svcready | 615519a5865324398662b7a1d9cab1ac5ffbca4de78713d9a8813135d5c117f1 | Triage

Analysis

max time kernel
470s
max time network
420s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
26-07-2022 11:35

Sharing

Report Analysis Logs

General

Target

payload.dll
Size

1.3MB
MD5

f2b499f84ad9ebf8a399a44e28238523
SHA1

17ac7422766b613a649aecfe3c9da7cdbb941df9
SHA256

615519a5865324398662b7a1d9cab1ac5ffbca4de78713d9a8813135d5c117f1
SHA512

8bf2eee21938bebcd858a3b2a9f28e073b8a340426dc6bff4fd3fd2ef19a27a96d3918baa198d340ad516e5e56133c817dc93baab9aa2d543c628048dffc18bc

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1800 1992 WerFault.exe regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1992	2008	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1800	1992	regsvr32.exe	WerFault.exe
PID 1992 wrote to memory of 1800	1992	regsvr32.exe	WerFault.exe
PID 1992 wrote to memory of 1800	1992	regsvr32.exe	WerFault.exe
PID 1992 wrote to memory of 1800	1992	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\payload.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\payload.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 312
    3⤵
    - Program crash
    PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-62-0x0000000000000000-mapping.dmp

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/1992-56-0x0000000075791000-0x0000000075793000-memory.dmp

Filesize
8KB

Download
memory/1992-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/2008-54-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download