svcready | c710edb3e8b62981cd8b3f01de3a9ac43417effd342e1c8e8b83f0277eed1149

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/09/2022, 15:01 UTC

Target

6821b537c2deb89bcb181524042ce8b52ea9852def48375d76d68cde2a276d3e.dll
Size

1.5MB
MD5

40b1d02c1408620b18f9850909606315
SHA1

e8fd2e7d6e61c25776845017f547aee21d52f3d6
SHA256

6821b537c2deb89bcb181524042ce8b52ea9852def48375d76d68cde2a276d3e
SHA512

be41b7357d27b6e47129d3b1585dfd8ab035a8ebf5ce29499909a9cc933c41a31eb58fb1ae931c0218f7a8930a5e2d49626ada9ea106486662af6f636388af6d
SSDEEP

24576:xHf0hvBaBdjZAIVCv1nWe2PQIgzZaTonGkeMVlR18qLElrQPdSVSK1szTjjVRJfc:xMf5XQ

Score

10^/10

svcready loader

Detects SVCReady loader 1 IoCs

resource	yara_rule
behavioral1/memory/988-57-0x0000000010000000-0x0000000010091000-memory.dmp	family_svcready

SVCReady
SVCReady is a malware loader first seen in April 2022.
loader svcready

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	988	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 1768 wrote to memory of 988	1768	regsvr32.exe	27
PID 988 wrote to memory of 2032	988	regsvr32.exe	28
PID 988 wrote to memory of 2032	988	regsvr32.exe	28
PID 988 wrote to memory of 2032	988	regsvr32.exe	28
PID 988 wrote to memory of 2032	988	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6821b537c2deb89bcb181524042ce8b52ea9852def48375d76d68cde2a276d3e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\6821b537c2deb89bcb181524042ce8b52ea9852def48375d76d68cde2a276d3e.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 300
    3⤵
    - Program crash
    PID:2032

memory/988-56-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/988-57-0x0000000010000000-0x0000000010091000-memory.dmp

Filesize
580KB

Download
memory/1768-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download