7f8d8d0dd04822bf319fac5b270d0b6178268a9f9bbdef64c731176d33a99a66

Download Submit
\Users\Admin\AppData\Local\Temp\yAE07.tmp.dll

Filesize
1.2MB

MD5
9f537bff41c6457c9c0f837cb90a851d

SHA1
64685f0a3b473cd58b681727666ca2b686f173ea

SHA256
6bb5677022d56577ad259984a162835d9421da76bd95a1d8cc8965fddf71fd53

SHA512
0a346ff6f4cba597d747bc30f58cab819a8498909bfd3d0d8bd32cbba9e328fc7f8d8d0dd04822bf319fac5b270d0b6178268a9f9bbdef64c731176d33a99a66

Download Submit
memory/2656-121-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Filesize
64KB

Download
memory/2656-125-0x00007FF994370000-0x00007FF994380000-memory.dmp

Filesize
64KB

Download
memory/2656-349-0x000001F156F30000-0x000001F157026000-memory.dmp

Filesize
984KB

Download
memory/2656-124-0x00007FF994370000-0x00007FF994380000-memory.dmp

Filesize
64KB

Download
memory/2656-348-0x000001F157302000-0x000001F1574E5000-memory.dmp

Filesize
1.9MB

Download
memory/2656-292-0x000001F157302000-0x000001F1574E5000-memory.dmp

Filesize
1.9MB

Download
memory/2656-120-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Filesize
64KB

Download
memory/2656-119-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Filesize
64KB

Download
memory/2656-297-0x000001F157170000-0x000001F1572A8000-memory.dmp

Filesize
1.2MB

Download
memory/2656-118-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Filesize
64KB

Download
memory/2656-294-0x000001F156F30000-0x000001F157026000-memory.dmp

Filesize
984KB

Download
memory/4416-291-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-303-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-290-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-288-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-287-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-295-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-293-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-286-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-296-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-285-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-283-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-300-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-301-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-302-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-284-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-289-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-305-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-304-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-306-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-307-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-309-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-308-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-310-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-311-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-312-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-313-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-314-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/4416-282-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-320-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-281-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-279-0x0000000000000000-mapping.dmp

Download