File name:	svchost.zip
Full analysis:	https://app.any.run/tasks/761d2b1a-5144-4c49-b5a3-7a23c3533d86
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 11, 2020, 07:24:18
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan ramnit
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	EF1E4C04BF60CACA1DFE0386A4F11D97
SHA1:	C6C044EAFC184F275BF1A55DBDD85355C188D9E3
SHA256:	1FF04ED2CADB8BDA5A42EA75052F5346348CC75F14B4B22A841915D881BA1F7A
SSDEEP:	1536:muaDO+nKjYRotV3nsPFG+5ODTb7MX6DgDTj:PwEYutj+5O7oH

ZipFileName:	svchost.exe
ZipUncompressedSize:	56320
ZipCompressedSize:	54755
ZipCRC:	0x40c57347
ZipModifyDate:	2020:01:11 15:11:07
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
2456	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\svchost.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
2572	"C:\Users\admin\Desktop\svchost.exe"	C:\Users\admin\Desktop\svchost.exe		explorer.exe
User: admin Company: SOFTWIN S.R.L. Integrity Level: HIGH Description: BitDefender Management Console Exit code: 0 Version: 106.42.73.61
3388	"C:\Program Files\Microsoft\DesktopLayer.exe"	C:\Program Files\Microsoft\DesktopLayer.exe	—	svchost.exe
User: admin Integrity Level: HIGH Exit code: 0
1908	"C:\Program Files\Internet Explorer\iexplore.exe"	C:\Program Files\Internet Explorer\iexplore.exe		DesktopLayer.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID	Process	Filename		Type
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHT\license.html		xml
		MD5:909C2BEF1CB3B9C5383DC566961B3E4C	SHA256:98D29CED4AED84E21724B07B18E7895CADAEDFE38B3BADA73CE3C6CA8E9CCD3E
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html		xml
		MD5:EFF1C69346C2497A5AE6EC7FCC2C4477	SHA256:0605C364DEA456FF09F7F6CEEA18C1FFBE805D2747943D8AA6C94927BD2D8DE8
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm		html
		MD5:439C71C59341E5E518D0EABC4099A24B	SHA256:419BCE4CD535A08FD240849436101579FC6A5464690D166E3E7A8EED87F12293
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm		html
		MD5:A6851D600250BF93716FD1721E509697	SHA256:3B4DE405392B27B611E9D820857D221BE34873A4D28AE2DDBE760C78440011CA
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm		html
		MD5:3FE5C54F7BDC00C83C49C27C9241FC80	SHA256:C65C0C1406867B92BF4590173628035FAE1ECDA06B222941B564B647F622917E
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Leame.htm		html
		MD5:5079AFA6A352AFE6D89C9CF78EAF3644	SHA256:34F530DC85BE9889F4ACC3CD32B7038542EDA595EC82829A32AA1EA4171BB63A
1908	iexplore.exe	C:\Program Files\Internet Explorer\dmlconf.dat		binary
		MD5:702B30E090FDADB0D624B7D27879303D	SHA256:87CF81595B02EED7727F06F1E07129F5225D9D08A74461266154CA51C24CCBEE
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Berime.htm		html
		MD5:CBADF7509F16BF3620AC5A483E4CBB1C	SHA256:1F58F6F2330711369236A596E37B19F695C2677BB363C9A59E3A70AC220E95FB
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm		html
		MD5:37F3D4CB431CEC9AF2F69D87FE8A2F64	SHA256:590E6DBB8DF77FE6E57894632FA6CB28C7B086704B0E7F9A348A95651310FD8E
1908	iexplore.exe	C:\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm		html
		MD5:7BFD7D6BB6EAC5462C4F9E370F7A6F80	SHA256:84E5D8D48334DF15BB9A99C858DA7D56268E14EEC1058F836BF6B4DC9DE41C0D

PID	Process	IP	Domain	ASN	CN	Reputation
1908	iexplore.exe	72.26.218.70:443	fget-career.com	Voxel Dot Net, Inc.	NL	malicious
1908	iexplore.exe	172.217.16.78:80	google.com	Google Inc.	US	whitelisted

Domain	IP	Reputation
google.com	172.217.16.78	whitelisted
fget-career.com	72.26.218.70	malicious

PID	Process	Class	Message
1908	iexplore.exe	A Network Trojan was detected	ET TROJAN Win32/Ramnit Checkin
1908	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Ramnit Checkin
1908	iexplore.exe	A Network Trojan was detected	ET TROJAN Win32/Ramnit Checkin
1908	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Ramnit Checkin

General Info

svchost.zip

EF1E4C04BF60CACA1DFE0386A4F11D97

C6C044EAFC184F275BF1A55DBDD85355C188D9E3

1FF04ED2CADB8BDA5A42EA75052F5346348CC75F14B4B22A841915D881BA1F7A

1536:muaDO+nKjYRotV3nsPFG+5ODTb7MX6DgDTj:PwEYutj+5O7oH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Connects to CnC server

Changes the login/logoff helper path in the registry

RAMNIT was detected

SUSPICIOUS

Executable content was dropped or overwritten

Creates executable files which already exist in Windows

Creates files in the program directory

Starts Internet Explorer

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings