analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

grcfne.msi

Full analysis: https://app.any.run/tasks/8e6be81b-ad40-492a-b11e-b2af43f5e0d9
Verdict: Malicious activity
Threats:

Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.

Malware Trends Tracker     >>>
Analysis date: December 03, 2019, 01:22:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
trojan
loda
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

C0CDD7F5824CAB358C18FE146F4B024D

SHA1:

023F7BDFBEF59E0D3174693349DBC5FAE72F5350

SHA256:

633F3970C31C9CB849BD5F66C3A783538BB2327B4BEC5774B870F8B3B53EA3C1

SSDEEP:

24576:6EnthEVaPqL5Y644A1gOGKnpWMGXuzkeY0oGK:6ErEVUc5Yp4A1gAWMKuz5JBK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 656)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 992)

    • LODA was detected

      • MSI1E04.tmp (PID: 784)

    • Changes the autorun value in the registry

      • MSI1E04.tmp (PID: 784)

    • Connects to CnC server

      • MSI1E04.tmp (PID: 784)

  • SUSPICIOUS

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3608)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3608)
      • MSI1E04.tmp (PID: 784)

    • Executed as Windows Service

      • vssvc.exe (PID: 3332)

    • Starts CMD.EXE for commands execution

      • MSI1E04.tmp (PID: 784)

    • Creates files in the user directory

      • MSI1E04.tmp (PID: 784)

  • INFO

    • Application was dropped or rewritten from another process

      • MSI1E04.tmp (PID: 784)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3332)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
Words: -
Pages: 100
ModifyDate: 2013:05:21 11:56:44
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
LastModifiedBy: devuser
Template: ;0
Comments: -
Keywords: -
Author: www.exetomsi.com
Subject: -
Title: Exe to msi converter free
Software: Windows Installer
CreateDate: 2012:09:21 09:56:09
LastPrinted: 2012:09:21 09:56:09
CodePage: Windows Latin 1 (Western European)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs #LODA msi1e04.tmp cmd.exe schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1740"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\grcfne.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3608C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3332C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
784"C:\Windows\Installer\MSI1E04.tmp"C:\Windows\Installer\MSI1E04.tmp
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Version:
3, 3, 8, 1
656C:\Windows\system32\cmd.exe /c schtasks /create /tn XNAEAL.exe /tr C:\Users\admin\AppData\Roaming\Windata\JLMWFF.exe /sc minute /mo 1C:\Windows\system32\cmd.exe
MSI1E04.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
992schtasks /create /tn XNAEAL.exe /tr C:\Users\admin\AppData\Roaming\Windata\JLMWFF.exe /sc minute /mo 1C:\Windows\system32\schtasks.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
578
Read events
429
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3608msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3608msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF39DE77EB3D14799C.TMP
MD5:
SHA256:
3332vssvc.exeC:
MD5:
SHA256:
3608msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:C60B46E585FCFAB38BEC7A6247137EFA
SHA256:882C747E10B984753AABC58E673E4554AA828D537915530C752FF5B7ED336E4C
784MSI1E04.tmpC:\Users\admin\AppData\Roaming\Windata\JLMWFF.exeexecutable
MD5:02196C0AB332E6F9D194038E4F1D3A45
SHA256:65DF98D287C5886F7984A0BD3902C60961FDE272BA82DFAB62F758F4E5A1F455
3608msiexec.exeC:\Windows\Installer\MSI1E04.tmpexecutable
MD5:02196C0AB332E6F9D194038E4F1D3A45
SHA256:65DF98D287C5886F7984A0BD3902C60961FDE272BA82DFAB62F758F4E5A1F455
3608msiexec.exeC:\Windows\Installer\MSI1CC9.tmpbinary
MD5:52D0B8F0E2A941CB5E2ED2C1776C4E5E
SHA256:AEB7977076CA6C5E72D3FBB85F73C93A6F42D8AEC7C4F1EA25A9E538DC82BE22
3608msiexec.exeC:\Windows\Installer\3916fd.msiexecutable
MD5:C0CDD7F5824CAB358C18FE146F4B024D
SHA256:633F3970C31C9CB849BD5F66C3A783538BB2327B4BEC5774B870F8B3B53EA3C1
3608msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{6d63ae53-f97a-4e3d-bfca-2c6e1c918e27}_OnDiskSnapshotPropbinary
MD5:C60B46E585FCFAB38BEC7A6247137EFA
SHA256:882C747E10B984753AABC58E673E4554AA828D537915530C752FF5B7ED336E4C
3608msiexec.exeC:\Windows\Installer\3916ff.ipibinary
MD5:D9C7B1C6EC86D375A48D4018D03F3EE4
SHA256:34D978C62FAFF54A73E05F142EAE500C981AE314722679878DF0ED63341B117A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
784
MSI1E04.tmp
79.142.76.244:53916
4success.zapto.org
AltusHost B.V.
SE
malicious

DNS requests

Domain
IP
Reputation
4success.zapto.org
  • 79.142.76.244
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.zapto .org
784
MSI1E04.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loda Logger CnC Beacon
9 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
grcfne.msi