Sample: hmvrch.msi
Full analysis: https://app.any.run/tasks/186cb8bb-ac08-419a-836f-f62d55d985a3
Verdict: Malicious activity
Threats:

Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.

Analysis date: June 18, 2019, 18:44:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exe-to-msi, evasion, trojan, loda
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5: E66120CD6D1D4A2F5432D408CAC8F54C
SHA1: 0677FB0A06BB373FB41650F127895EAB480997B3
SHA256: 6B23E254659C8BF38C99B2A29901622EAD86561F5D6531A0256F0E28D771897D
SSDEEP: 24576:1EnRmJkcoQricOIQxiZY1iaPF77b6cCskAYNy7IoI9z+z:1EMJZoQrbTFZY1iaPF7X6rjoI9z+z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • LBWUVX.exe (PID: 3036)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 2300)
      • wscript.exe (PID: 2656)
      • wscript.exe (PID: 2696)
    • Writes to a start menu file

      • WScript.exe (PID: 2300)
      • wscript.exe (PID: 2656)
      • wscript.exe (PID: 2696)
    • Connects to CnC server

      • MSI23DF.tmp (PID: 3256)
      • wscript.exe (PID: 2696)
    • LODA was detected

      • MSI23DF.tmp (PID: 3256)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 4084)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2204)
    • Executed via COM

      • DrvInst.exe (PID: 2700)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2204)
      • MSI23DF.tmp (PID: 3256)
    • Uses RUNDLL32.EXE to load library

      • MSI23DF.tmp (PID: 3256)
    • Executes scripts

      • MSI23DF.tmp (PID: 3256)
      • WScript.exe (PID: 2300)
      • wscript.exe (PID: 2696)
    • Creates files in the user directory

      • WScript.exe (PID: 2300)
      • rundll32.exe (PID: 2492)
      • wscript.exe (PID: 2656)
    • Application launched itself

      • WScript.exe (PID: 2300)
      • wscript.exe (PID: 2696)
    • Creates files in the Windows directory

      • MSI23DF.tmp (PID: 3256)
  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 2204)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 4084)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 2700)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 2700)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2204)
    • Application was dropped or rewritten from another process

      • MSI23DF.tmp (PID: 3256)
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2012:09:21 09:56:09
CreateDate: 2012:09:21 09:56:09
Software: Windows Installer
Title: Exe to msi converter free
Subject: -
Author: www.exetomsi.com
Keywords: -
Comments: -
Template: ;0
LastModifiedBy: devuser
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate: 2013:05:21 11:56:44
Pages: 100
Words: -
Security: None
Total processes: 46
Monitored processes: 11
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: msiexec.exe, msiexec.exe, vssvc.exe, drvinst.exe, #LODA msi23df.tmp, lbwuvx.exe, wscript.exe, rundll32.exe, wscript.exe, wscript.exe, wscript.exe

Process information

PID | CMD | Path | Parent process

2968 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\hmvrch.msi" | C:\Windows\System32\msiexec.exe | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

2204 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

4084 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | services.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft® Volume Shadow Copy Service | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2700 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC" | C:\Windows\system32\DrvInst.exe | svchost.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Driver Installation Module | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3256 | "C:\Windows\Installer\MSI23DF.tmp" | C:\Windows\Installer\MSI23DF.tmp | msiexec.exe
  User: admin | Integrity Level: MEDIUM | Version: 3, 3, 8, 1

3036 | "C:\Users\admin\AppData\Local\Temp\LBWUVX.exe" | C:\Users\admin\AppData\Local\Temp\LBWUVX.exe | MSI23DF.tmp
  User: SYSTEM | Integrity Level: SYSTEM | Description: VistaTaskDialog | Version: 1.0.8.0

2300 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\LCRBBE..js" | C:\Windows\System32\WScript.exe | MSI23DF.tmp
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

2492 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | MSI23DF.tmp
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: LOW | Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2656 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\WxQRRjaNiQ.js" | C:\Windows\System32\wscript.exe | WScript.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385

2696 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\LCRBBE..js" | C:\Windows\System32\wscript.exe | WScript.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385
Total events: 1 079
Read events: 818
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 9
Text files: 75
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2204 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | - | - | -
2204 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | 470FBF3CFBC337322A83A363E0CEE248 | F7BA5F5DE50BB5F05DFF3BD8C5F2892F282EE98258ADE3F283F19508C5828798
2700 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 784746D4B8611D43E0EF2F9549F51795 | D531BA1139BD9F929133661D7C8BC352E1C097E52B7EFA46A96BF5DD9E935B31
2700 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 27BA25645B443FE75E0BDF790639504B | 3F407E17D38CE32D4D465BE837633EF00F88B753EF545A19DF26189CCC317AD8
2204 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{517a3ce2-4fe0-4be5-9859-85bd55ab1fd8}_OnDiskSnapshotProp | binary | 470FBF3CFBC337322A83A363E0CEE248 | F7BA5F5DE50BB5F05DFF3BD8C5F2892F282EE98258ADE3F283F19508C5828798
2700 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
2204 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF2B50B1536E6F7B11.TMP | - | - | -
3256 | MSI23DF.tmp | C:\Users\admin\AppData\Local\Temp\aut24C7.tmp | - | - | -
4084 | vssvc.exe | C: | - | - | -
3256 | MSI23DF.tmp | C:\Users\admin\AppData\Local\Temp\aut2630.tmp | - | - | -
HTTP(S) requests: 5
TCP/UDP connections: 13
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2696 | wscript.exe | POST | - | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | - | - | malicious
2696 | wscript.exe | POST | - | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | - | - | malicious
2696 | wscript.exe | POST | - | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | - | - | malicious
2696 | wscript.exe | POST | - | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | - | - | malicious
3256 | MSI23DF.tmp | GET | 200 | 151.139.128.14:80 | http://crl.comodoca.com/COMODORSACertificationAuthority.crl | US | der | 812 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3256 | MSI23DF.tmp | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious
3256 | MSI23DF.tmp | 104.25.210.99:443 | ipapi.co | Cloudflare Inc | US | shared
2656 | wscript.exe | 185.247.228.14:7755 | unknownsoft.duckdns.org | - | - | malicious
2696 | wscript.exe | 103.136.43.131:1425 | vemvemserver.duckdns.org | - | - | malicious
3256 | MSI23DF.tmp | 103.136.43.131:3120 | vemvemserver.duckdns.org | - | - | malicious

DNS requests

Domain | IP | Reputation
ipapi.co | 104.25.210.99, 104.25.209.99 | shared
unknownsoft.duckdns.org | 185.247.228.14 | malicious
vemvemserver.duckdns.org | 103.136.43.131 | malicious
ocsp.usertrust.com | 151.139.128.14 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
ocsp.comodoca4.com | 151.139.128.14 | whitelisted
crl.comodoca.com | 151.139.128.14 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2696 | wscript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin
2696 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
1 ETPRO signature is available in the full report.
No debug info