File name: svchost.zip

Full analysis: https://app.any.run/tasks/761d2b1a-5144-4c49-b5a3-7a23c3533d86
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan's capabilities range from maintaining full remote control over the victim's machine to stealing data and files and dropping other malware, so the main functionality differs significantly from one trojan type to another. The most common trojan infection chain starts with a phishing email.

Analysis date: January 11, 2020, 07:24:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, ramnit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EF1E4C04BF60CACA1DFE0386A4F11D97
SHA1: C6C044EAFC184F275BF1A55DBDD85355C188D9E3
SHA256: 1FF04ED2CADB8BDA5A42EA75052F5346348CC75F14B4B22A841915D881BA1F7A
SSDEEP: 1536:muaDO+nKjYRotV3nsPFG+5ODTb7MX6DgDTj:PwEYutj+5O7oH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DesktopLayer.exe (PID: 3388)
      • svchost.exe (PID: 2572)
    • Changes the login/logoff helper path in the registry

      • iexplore.exe (PID: 1908)
    • RAMNIT was detected

      • iexplore.exe (PID: 1908)
    • Connects to CnC server

      • iexplore.exe (PID: 1908)
  • SUSPICIOUS

    • Creates executable files which already exist in Windows

      • WinRAR.exe (PID: 2456)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2456)
      • svchost.exe (PID: 2572)
    • Starts Internet Explorer

      • DesktopLayer.exe (PID: 3388)
    • Creates files in the program directory

      • iexplore.exe (PID: 1908)
      • svchost.exe (PID: 2572)
  • INFO

    • Manual execution by user

      • svchost.exe (PID: 2572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: svchost.exe
ZipUncompressedSize: 56320
ZipCompressedSize: 54755
ZipCRC: 0x40c57347
ZipModifyDate: 2020:01:11 15:11:07
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: winrar.exe, svchost.exe, desktoplayer.exe, iexplore.exe (tagged #RAMNIT); graph labels shown: start, drop and start, no specs.

Process information

PID: 2456
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\svchost.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2572
CMD: "C:\Users\admin\Desktop\svchost.exe"
Path: C:\Users\admin\Desktop\svchost.exe
Parent process: explorer.exe
User: admin
Company: SOFTWIN S.R.L.
Integrity Level: HIGH
Description: BitDefender Management Console
Exit code: 0
Version: 106.42.73.61
Modules (images):
c:\users\admin\desktop\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 3388
CMD: "C:\Program Files\Microsoft\DesktopLayer.exe"
Path: C:\Program Files\Microsoft\DesktopLayer.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\microsoft\desktoplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 1908
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: DesktopLayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 534
Read events: 523
Write events: 11
Delete events: 0

Modification events

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

PID 2456, WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\svchost.zip

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID 2456, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

PID 1908, iexplore.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Userinit
Value: c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
Executable files: 2
Suspicious files: 2
Text files: 39
Unknown types: 0

Dropped files

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm
Type: html
MD5: 7BFD7D6BB6EAC5462C4F9E370F7A6F80
SHA256: 84E5D8D48334DF15BB9A99C858DA7D56268E14EEC1058F836BF6B4DC9DE41C0D

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
Type: html
MD5: 37F3D4CB431CEC9AF2F69D87FE8A2F64
SHA256: 590E6DBB8DF77FE6E57894632FA6CB28C7B086704B0E7F9A348A95651310FD8E

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DAN\license.html
Type: xml
MD5: 4A7294F5F2EF29591C7ADA018783985B
SHA256: 9DB7360661300BA7CD9547950860B7D8CD634A655E475A28BBC0EEEB29848333

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Berime.htm
Type: html
MD5: CBADF7509F16BF3620AC5A483E4CBB1C
SHA256: 1F58F6F2330711369236A596E37B19F695C2677BB363C9A59E3A70AC220E95FB

PID 1908, iexplore.exe
Filename: C:\Program Files\Internet Explorer\dmlconf.dat
Type: binary
MD5: 702B30E090FDADB0D624B7D27879303D
SHA256: 87CF81595B02EED7727F06F1E07129F5225D9D08A74461266154CA51C24CCBEE

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html
Type: xml
MD5: EFF1C69346C2497A5AE6EC7FCC2C4477
SHA256: 0605C364DEA456FF09F7F6CEEA18C1FFBE805D2747943D8AA6C94927BD2D8DE8

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm
Type: html
MD5: 439C71C59341E5E518D0EABC4099A24B
SHA256: 419BCE4CD535A08FD240849436101579FC6A5464690D166E3E7A8EED87F12293

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Leame.htm
Type: html
MD5: 5079AFA6A352AFE6D89C9CF78EAF3644
SHA256: 34F530DC85BE9889F4ACC3CD32B7038542EDA595EC82829A32AA1EA4171BB63A

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm
Type: html
MD5: 3FE5C54F7BDC00C83C49C27C9241FC80
SHA256: C65C0C1406867B92BF4590173628035FAE1ECDA06B222941B564B647F622917E

PID 1908, iexplore.exe
Filename: C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHT\license.html
Type: xml
MD5: 909C2BEF1CB3B9C5383DC566961B3E4C
SHA256: 98D29CED4AED84E21724B07B18E7895CADAEDFE38B3BADA73CE3C6CA8E9CCD3E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 5

HTTP requests

No HTTP requests

Connections

PID 1908, iexplore.exe
IP: 172.217.16.78:80
Domain: google.com
ASN: Google Inc.
CN: US
Reputation: whitelisted

PID 1908, iexplore.exe
IP: 72.26.218.70:443
Domain: fget-career.com
ASN: Voxel Dot Net, Inc.
CN: NL
Reputation: malicious

DNS requests

Domain: google.com
IP: 172.217.16.78
Reputation: malicious

Domain: fget-career.com
IP: 72.26.218.70
Reputation: malicious

Threats

(PID and process not listed in the extracted report)

Class: A Network Trojan was detected
Message: ET TROJAN Win32/Ramnit Checkin

Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Win32/Ramnit Checkin

Class: A Network Trojan was detected
Message: ET TROJAN Win32/Ramnit Checkin

Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Win32/Ramnit Checkin
1 ETPRO signatures available at the full report
No debug info