analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

c05f5f4559ce43fbcefdcbf76c7a9e71db4db97afe45786b5c7e924aa130fcfb.xls

Full analysis: https://app.any.run/tasks/4c2023b2-694d-446a-b929-33e9c2b619c5
Verdict: Malicious activity
Threats:

FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Malware Trends Tracker     >>>
Analysis date: June 20, 2019, 07:12:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
flawedammyy
ammyy
trojan
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: kerio, Last Saved By: alex, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat May 18 08:27:21 2019, Last Saved Time/Date: Wed Jun 19 18:42:03 2019, Security: 0
MD5:

4DEE778771A60586D664D307357763B5

SHA1:

A61FE59A8557B7DF8481D318463290DB0ADFE733

SHA256:

1838757CE7D5140782DF466C77F0C868A031FC5F773670C84E9ED4ACB4A667A8

SSDEEP:

6144:6Kpb8rGYrMPelwhKmFV5xtuEsg8/dgpLwQdh4AcC+a1q8/au0MZpq0jO:j0QdhUvAz/aQpq0jO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • stt.exe (PID: 3684)
      • wsus.exe (PID: 2128)
      • wsus.exe (PID: 772)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3320)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3320)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3320)

    • Starts NET.EXE to view/change users group

      • stt.exe (PID: 3684)

    • FLAWEDAMMYY was detected

      • wsus.exe (PID: 2128)

    • Connects to CnC server

      • wsus.exe (PID: 2128)

    • Loads the Task Scheduler COM API

      • stt.exe (PID: 3684)

    • AMMYY was detected

      • wsus.exe (PID: 2128)

    • Changes the autorun value in the registry

      • stt.exe (PID: 3684)

    • Loads the Task Scheduler DLL interface

      • stt.exe (PID: 3684)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 3320)

    • Creates files in the program directory

      • stt.exe (PID: 3684)

    • Starts CMD.EXE for commands execution

      • stt.exe (PID: 3684)

    • Executed via Task Scheduler

      • wsus.exe (PID: 772)

    • Executable content was dropped or overwritten

      • stt.exe (PID: 3684)

    • Creates files in the Windows directory

      • stt.exe (PID: 3684)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3320)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Листы
  • 1
TitleOfParts: 1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2019:06:19 17:42:03
CreateDate: 2019:05:18 07:27:21
Software: Microsoft Excel
LastModifiedBy: alex
Author: kerio
CompObjUserType: Microsoft Forms 2.0 Form
CompObjUserTypeLen: 25
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start excel.exe cmd.exe no specs stt.exe net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs #AMMYY wsus.exe cmd.exe no specs wsus.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3320"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1760cmd.exe /c start "" stt.exeC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3684stt.exe C:\Users\admin\Documents\stt.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2472net group /domainC:\Windows\system32\net.exestt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2736C:\Windows\system32\net1 group /domainC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1208net group /domainC:\Windows\system32\net.exestt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3200C:\Windows\system32\net1 group /domainC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2128C:\ProgramData\NuGets\wsus.exeC:\ProgramData\NuGets\wsus.exe
stt.exe
User:
admin
Integrity Level:
MEDIUM
2172"C:\Windows\system32\cmd.exe" /c del C:\Users\admin\DOCUME~1\stt.exe >> NULC:\Windows\system32\cmd.exestt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
772C:\ProgramData\NuGets\wsus.exe C:\ProgramData\NuGets\wsus.exetaskeng.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
760
Read events
643
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
4
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
3320EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVREDB8.tmp.cvr
MD5:
SHA256:
3320EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:28F215B66C25F3E58C89E00A035AB6DF
SHA256:6377642B3B7C45D9A385307CC3DFD1B43E12A95C6560069AA22220A223E7A23E
3684stt.exeC:\Windows\Tasks\Microsoft System Protect.jobbinary
MD5:2AEFF20196681BEA05D1489D1B7E211F
SHA256:D64979D0F20FB9A8029F349EF98F79F38B02575541829CBE227F09F0FCC2DBC0
3684stt.exeC:\ProgramData\NuGets\template_41c318.TMPTMPZIP7binary
MD5:36F89707C748B3E2E0BC880F75B4CAED
SHA256:AB0A29DB8DA2CAEFEEDC8FDB3773E1CCC49FE721029F0E1C291273304EA382A8
3320EXCEL.EXEC:\Users\admin\Documents\stt.exeexecutable
MD5:C26CE0E515BC3BEBA7A664E920AD005A
SHA256:43029BB89B0C7203743F75CC46F137041304B0E253FB0F7E58B3EB27E7928B5A
3684stt.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\02[1].datbinary
MD5:36F89707C748B3E2E0BC880F75B4CAED
SHA256:AB0A29DB8DA2CAEFEEDC8FDB3773E1CCC49FE721029F0E1C291273304EA382A8
3684stt.exeC:\ProgramData\NuGets\wsus.exeexecutable
MD5:E70EB94ADF7BC442032938AFF77ED7B9
SHA256:C2C6F548FE6832C84C8AB45288363B78959D6DDA2DD926100C5885DE14C4708B
3320EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\p2[1]executable
MD5:C26CE0E515BC3BEBA7A664E920AD005A
SHA256:43029BB89B0C7203743F75CC46F137041304B0E253FB0F7E58B3EB27E7928B5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3684
stt.exe
GET
200
54.38.127.28:80
http://54.38.127.28/02.dat
FR
binary
583 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3684
stt.exe
54.38.127.28:80
OVH SAS
FR
suspicious
2128
wsus.exe
185.117.89.145:80
Portlane AB
SE
malicious
3320
EXCEL.EXE
179.43.147.77:80
Private Layer INC
CH
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3320
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3320
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3320
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3320
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3320
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3320
EXCEL.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2128
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT
2128
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] AMMYY RAT
2128
wsus.exe
A Network Trojan was detected
ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
2128
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin
Process
Message
stt.exe
C:\ProgramData\NuGets\template_41c318.TMPTMPZIP7
stt.exe
1
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
c05f5f4559ce43fbcefdcbf76c7a9e71db4db97afe45786b5c7e924aa130fcfb.xls