File name: | MSIFAF1.tmp.zip |
Full analysis: | https://app.any.run/tasks/36c67dd3-df32-40fb-8429-33f592252d9d |
Verdict: | Malicious activity |
Threats: | FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics. |
Analysis date: | February 19, 2019, 13:18:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3D5C540AD22B9575D501B1DD39B90D91 |
SHA1: | B455350E75E808B509C8324FC70977015B2F7E61 |
SHA256: | C7980E9014B6ABF25861B0D65B455500EABEEB1CBA1CB97B46159759A2D57CAF |
SSDEEP: | 1536:7JtspR7uFo17B5G9h6ci1PHbgPufKuG8iQaLxc8g663:7J4oEuKvKuG8iA8O3 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:02:19 05:55:23 |
ZipCRC: | 0xb9be10f9 |
ZipCompressedSize: | 75922 |
ZipUncompressedSize: | 144064 |
ZipFileName: | MSI7B3E.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2748 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MSIFAF1.tmp.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3184 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2748.31722\MSI7B3E.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2748.31722\MSI7B3E.exe | WinRAR.exe | |
User: admin Company: IBM Controler' System Security Control Integrity Level: MEDIUM Description: IBM Controler' System Security Control Exit code: 0 Version: 2.8.17228.1 | ||||
3096 | "C:\ProgramData\Microsofts Help\wsus.exe" | C:\ProgramData\Microsofts Help\wsus.exe | MSI7B3E.exe | |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Version: 1.18.2.51920 | ||||
1948 | "C:\Windows\system32\cmd.exe" /c del C:\Users\admin\AppData\Local\Temp\RAR$EX~1.317\MSI7B3E.exe >> NUL | C:\Windows\system32\cmd.exe | — | MSI7B3E.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2580 | "C:\ProgramData\Microsofts Help\wsus.exe" | C:\ProgramData\Microsofts Help\wsus.exe | — | taskeng.exe |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Exit code: 0 Version: 1.18.2.51920 | ||||
2808 | "C:\Windows\system32\cmd.exe" /c del C:\Users\admin\AppData\Local\Temp\RAR$EX~1.317\MSI7B3E.exe >> NUL | C:\Windows\system32\cmd.exe | — | MSI7B3E.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\MSIFAF1.tmp.zip | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3184 | MSI7B3E.exe | C:\Windows\Tasks\Microsoft System Protect.job | binary | |
MD5:F7D937384A9F018743C9B1F5518D9DC5 | SHA256:2D6BBB8AE69075600EA57FA5C55F1AF944EB6A6FE3D97068C4891744AA7897E6 | |||
3184 | MSI7B3E.exe | C:\ProgramData\Microsofts Help\template_ece330.DATAHASH | binary | |
MD5:DA80F64698FDCBE7C3284DF94DCCC6F3 | SHA256:1FA3B63B9FD44F2C93B4D513BA33839F56094A2D7886C8E151BB9F11132CF5CD | |||
3184 | MSI7B3E.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\dat1[1].omg | binary | |
MD5:DA80F64698FDCBE7C3284DF94DCCC6F3 | SHA256:1FA3B63B9FD44F2C93B4D513BA33839F56094A2D7886C8E151BB9F11132CF5CD | |||
2748 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2748.31722\MSI7B3E.exe | executable | |
MD5:CE0F37D5932FF0B583B79C6DCF7DAC7E | SHA256:4EFE3097DAC309A1619415E1EF8654F0B30B516E601D6C4C061CFCD9DD876968 | |||
3184 | MSI7B3E.exe | C:\ProgramData\Microsofts Help\wsus.exe | executable | |
MD5:30B4E109CAAEBAB50007872085E8D208 | SHA256:7ECFD68341FE276C17246DC51C5D70EE2C1BBC6801C85201C8A62956C23D872D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3184 | MSI7B3E.exe | GET | 200 | 185.17.120.235:80 | http://185.17.120.235/dat1.omg | RU | binary | 657 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3096 | wsus.exe | 185.99.133.2:80 | — | Zappie Host LLC | NZ | malicious |
3184 | MSI7B3E.exe | 185.17.120.235:80 | — | Leaseweb Deutschland GmbH | RU | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3096 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT |
3096 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] AMMYY RAT |
3096 | wsus.exe | A Network Trojan was detected | ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin |
3096 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin |
Process | Message |
---|---|
MSI7B3E.exe | C:\ProgramData\Microsofts Help\template_ece330.DATAHASH |
MSI7B3E.exe | --End Dowload-- |