svcready | a9f95fd06a5444a4c5d0d4c553a81a4f5f421aea9e07f2bb6b270183f19b7a49 | Triage

Resubmissions

31-08-2022 20:26

220831-y73vvsbcfr 10

21-07-2022 06:01

220721-gq558adfdn 10

20-07-2022 17:02

220720-vj4wgacebl 10

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31-08-2022 20:26

Sharing

Report Analysis Logs

General

Target

svc.dll
Size

1.2MB
MD5

5a800c0c43e7ef2abca922ef59cbdb57
SHA1

541127b4c63917a8ad767cc5f9f7cb2f3ba35a4a
SHA256

a9f95fd06a5444a4c5d0d4c553a81a4f5f421aea9e07f2bb6b270183f19b7a49
SHA512

7d9bd3461fa5182f7b998253972f1916fb0adde7c55ae078b13db7af9ee1ed86881b2ffe9dfd8ed9e163323f38775b5ae0ea7d8d8e2658dba0f5aff161752f5e
SSDEEP

24576:tvYZQAI/107QOq8flhywxenHOeI/TaL19sHW+yp59aRph/rpDcbzWROTq:tv

Score

10^/10

svcready loader

Malware Config

Signatures

Detects SVCReady loader 1 IoCs

resource	yara_rule
behavioral1/memory/2004-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1516	2004	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 1772 wrote to memory of 2004	1772	regsvr32.exe	27
PID 2004 wrote to memory of 1516	2004	regsvr32.exe	28
PID 2004 wrote to memory of 1516	2004	regsvr32.exe	28
PID 2004 wrote to memory of 1516	2004	regsvr32.exe	28
PID 2004 wrote to memory of 1516	2004	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\svc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\svc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 312
    3⤵
    - Program crash
    PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1772-54-0x000007FEFBE31000-0x000007FEFBE33000-memory.dmp

Filesize
8KB

Download
memory/2004-56-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2004-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download