svcready | 4ee95bea87b8ee810c23526b2c63138adc5d88a0937df45e16d54dc941a75fcb

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-08-2022 15:20

Target

4ee95bea87b8ee810c23526b2c63138adc5d88a0937df45e16d54dc941a75fcb.dll
Size

1.3MB
MD5

c291e3103b80ba215fc0e37200532596
SHA1

c10bbdae6887bacd30db8a96c4a1b25f0c05a84f
SHA256

4ee95bea87b8ee810c23526b2c63138adc5d88a0937df45e16d54dc941a75fcb
SHA512

cd57505bdce25d9c797309a951f0eadb1abd21159f75f3c3bf5805b6b99f7e6b0a7010213d10e00f2e9710f1de2723434541c753f2a6f7bc728c3546a25866f8

Score

10^/10

svcready loader

Detects SVCReady loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/912-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

952 912 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
952	912	WerFault.exe	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 912	1988	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 952	912	regsvr32.exe	WerFault.exe
PID 912 wrote to memory of 952	912	regsvr32.exe	WerFault.exe
PID 912 wrote to memory of 952	912	regsvr32.exe	WerFault.exe
PID 912 wrote to memory of 952	912	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4ee95bea87b8ee810c23526b2c63138adc5d88a0937df45e16d54dc941a75fcb.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4ee95bea87b8ee810c23526b2c63138adc5d88a0937df45e16d54dc941a75fcb.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 300
    3⤵
    - Program crash
    PID:952

memory/912-55-0x0000000000000000-mapping.dmp

Download
memory/912-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/912-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/952-62-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download