Xcitium Cloud Verdict

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: UPX1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0018da00, virtual_size: 0x0018e000

The executable is compressed using UPX Show sources

packer_section

name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x005b1000

Information Discovery

Expresses interest in specific running processes Show sources

api_process_name

svchost.exe

Repeatedly searches for a not-found process, may want to run with startbrowser=1 option

Static Anomaly

Unusual version info supplied for binary Show sources

anomaly

Microsoft mentioned in LegalCopyright, but not in CompanyName field

Networking

Attempts to connect to a dead IP:Port (1 unique times) Show sources

network_host_ip

185.10.68.220:443 (Germany)

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

File Name: services.exe

File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

SHA1: 44a3eaf1e91ac124b950dceaf870c5cb574403c0

MD5: 059bff8c2b8b17074a8244b83a0e5064