services.exe
Author: Microsoft
Source: Wild
Summary
Services.exe is part of the Service Control Manager (SCM) system that is responsible for managing and interacting with Windows Service processes. Services interact with SCM through an API and that same API is used by other service management tools such as sc.exe.
EchoTrail Prevalence Score (EPS)
91.21
Rank Analysis
Host Prevalence
87.9%
Execution Rank
492nd
Behavioral Analysis
Top Paths
C:\Windows\System32
99.88 %
Top Network Ports
59692
0.17 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
Look at the typical parents of services.exe: it should only ever be launched by wininit.exe. Knowing the typical parents and children of a process helps identify cases where that process may be acting maliciously. If you see services.exe being launched by something other than wininit.exe in your environment, it’s definitely worth investigating for signs of other malicious behavior. Likewise, if the version of services.exe running in your environment doesn’t match one of the common hashes, it’s likely to be a malicious process running under the name of a common Windows process (services.exe in this case) to fly under the radar and avoid being noticed.

Services.exe should never launch a shell (i.e. CMD, PowerShell, MSBuild, Linux subsystem). However, this has historically occurred in targeted attacks and penetration tests. Initial response should include looking for further suspicious activity in the command shell's process tree, as well as asking the system owner or administrator whether this activity is expected.
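The three checks described above (parent, hash, shell child), applied to process-creation events as an added example that is not part of the original page. The event keys (`Image`, `ParentImage`, `SHA256`), the image names chosen for each shell, and every hash value are assumptions or placeholders; the sample events are constructed.

```python
import ntpath

# Assumed image names for the shells the page lists (CMD, PowerShell, MSBuild, Linux subsystem).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "msbuild.exe", "wsl.exe", "bash.exe"}
# Placeholder: replace with the hashes of the services.exe builds deployed in your environment.
KNOWN_GOOD_SHA256 = {"PLACEHOLDER_HASH_OF_KNOWN_GOOD_BUILD"}

def base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def check_event(ev, known_good=KNOWN_GOOD_SHA256):
    """Return the list of findings for one process-creation event (dict)."""
    findings = []
    image, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
    if image == "services.exe":
        # Check 1: services.exe should only ever be launched by wininit.exe.
        if parent != "wininit.exe":
            findings.append("services.exe launched by %s, expected wininit.exe"
                            % (parent or "unknown parent"))
        # Check 2: the binary's hash should match a known-good build (missing hash also flags).
        if ev.get("SHA256", "").upper() not in {h.upper() for h in known_good}:
            findings.append("services.exe hash not in known-good set")
    # Check 3: services.exe should never be the parent of a shell.
    if parent == "services.exe" and image in SHELLS:
        findings.append("services.exe spawned shell %s" % image)
    return findings

def triage(events):
    """Map event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}

# Constructed sample events (not real telemetry).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"Image": SYS32 + "services.exe", "ParentImage": SYS32 + "wininit.exe",
     "SHA256": "PLACEHOLDER_HASH_OF_KNOWN_GOOD_BUILD"},
    {"Image": "C:\\Users\\Public\\services.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "SHA256": "CONSTRUCTED_UNKNOWN_HASH"},
    {"Image": SYS32 + "cmd.exe", "ParentImage": SYS32 + "services.exe"},
    {"Image": SYS32 + "svchost.exe", "ParentImage": SYS32 + "services.exe"},
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        for finding in findings:
            print("event %d: %s" % (idx, finding))
```

Matching on the file name alone keeps a renamed or relocated copy in scope for the parent and hash checks, which is the masquerading case the paragraph describes.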