File name: svchost.zip

Full analysis: https://app.any.run/tasks/761d2b1a-5144-4c49-b5a3-7a23c3533d86
Verdict: Malicious activity
Analysis date: January 11, 2020, 07:24:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, ramnit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EF1E4C04BF60CACA1DFE0386A4F11D97
SHA1: C6C044EAFC184F275BF1A55DBDD85355C188D9E3
SHA256: 1FF04ED2CADB8BDA5A42EA75052F5346348CC75F14B4B22A841915D881BA1F7A
SSDEEP: 1536:muaDO+nKjYRotV3nsPFG+5ODTb7MX6DgDTj:PwEYutj+5O7oH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • svchost.exe (PID: 2572)
      • DesktopLayer.exe (PID: 3388)
    • Changes the login/logoff helper path in the registry
      • iexplore.exe (PID: 1908)
    • Connects to CnC server
      • iexplore.exe (PID: 1908)
    • RAMNIT was detected
      • iexplore.exe (PID: 1908)
  • SUSPICIOUS
    • Creates files in the program directory
      • iexplore.exe (PID: 1908)
      • svchost.exe (PID: 2572)
    • Executable content was dropped or overwritten
      • svchost.exe (PID: 2572)
      • WinRAR.exe (PID: 2456)
    • Starts Internet Explorer
      • DesktopLayer.exe (PID: 3388)
    • Creates executable files which already exist in Windows
      • WinRAR.exe (PID: 2456)
  • INFO
    • Manual execution by user
      • svchost.exe (PID: 2572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: svchost.exe
ZipUncompressedSize: 56320
ZipCompressedSize: 54755
ZipCRC: 0x40c57347
ZipModifyDate: 2020:01:11 15:11:07
ZipCompression: Deflated
ZipBitFlag: 0
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Process graph: winrar.exe → svchost.exe → desktoplayer.exe (no specs) → iexplore.exe (#RAMNIT); edge labels shown in the graph: "start", "drop and start"]

Process information

PID 2456
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\svchost.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 2572
CMD: "C:\Users\admin\Desktop\svchost.exe"
Path: C:\Users\admin\Desktop\svchost.exe
Parent process: explorer.exe
User: admin
Company: SOFTWIN S.R.L.
Integrity Level: HIGH
Description: BitDefender Management Console
Exit code: 0
Version: 106.42.73.61

PID 3388
CMD: "C:\Program Files\Microsoft\DesktopLayer.exe"
Path: C:\Program Files\Microsoft\DesktopLayer.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID 1908
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: DesktopLayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 534
Read events: 523
Write events: 11
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name = Value
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon = (empty)
(2456) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | LanguageList = en-US
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\AppData\Local\Temp\svchost.zip
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime = 100
(2456) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 = C:\Users\admin\Desktop
(1908) iexplore.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
Executable files: 2
Suspicious files: 2
Text files: 39
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm | html
  MD5: A491201AB7305E2C71D90CB6CBBEEAA1
  SHA256: 826444C3D91CB3694A2256B0D5470553FAAB1B70D0008A3294554875015BF0BC
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm | html
  MD5: 439C71C59341E5E518D0EABC4099A24B
  SHA256: 419BCE4CD535A08FD240849436101579FC6A5464690D166E3E7A8EED87F12293
2456 | WinRAR.exe | C:\Users\admin\Desktop\svchost.exe | executable
  MD5: FF5E1F27193CE51EEC318714EF038BEF
  SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm | html
  MD5: 06EE95A60459E8B22EA76F1BE1A619E3
  SHA256: 8A17F941DBD591C215422998F8D098742D1BF7D736C927F3E37217F545420416
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm | html
  MD5: 3FE5C54F7BDC00C83C49C27C9241FC80
  SHA256: C65C0C1406867B92BF4590173628035FAE1ECDA06B222941B564B647F622917E
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html | xml
  MD5: EFF1C69346C2497A5AE6EC7FCC2C4477
  SHA256: 0605C364DEA456FF09F7F6CEEA18C1FFBE805D2747943D8AA6C94927BD2D8DE8
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHT\license.html | xml
  MD5: 909C2BEF1CB3B9C5383DC566961B3E4C
  SHA256: 98D29CED4AED84E21724B07B18E7895CADAEDFE38B3BADA73CE3C6CA8E9CCD3E
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHS\license.html | xml
  MD5: 68A3F112C4D71284AE0B4AB1F691D7A0
  SHA256: C1DA768A291F0F1691BBE933C020B79815F458D1B77C689DF10B89072F870612
2572 | svchost.exe | C:\Program Files\Microsoft\DesktopLayer.exe | executable
  MD5: FF5E1F27193CE51EEC318714EF038BEF
  SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm | html
  MD5: 7BFD7D6BB6EAC5462C4F9E370F7A6F80
  SHA256: 84E5D8D48334DF15BB9A99C858DA7D56268E14EEC1058F836BF6B4DC9DE41C0D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 5

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1908 | iexplore.exe | 172.217.16.78:80 | google.com | Google Inc. | US | whitelisted
1908 | iexplore.exe | 72.26.218.70:443 | fget-career.com | Voxel Dot Net, Inc. | NL | malicious

DNS requests

Domain | IP | Reputation
google.com | 172.217.16.78 | whitelisted
fget-career.com | 72.26.218.70 | malicious

Threats

PID | Process | Class | Message
1908 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin
1908 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin
1908 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin
1908 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin
1 ETPRO signatures available at the full report
No debug info