svcready | 338d326973acb3c5260a943498ee13668c86d6d375e0005251392bef54b4aadc | Triage

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
09-08-2022 09:52

Sharing

Report Analysis Logs

General

Target

62f22e2c25958.dll
Size

1.2MB
MD5

a40bf122a2f0617e31a60e0122b41b73
SHA1

761a6c8fa9b2f119f3d99a77a37a24a9783e3d6b
SHA256

338d326973acb3c5260a943498ee13668c86d6d375e0005251392bef54b4aadc
SHA512

abe6492ce5fdc3d6a5a835f75a7d017e12256a1c9c80dda02c047e4ff8e61632a29d9158536e7f110b7521ed66accb749be215d8fad547d5d440c7e243c18d9e

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1004-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2040 1004 WerFault.exe regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1908 wrote to memory of 1004	1908	regsvr32.exe	regsvr32.exe
PID 1004 wrote to memory of 2040	1004	regsvr32.exe	WerFault.exe
PID 1004 wrote to memory of 2040	1004	regsvr32.exe	WerFault.exe
PID 1004 wrote to memory of 2040	1004	regsvr32.exe	WerFault.exe
PID 1004 wrote to memory of 2040	1004	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62f22e2c25958.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\62f22e2c25958.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 296
    3⤵
    - Program crash
    PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-55-0x0000000000000000-mapping.dmp

Download
memory/1004-56-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/1004-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/1908-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp

Filesize
8KB

Download
memory/2040-62-0x0000000000000000-mapping.dmp

Download