Services.exe

First submission 2023-09-13 16:34:07

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 7293.0 KB (7468032 bytes)
Compile time: 2023-08-30 18:23:06
MD5: e962e5b9badb08fa227761855fedf45f
SHA1: 6d7e692b52498ab70bba061e325e6756d65f9978
SHA256: 1e78377257155e87512b7813cc01a9b047ee03227957e62373aa07245ea94bd7
Import Hash: de8af78b3569eb79f0a43010a95e85a8
Sections: 9 (.text .rdata .data .vmp0 .vmp1 .vmp2 .reloc .rsrc .srdata)
Directories: 3 (import resource relocation)
VirusTotal: 61/70
VT report date: 2023-09-13 14:21:35

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://171.22.28.208/download/Services.exe 171.22.28.208 2023-09-13 16:34:07

PE Sections 7 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x514ef 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x53000 0xab90 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.data 0x5e000 0x17fc 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.vmp0 0x60000 0x36d661 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.vmp1 0x3ce000 0x508 1536 3a8a61b13d94d7ed691d1b23a17e9fdcfe506c7f 6e40eacf9493bd351013efd6a0a3f761
.vmp2 0x3cf000 0x666e90 6713344 4d98aa9d32f1b2be123dff029dcb13dc661c90e3 fcbfa20f90b2b558f33ae38cb2af437a
.reloc 0xa36000 0x648 2048 a7a6941f77dcb6e8e008181993755ccf5f3174ea 80b06e371cace14bbf49063c5279a5c3
.rsrc 0xa37000 0xba1a8 721408 7320373eab8a62c6ab48952d21e7ded07a029e8b e2604dc92a1184e5c5205ebd57d23c2f
.srdata 0xaf2000 0x7000 28672 0b29e90a63a2aad7d130822c54310e27185e926c 3a6ec8fee222051d61ccb05a4e3265c1

PE Resources 9

Name Language Sublanguage Offset Size Data
PNG LANG_ENGLISH SUBLANG_ENGLISH_US 0xae700c 3335
RT_BITMAP LANG_ENGLISH SUBLANG_ENGLISH_US 0xaeebc4 240
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0xae3618 9640
RT_MENU LANG_ENGLISH SUBLANG_ENGLISH_US 0xaeecb4 162
RT_DIALOG LANG_ENGLISH SUBLANG_ENGLISH_US 0xaf00a4 770
RT_STRING LANG_ENGLISH SUBLANG_ENGLISH_US 0xaf10d8 184
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0xae682c 174
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0xae68dc 1838
None LANG_ENGLISH SUBLANG_ENGLISH_US 0xaf1190 24

Strings analysis - File found

Library
ADVAPI32.dll
KERNEL32.dll
USER32.dll
SETUPAPI.dll
SHELL32.dll

Strings analysis - Possible URLs found 2

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

Name Latest seen MD5
Services.exe 2023-09-05 15:33:07 ca7502cd02a0a170d9f4305c18410126