Malware analysis select Malicious activity | ANY.RUN

Add for printing

File name:	select
Full analysis:	https://app.any.run/tasks/4ca36eee-62f9-4748-8bd5-de699dc891d3
Verdict:	Malicious activity
Threats:	FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 19, 2019, 01:53:38
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	exe-to-msi rat flawedammyy ammyy trojan
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:	C19F4137DA7C2D9E5A6A26EFE3FC0F9A
SHA1:	B89129999C1D61AAC0141BA9E3656B612DFD01AD
SHA256:	10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079
SSDEEP:	3072:mEuxp21krc+gT892t0sIMhnj7+kdu8Ocv7cul9O1bwDjHl:mEgWEc+gg9zsIMrcu3v9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - cmd.exe (PID: 3448)
  - cmd.exe (PID: 4092)
  - cmd.exe (PID: 2652)
- Application was dropped or rewritten from another process
  - wsus.exe (PID: 3712)
  - wsus.exe (PID: 3056)
- Connects to CnC server
  - wsus.exe (PID: 3056)
- FLAWEDAMMYY was detected
  - wsus.exe (PID: 3056)
SUSPICIOUS
- Drop ExeToMSI Application
  - msiexec.exe (PID: 2324)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2324)
  - MSIA1D0.tmp (PID: 2836)
- Starts CMD.EXE for commands execution
  - MSIA1D0.tmp (PID: 2836)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3700)
  - cmd.exe (PID: 3080)
  - cmd.exe (PID: 2288)
- Creates files in the program directory
  - MSIA1D0.tmp (PID: 2836)
- Application launched itself
  - wsus.exe (PID: 3712)
INFO
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2232)
- Searches for installed software
  - msiexec.exe (PID: 2324)
- Starts application with an unusual extension
  - msiexec.exe (PID: 2324)
- Application was dropped or rewritten from another process
  - MSIA1D0.tmp (PID: 2836)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
LastPrinted:	2012:09:21 09:56:09
CreateDate:	2012:09:21 09:56:09
Software:	Windows Installer
Title:	Exe to msi converter free
Subject:	-
Author:	www.exetomsi.com
Keywords:	-
Comments:	-
Template:	;0
LastModifiedBy:	devuser
RevisionNumber:	{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate:	2013:05:21 11:56:44
Pages:	100
Words:	-
Security:	None

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2984	"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\select.msi"	C:\Windows\System32\msiexec.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2324	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2232	C:\Windows\system32\vssvc.exe	C:\Windows\system32\vssvc.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2704	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000550" "00000330"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2836	"C:\Windows\Installer\MSIA1D0.tmp"	C:\Windows\Installer\MSIA1D0.tmp		msiexec.exe
User: admin Company: IBM Controler' System Security Control Integrity Level: MEDIUM Description: IBM Controler' System Security Control Version: 2.8.17228.1
3448	"C:\Windows\System32\cmd.exe" /C net.exe stop foundation	C:\Windows\System32\cmd.exe		MSIA1D0.tmp
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3700	"C:\Windows\System32\cmd.exe" /C sc delete foundation	C:\Windows\System32\cmd.exe		MSIA1D0.tmp
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1060 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2808	net.exe stop foundation	C:\Windows\system32\net.exe	—	cmd.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3152	sc delete foundation	C:\Windows\system32\sc.exe	—	cmd.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: A tool to aid in developing services for WindowsNT Exit code: 1060 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3984	C:\Windows\system32\net1 stop foundation	C:\Windows\system32\net1.exe	—	net.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Add for printing

Total events

615

Read events

438

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2324	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2704	DrvInst.exe	C:\Windows\INF\setupapi.ev1		binary
		MD5:34600D00BC8310E3F2BBB85BB95E992E	SHA256:4D9902941A0ABC921BB8018EC6C0F56235C8FDE67AAE8F538E843EFF8BF044B0
2324	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{def2675f-1ea4-49a2-8367-5f05f45b97ea}_OnDiskSnapshotProp		binary
		MD5:4337F9D39712EEB242E2C97D0F871E4A	SHA256:A578CC0B1233220425F627FA7803FC544B38D4B833E09E0A2109F9F646EC46BE
2324	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:4337F9D39712EEB242E2C97D0F871E4A	SHA256:A578CC0B1233220425F627FA7803FC544B38D4B833E09E0A2109F9F646EC46BE
2704	DrvInst.exe	C:\Windows\INF\setupapi.dev.log		ini
		MD5:ED737009718B2972F4C725E456BA5B98	SHA256:256FF79F326F415DCCFA5B7F769BB3FBB99B82D331EB84266E5565069835D75A
2704	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:76DCC60F78B3DFF1AE3627619074F465	SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
2324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF78F86D8611F9DDAE.TMP		—
		MD5:—	SHA256:—
2232	vssvc.exe	C:		—
		MD5:—	SHA256:—
2324	msiexec.exe	C:\Windows\Installer\MSIA0F4.tmp		binary
		MD5:97079A31C0C25586F625E1A0F430509C	SHA256:D4DBF9C7A43FFBD35539F7B67D682F4CA97F5C38E667D0F61D853E4C0A7E41C4
2324	msiexec.exe	C:\Windows\Installer\249c04.ipi		binary
		MD5:F99FBF9C8CA60852B5EDD8ED5F7D9C4B	SHA256:2C940DEA4F74EDCAF9AC60ADDDA6F820A98662C4D1FE03E2FA34EA65F060DB8C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2836	MSIA1D0.tmp	GET	200	185.17.120.235:80	http://185.17.120.235/dat1.omg	RU	binary	657 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3056	wsus.exe	185.99.133.2:80	—	Zappie Host LLC	NZ	malicious
2836	MSIA1D0.tmp	185.17.120.235:80	—	Leaseweb Deutschland GmbH	RU	suspicious

DNS requests

No data

Threats

PID	Process	Class	Message
3056	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] FlawedAmmyy.RAT
3056	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] AMMYY RAT
3056	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] FlawedAmmyy.RAT
3056	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] AMMYY RAT
3056	wsus.exe	A Network Trojan was detected	ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
3056	wsus.exe	A Network Trojan was detected	MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin

Add for printing

Process	Message
MSIA1D0.tmp	C:\ProgramData\Microsofts Help\template_d7e330.DATAHASH
MSIA1D0.tmp	--End Dowload--
MSIA1D0.tmp	/C sc create foundation binPath= "C:\ProgramData\Microsofts Help\wsus.exe -service" type= own start= auto error= ignore

General Info

select

C19F4137DA7C2D9E5A6A26EFE3FC0F9A

B89129999C1D61AAC0141BA9E3656B612DFD01AD

10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079

3072:mEuxp21krc+gT892t0sIMhnj7+kdu8Ocv7cul9O1bwDjHl:mEgWEc+gg9zsIMrcu3v9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Application was dropped or rewritten from another process

Connects to CnC server

FLAWEDAMMYY was detected

SUSPICIOUS

Drop ExeToMSI Application

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Creates files in the program directory

Application launched itself

INFO

Low-level read access rights to disk partition

Searches for installed software

Starts application with an unusual extension

Application was dropped or rewritten from another process

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings