File name:

svchost.zip

Full analysis: https://app.any.run/tasks/761d2b1a-5144-4c49-b5a3-7a23c3533d86
Verdict: Malicious activity
Analysis date: January 11, 2020, 07:24:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ramnit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

EF1E4C04BF60CACA1DFE0386A4F11D97

SHA1:

C6C044EAFC184F275BF1A55DBDD85355C188D9E3

SHA256:

1FF04ED2CADB8BDA5A42EA75052F5346348CC75F14B4B22A841915D881BA1F7A

SSDEEP:

1536:muaDO+nKjYRotV3nsPFG+5ODTb7MX6DgDTj:PwEYutj+5O7oH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • svchost.exe (PID: 2572)
      • DesktopLayer.exe (PID: 3388)
    • Connects to CnC server

      • iexplore.exe (PID: 1908)
    • Changes the login/logoff helper path in the registry

      • iexplore.exe (PID: 1908)
    • RAMNIT was detected

      • iexplore.exe (PID: 1908)
  • SUSPICIOUS

    • Creates executable files which already exist in Windows

      • WinRAR.exe (PID: 2456)
    • Creates files in the program directory

      • svchost.exe (PID: 2572)
      • iexplore.exe (PID: 1908)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2456)
      • svchost.exe (PID: 2572)
    • Starts Internet Explorer

      • DesktopLayer.exe (PID: 3388)
  • INFO

    • Manual execution by user

      • svchost.exe (PID: 2572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: svchost.exe
ZipUncompressedSize: 56320
ZipCompressedSize: 54755
ZipCRC: 0x40c57347
ZipModifyDate: 2020:01:11 15:11:07
ZipCompression: Deflated
ZipBitFlag: 0
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Graph nodes: winrar.exe, svchost.exe, desktoplayer.exe (no specs), iexplore.exe (#RAMNIT); edge labels: start, drop and start

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2456
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\svchost.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
PID: 2572
CMD: "C:\Users\admin\Desktop\svchost.exe"
Path: C:\Users\admin\Desktop\svchost.exe
Parent process: explorer.exe
User:
admin
Company:
SOFTWIN S.R.L.
Integrity Level:
HIGH
Description:
BitDefender Management Console
Exit code:
0
Version:
106.42.73.61
Modules
Images
c:\users\admin\desktop\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
PID: 3388
CMD: "C:\Program Files\Microsoft\DesktopLayer.exe"
Path: C:\Program Files\Microsoft\DesktopLayer.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\microsoft\desktoplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\internet explorer\iexplore.exe
PID: 1908
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: DesktopLayer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
Total events
534
Read events
523
Write events
11
Delete events
0

Modification events

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (2456) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\svchost.zip

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (2456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

Process: (1908) iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value: c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
Executable files
2
Suspicious files
2
Text files
39
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2456
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\svchost.exe
Type: executable
MD5: FF5E1F27193CE51EEC318714EF038BEF
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320

PID: 2572
Process: svchost.exe
Filename: C:\Program Files\Microsoft\DesktopLayer.exe
Type: executable
MD5: FF5E1F27193CE51EEC318714EF038BEF
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Internet Explorer\dmlconf.dat
Type: binary
MD5: 702B30E090FDADB0D624B7D27879303D
SHA256: 87CF81595B02EED7727F06F1E07129F5225D9D08A74461266154CA51C24CCBEE

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Leame.htm
Type: html
MD5: 5079AFA6A352AFE6D89C9CF78EAF3644
SHA256: 34F530DC85BE9889F4ACC3CD32B7038542EDA595EC82829A32AA1EA4171BB63A

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Berime.htm
Type: html
MD5: CBADF7509F16BF3620AC5A483E4CBB1C
SHA256: 1F58F6F2330711369236A596E37B19F695C2677BB363C9A59E3A70AC220E95FB

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm
Type: html
MD5: A491201AB7305E2C71D90CB6CBBEEAA1
SHA256: 826444C3D91CB3694A2256B0D5470553FAAB1B70D0008A3294554875015BF0BC

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm
Type: html
MD5: 7BFD7D6BB6EAC5462C4F9E370F7A6F80
SHA256: 84E5D8D48334DF15BB9A99C858DA7D56268E14EEC1058F836BF6B4DC9DE41C0D

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm
Type: html
MD5: A6851D600250BF93716FD1721E509697
SHA256: 3B4DE405392B27B611E9D820857D221BE34873A4D28AE2DDBE760C78440011CA

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm
Type: html
MD5: 306F4A37ABAF653E02812B4CC1E71C1B
SHA256: B6E495D6E2A2CFE5C82361C881311BAB1BAB6C9B8908FED6EEE7F64203DF2B78

PID: 1908
Process: iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
Type: html
MD5: 37F3D4CB431CEC9AF2F69D87FE8A2F64
SHA256: 590E6DBB8DF77FE6E57894632FA6CB28C7B086704B0E7F9A348A95651310FD8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
5

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1908
iexplore.exe
72.26.218.70:443
fget-career.com
Voxel Dot Net, Inc.
NL
malicious
1908
iexplore.exe
172.217.16.78:80
google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.78
whitelisted
fget-career.com
  • 72.26.218.70
malicious

Threats

PID
Process
Class
Message
1908
iexplore.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
1908
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Ramnit Checkin
1908
iexplore.exe
A Network Trojan was detected
ET TROJAN Win32/Ramnit Checkin
1908
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Ramnit Checkin
1 ETPRO signature available in the full report
No debug info