svcready | 89d6b9a0f7d4f30f5021a893925dfbea12051a0d3e5f5845fd1bc45b74eed830

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2022 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample20220809-01.xls
Size

84KB
MD5

5bc2a4eefe16c8465f076bdfc3d38870
SHA1

71d800ce5f7cbd5f9d3ba9a16626c592bbc28c46
SHA256

89d6b9a0f7d4f30f5021a893925dfbea12051a0d3e5f5845fd1bc45b74eed830
SHA512

84b5ead8d2a3be2f86d3b568a1eaf22c425910d5bb7df75e31264aa4c79eb4b8e86f9728b8b7f6400026e782a6114a0626a8bb0f806e44ac688039077b6970c0

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1312-142-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 4880 regsvr32.exe
SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1312 regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4880	regsvr32.exe

pid	process
1312	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3148 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE
3148	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2152 wrote to memory of 1312	2152	regsvr32.exe	regsvr32.exe
PID 2152 wrote to memory of 1312	2152	regsvr32.exe	regsvr32.exe
PID 2152 wrote to memory of 1312	2152	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample20220809-01.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\Documents\10039.
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\Documents\10039.
2⤵
- Loads dropped DLL
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\10039
Filesize
1.2MB

MD5
6826bda418d4b39a0defd2c320895bf4

SHA1
7533cc0767670b14843fb2978a92f11175578b6a

SHA256
9ff005f5b6b3302b23ff4b3f08a9dffbb48d5da08a31538197606efca2e4dcd1

SHA512
8c58314cc1e2aca736f7ca3017416fb3b6e4230755f5aafb6e554565475f7abe243972dfc021b7c9f0dce46b7a0b385cac07d0ac99d9101e5bf12f5dfe9b18b7

Download Submit
C:\Users\Admin\Documents\10039
Filesize
1.2MB

MD5
6826bda418d4b39a0defd2c320895bf4

SHA1
7533cc0767670b14843fb2978a92f11175578b6a

SHA256
9ff005f5b6b3302b23ff4b3f08a9dffbb48d5da08a31538197606efca2e4dcd1

SHA512
8c58314cc1e2aca736f7ca3017416fb3b6e4230755f5aafb6e554565475f7abe243972dfc021b7c9f0dce46b7a0b385cac07d0ac99d9101e5bf12f5dfe9b18b7

Download Submit
memory/1312-140-0x0000000000000000-mapping.dmp

Download
memory/1312-142-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/3148-132-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/3148-133-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/3148-134-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/3148-135-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/3148-136-0x00007FFAC4490000-0x00007FFAC44A0000-memory.dmp

Filesize
64KB

Download
memory/3148-137-0x00007FFAC1B30000-0x00007FFAC1B40000-memory.dmp

Filesize
64KB

Download
memory/3148-138-0x00007FFAC1B30000-0x00007FFAC1B40000-memory.dmp

Filesize
64KB

Download