svcready | af94ea70ed0693bd753648d593bb53ce6a6a6075d8be37b5e09788e50d2189e6 | Triage

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
22-07-2022 16:15

Sharing

Report Analysis Logs

General

Target

yDF97.tmp.dll
Size

1.2MB
MD5

80ca8219bc7b0d6d1ad5c24362e50487
SHA1

267db840b0c45e46320c95e1df05b8f641b2a4d6
SHA256

af94ea70ed0693bd753648d593bb53ce6a6a6075d8be37b5e09788e50d2189e6
SHA512

c76a7954fb8817937cbd50d676403977ff6e0d187b442e3d968d18a32cba107114536e55beb61eef4e20181446ce265b62f78aebdab7c6ed9c507c19dbd25040

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1760-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1328 1760 WerFault.exe regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1592 wrote to memory of 1760	1592	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1328	1760	regsvr32.exe	WerFault.exe
PID 1760 wrote to memory of 1328	1760	regsvr32.exe	WerFault.exe
PID 1760 wrote to memory of 1328	1760	regsvr32.exe	WerFault.exe
PID 1760 wrote to memory of 1328	1760	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\yDF97.tmp.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\yDF97.tmp.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 300
    3⤵
    - Program crash
    PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-62-0x0000000000000000-mapping.dmp

Download
memory/1592-54-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1760-55-0x0000000000000000-mapping.dmp

Download
memory/1760-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1760-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download