Malware analysis select Malicious activity | ANY.RUN

Add for printing

File name:	select
Full analysis:	https://app.any.run/tasks/035c1e1d-ca24-42d1-8bcc-e4b5eac8de68
Verdict:	Malicious activity
Threats:	FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 19, 2019, 01:47:59
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	exe-to-msi rat flawedammyy ammyy trojan
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:	C19F4137DA7C2D9E5A6A26EFE3FC0F9A
SHA1:	B89129999C1D61AAC0141BA9E3656B612DFD01AD
SHA256:	10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079
SSDEEP:	3072:mEuxp21krc+gT892t0sIMhnj7+kdu8Ocv7cul9O1bwDjHl:mEgWEc+gg9zsIMrcu3v9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - cmd.exe (PID: 4004)
  - cmd.exe (PID: 872)
  - cmd.exe (PID: 3268)
- Application was dropped or rewritten from another process
  - wsus.exe (PID: 2740)
  - wsus.exe (PID: 3488)
- Connects to CnC server
  - wsus.exe (PID: 2740)
- FLAWEDAMMYY was detected
  - wsus.exe (PID: 2740)
SUSPICIOUS
- Starts SC.EXE for service management
  - cmd.exe (PID: 2344)
  - cmd.exe (PID: 2876)
  - cmd.exe (PID: 3560)
- Executable content was dropped or overwritten
  - MSID7E9.tmp (PID: 2376)
  - msiexec.exe (PID: 2372)
- Application launched itself
  - wsus.exe (PID: 3488)
- Starts CMD.EXE for commands execution
  - MSID7E9.tmp (PID: 2376)
- Drop ExeToMSI Application
  - msiexec.exe (PID: 2372)
- Creates files in the program directory
  - MSID7E9.tmp (PID: 2376)
INFO
- Searches for installed software
  - msiexec.exe (PID: 2372)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2244)
- Starts application with an unusual extension
  - msiexec.exe (PID: 2372)
- Application was dropped or rewritten from another process
  - MSID7E9.tmp (PID: 2376)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
LastPrinted:	2012:09:21 09:56:09
CreateDate:	2012:09:21 09:56:09
Software:	Windows Installer
Title:	Exe to msi converter free
Subject:	-
Author:	www.exetomsi.com
Keywords:	-
Comments:	-
Template:	;0
LastModifiedBy:	devuser
RevisionNumber:	{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate:	2013:05:21 11:56:44
Pages:	100
Words:	-
Security:	None

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

872

"C:\Windows\System32\cmd.exe" /C net.exe start foundation y

C:\Windows\System32\cmd.exe

MSID7E9.tmp

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1092

C:\Windows\system32\net1 start foundation y

C:\Windows\system32\net1.exe

—

net.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

2244

C:\Windows\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2344

"C:\Windows\System32\cmd.exe" /C sc delete foundation

C:\Windows\System32\cmd.exe

MSID7E9.tmp

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

1060

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2372

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2376

"C:\Windows\Installer\MSID7E9.tmp"

C:\Windows\Installer\MSID7E9.tmp

msiexec.exe

User:

admin

Company:

IBM Controler' System Security Control

Integrity Level:

MEDIUM

Description:

IBM Controler' System Security Control

Exit code:

Version:

2.8.17228.1

Modules

Images
c:\windows\installer\msid7e9.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv

2464

net.exe stop foundation

C:\Windows\system32\net.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

2740

"C:\ProgramData\Microsofts Help\wsus.exe" -nogui

C:\ProgramData\Microsofts Help\wsus.exe

wsus.exe

User:

SYSTEM

Company:

Microsoft Block Security

Integrity Level:

SYSTEM

Description:

Microsoft Block Security

Exit code:

Version:

1.18.2.51920

Modules

Images
c:\programdata\microsofts help\wsus.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winscard.dll
c:\windows\system32\ws2_32.dll

2876

"C:\Windows\System32\cmd.exe" /C sc create foundation binPath= "C:\ProgramData\Microsofts Help\wsus.exe -service" type= own start= auto error= ignore

C:\Windows\System32\cmd.exe

MSID7E9.tmp

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2956

"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\select.msi"

C:\Windows\System32\msiexec.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

604

Read events

427

Write events

177

Delete events

Modification events


(PID) Process:	(2372) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4000000000000000229D3B35F5C7D40144090000EC0F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2372) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4000000000000000229D3B35F5C7D40144090000EC0F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2372) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 20
(PID) Process:	(2372) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4000000000000000B6D2B235F5C7D40144090000EC0F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2372) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 40000000000000006A97B735F5C7D40144090000A80E0000E803000001000000000000000000000064E623EF401F0D4385C863FDCECA8EC60000000000000000
(PID) Process:	(2244) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000086E5C535F5C7D401C4080000DC0A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2244) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000086E5C535F5C7D401C4080000200F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2244) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000086E5C535F5C7D401C4080000240F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2244) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000086E5C535F5C7D401C4080000D80A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2244) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 4000000000000000940CCD35F5C7D401C4080000200F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2372	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2372	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF395EF7DA6C7C1DAB.TMP		—
		MD5:—	SHA256:—
2244	vssvc.exe	C:		—
		MD5:—	SHA256:—
2976	DrvInst.exe	C:\Windows\INF\setupapi.ev1		binary
		MD5:—	SHA256:—
2372	msiexec.exe	C:\Windows\Installer\19d019.ipi		binary
		MD5:—	SHA256:—
2376	MSID7E9.tmp	C:\ProgramData\Microsofts Help\wsus.exe		executable
		MD5:—	SHA256:—
2976	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:—	SHA256:—
2976	DrvInst.exe	C:\Windows\INF\setupapi.dev.log		ini
		MD5:—	SHA256:—
2372	msiexec.exe	C:\Windows\Installer\MSID661.tmp		binary
		MD5:—	SHA256:—
2376	MSID7E9.tmp	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\dat1[1].omg		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2376	MSID7E9.tmp	GET	200	185.17.120.235:80	http://185.17.120.235/dat1.omg	RU	binary	657 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2376	MSID7E9.tmp	185.17.120.235:80	—	Leaseweb Deutschland GmbH	RU	suspicious
2740	wsus.exe	185.99.133.2:80	—	Zappie Host LLC	NZ	malicious

DNS requests

No data

Threats

PID	Process	Class	Message
2740	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] FlawedAmmyy.RAT
2740	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] AMMYY RAT
2740	wsus.exe	A Network Trojan was detected	ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
2740	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin

Add for printing

Process	Message
MSID7E9.tmp	C:\ProgramData\Microsofts Help\template_3e330.DATAHASH
MSID7E9.tmp	--End Dowload--
MSID7E9.tmp	/C sc create foundation binPath= "C:\ProgramData\Microsofts Help\wsus.exe -service" type= own start= auto error= ignore

General Info

select

C19F4137DA7C2D9E5A6A26EFE3FC0F9A

B89129999C1D61AAC0141BA9E3656B612DFD01AD

10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079

3072:mEuxp21krc+gT892t0sIMhnj7+kdu8Ocv7cul9O1bwDjHl:mEgWEc+gg9zsIMrcu3v9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Application was dropped or rewritten from another process

Connects to CnC server

FLAWEDAMMYY was detected

SUSPICIOUS

Starts SC.EXE for service management

Executable content was dropped or overwritten

Application launched itself

Starts CMD.EXE for commands execution

Drop ExeToMSI Application

Creates files in the program directory

INFO

Searches for installed software

Low-level read access rights to disk partition

Starts application with an unusual extension

Application was dropped or rewritten from another process

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings