svcready | 4e9014051b9fdca12579b66a2933233db9a065918420c9f2d031b2b2b262a592 | Triage

Analysis

max time kernel
44s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-08-2022 08:04

Sharing

Report Analysis Logs

General

Target

JUqEqDce.dll
Size

1.4MB
MD5

b77a0f2cc69d5c81f31be7bd73155c14
SHA1

0983a4bca3784c76e2ab50d90c03039a4461b33e
SHA256

4e9014051b9fdca12579b66a2933233db9a065918420c9f2d031b2b2b262a592
SHA512

9f9dbbdc77a411f3849eeb4d9f2df7e070657cdfe86757e2a97eac257819b5f45cf5a37f6c09e66c3e4172a56f93d3a91fbee415475be0aced2ef9a449efca30

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1032-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

908 1032 WerFault.exe regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 1032	380	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 908	1032	regsvr32.exe	WerFault.exe
PID 1032 wrote to memory of 908	1032	regsvr32.exe	WerFault.exe
PID 1032 wrote to memory of 908	1032	regsvr32.exe	WerFault.exe
PID 1032 wrote to memory of 908	1032	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JUqEqDce.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\JUqEqDce.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 300
3⤵
- Program crash
PID:908

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download
memory/908-62-0x0000000000000000-mapping.dmp

Download
memory/1032-55-0x0000000000000000-mapping.dmp

Download
memory/1032-56-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1032-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download