svcready | dfb1999d927d7d9282035fba300ba292b2d86cd8e36c100932a29f6caa1060e6

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-08-2022 15:37

Target

285907f6d9b6ec584763d0ef320ee6a2.dll
Size

1.3MB
MD5

285907f6d9b6ec584763d0ef320ee6a2
SHA1

2ed949dbe247b0f16fa8ef52270b0738b25910fd
SHA256

dfb1999d927d7d9282035fba300ba292b2d86cd8e36c100932a29f6caa1060e6
SHA512

fb8627044619e26bbb622cac0d82986ca09525a2a9192e94760865ba02822676f6a6955945d73cd6488c72e2dbae19687e15d4f9169ae9e638fe1ad4a62dcbe3

Score

10^/10

svcready loader

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1488-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
948	1488	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1368 wrote to memory of 1488	1368	regsvr32.exe	27
PID 1488 wrote to memory of 948	1488	regsvr32.exe	28
PID 1488 wrote to memory of 948	1488	regsvr32.exe	28
PID 1488 wrote to memory of 948	1488	regsvr32.exe	28
PID 1488 wrote to memory of 948	1488	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\285907f6d9b6ec584763d0ef320ee6a2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\285907f6d9b6ec584763d0ef320ee6a2.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 300
    3⤵
    - Program crash
    PID:948

memory/948-62-0x0000000000000000-mapping.dmp

Download
memory/1368-54-0x000007FEFBC71000-0x000007FEFBC73000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000000000000-mapping.dmp

Download
memory/1488-56-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1488-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download