File name: c05f5f4559ce43fbcefdcbf76c7a9e71db4db97afe45786b5c7e924aa130fcfb.xls

Full analysis: https://app.any.run/tasks/4c2023b2-694d-446a-b929-33e9c2b619c5
Verdict: Malicious activity
Threats:

FlawedAmmyy is a RAT-type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Analysis date: June 20, 2019, 07:12:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, flawedammyy, ammyy, trojan
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: kerio, Last Saved By: alex, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat May 18 08:27:21 2019, Last Saved Time/Date: Wed Jun 19 18:42:03 2019, Security: 0
MD5: 4DEE778771A60586D664D307357763B5
SHA1: A61FE59A8557B7DF8481D318463290DB0ADFE733
SHA256: 1838757CE7D5140782DF466C77F0C868A031FC5F773670C84E9ED4ACB4A667A8
SSDEEP: 6144:6Kpb8rGYrMPelwhKmFV5xtuEsg8/dgpLwQdh4AcC+a1q8/au0MZpq0jO:j0QdhUvAz/aQpq0jO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 3320)
    • Starts CMD.EXE for commands execution
      • EXCEL.EXE (PID: 3320)
    • Executable content was dropped or overwritten
      • EXCEL.EXE (PID: 3320)
    • Application was dropped or rewritten from another process
      • stt.exe (PID: 3684)
      • wsus.exe (PID: 2128)
      • wsus.exe (PID: 772)
    • Starts NET.EXE to view/change users group
      • stt.exe (PID: 3684)
    • FLAWEDAMMYY was detected
      • wsus.exe (PID: 2128)
    • AMMYY was detected
      • wsus.exe (PID: 2128)
    • Loads the Task Scheduler COM API
      • stt.exe (PID: 3684)
    • Connects to CnC server
      • wsus.exe (PID: 2128)
    • Loads the Task Scheduler DLL interface
      • stt.exe (PID: 3684)
    • Changes the autorun value in the registry
      • stt.exe (PID: 3684)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 3320)
    • Creates files in the program directory
      • stt.exe (PID: 3684)
    • Executable content was dropped or overwritten
      • stt.exe (PID: 3684)
    • Starts CMD.EXE for commands execution
      • stt.exe (PID: 3684)
    • Executed via Task Scheduler
      • wsus.exe (PID: 772)
    • Creates files in the Windows directory
      • stt.exe (PID: 3684)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3320)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3320)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Листы
  • 1
TitleOfParts: 1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2019:06:19 17:42:03
CreateDate: 2019:05:18 07:27:21
Software: Microsoft Excel
LastModifiedBy: alex
Author: kerio
CompObjUserType: Microsoft Forms 2.0 Form
CompObjUserTypeLen: 25
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

[Behavior graph: process nodes excel.exe, cmd.exe, stt.exe, net.exe, net1.exe, net.exe, net1.exe, wsus.exe (#AMMYY), cmd.exe, wsus.exe, cmd.exe; edge labels "start" and "drop and start"; several nodes marked "no specs"]

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 3320
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000
Modules (Images):
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1760
CMD: cmd.exe /c start "" stt.exe
Path: C:\Windows\system32\cmd.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3684
CMD: stt.exe
Path: C:\Users\admin\Documents\stt.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\documents\stt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID: 2472
CMD: net group /domain
Path: C:\Windows\system32\net.exe
Parent process: stt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

PID: 2736
CMD: C:\Windows\system32\net1 group /domain
Path: C:\Windows\system32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

PID: 1208
CMD: net group /domain
Path: C:\Windows\system32\net.exe
Parent process: stt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

PID: 3200
CMD: C:\Windows\system32\net1 group /domain
Path: C:\Windows\system32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

PID: 2128
CMD: C:\ProgramData\NuGets\wsus.exe
Path: C:\ProgramData\NuGets\wsus.exe
Parent process: stt.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\programdata\nugets\wsus.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID: 2172
CMD: "C:\Windows\system32\cmd.exe" /c del C:\Users\admin\DOCUME~1\stt.exe >> NUL
Path: C:\Windows\system32\cmd.exe
Parent process: stt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 772
CMD: C:\ProgramData\NuGets\wsus.exe
Path: C:\ProgramData\NuGets\wsus.exe
Parent process: taskeng.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\programdata\nugets\wsus.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

Total events: 760
Read events: 643
Write events: 110
Delete events: 7

Modification events

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: write
Name: 8i>
Value: 38693E00F80C0000010000000000000000000000

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation: write
Name: MTTT
Value: F80C00000EAD48803727D50100000000

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete value
Name: 8i>
Value: 38693E00F80C0000010000000000000000000000

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete key
Name:
Value:

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation: delete key
Name:
Value:

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (3320) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F403
Operation: write
Name: 11F403
Value:
Executable files: 3
Suspicious files: 4
Text files: 0
Unknown types: 1

Dropped files

PID: 3320
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVREDB8.tmp.cvr
Type:
MD5:
SHA256:

PID: 3320
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 28F215B66C25F3E58C89E00A035AB6DF
SHA256: 6377642B3B7C45D9A385307CC3DFD1B43E12A95C6560069AA22220A223E7A23E

PID: 3684
Process: stt.exe
Filename: C:\ProgramData\NuGets\wsus.exe
Type: executable
MD5: E70EB94ADF7BC442032938AFF77ED7B9
SHA256: C2C6F548FE6832C84C8AB45288363B78959D6DDA2DD926100C5885DE14C4708B

PID: 3320
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\p2[1]
Type: executable
MD5: C26CE0E515BC3BEBA7A664E920AD005A
SHA256: 43029BB89B0C7203743F75CC46F137041304B0E253FB0F7E58B3EB27E7928B5A

PID: 3684
Process: stt.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\02[1].dat
Type: binary
MD5: 36F89707C748B3E2E0BC880F75B4CAED
SHA256: AB0A29DB8DA2CAEFEEDC8FDB3773E1CCC49FE721029F0E1C291273304EA382A8

PID: 3684
Process: stt.exe
Filename: C:\ProgramData\NuGets\template_41c318.TMPTMPZIP7
Type: binary
MD5: 36F89707C748B3E2E0BC880F75B4CAED
SHA256: AB0A29DB8DA2CAEFEEDC8FDB3773E1CCC49FE721029F0E1C291273304EA382A8

PID: 3320
Process: EXCEL.EXE
Filename: C:\Users\admin\Documents\stt.exe
Type: executable
MD5: C26CE0E515BC3BEBA7A664E920AD005A
SHA256: 43029BB89B0C7203743F75CC46F137041304B0E253FB0F7E58B3EB27E7928B5A

PID: 3684
Process: stt.exe
Filename: C:\Windows\Tasks\Microsoft System Protect.job
Type: binary
MD5: 2AEFF20196681BEA05D1489D1B7E211F
SHA256: D64979D0F20FB9A8029F349EF98F79F38B02575541829CBE227F09F0FCC2DBC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 0
Threats: 10

HTTP requests

PID: 3684
Process: stt.exe
Method: GET
HTTP Code: 200
IP: 54.38.127.28:80
URL: http://54.38.127.28/02.dat
CN: FR
Type: binary
Size: 583 Kb
Reputation: suspicious

Connections

PID: 3320
Process: EXCEL.EXE
IP: 179.43.147.77:80
Domain:
ASN: Private Layer INC
CN: CH
Reputation: suspicious

PID: 3684
Process: stt.exe
IP: 54.38.127.28:80
Domain:
ASN: OVH SAS
CN: FR
Reputation: suspicious

PID: 2128
Process: wsus.exe
IP: 185.117.89.145:80
Domain:
ASN: Portlane AB
CN: SE
Reputation: malicious

DNS requests

No data

Threats

Class: Misc activity
Message: SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2

Class: Potentially Bad Traffic
Message: ET INFO SUSPICIOUS Dotted Quad Host MZ Response

Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] FlawedAmmyy.RAT

Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] AMMYY RAT

Class: A Network Trojan was detected
Message: ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin

Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin

Process: stt.exe
Message: C:\ProgramData\NuGets\template_41c318.TMPTMPZIP7

Process: stt.exe
Message: 1