download: | hmvrch.msi |
Full analysis: | https://app.any.run/tasks/186cb8bb-ac08-419a-836f-f62d55d985a3 |
Verdict: | Malicious activity |
Threats: | Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns. |
Analysis date: | June 18, 2019, 18:44:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0 |
MD5: | E66120CD6D1D4A2F5432D408CAC8F54C |
SHA1: | 0677FB0A06BB373FB41650F127895EAB480997B3 |
SHA256: | 6B23E254659C8BF38C99B2A29901622EAD86561F5D6531A0256F0E28D771897D |
SSDEEP: | 24576:1EnRmJkcoQricOIQxiZY1iaPF77b6cCskAYNy7IoI9z+z:1EMJZoQrbTFZY1iaPF7X6rjoI9z+z |
.msi | | | Microsoft Installer (100) |
---|
CodePage: | Windows Latin 1 (Western European) |
---|---|
LastPrinted: | 2012:09:21 09:56:09 |
CreateDate: | 2012:09:21 09:56:09 |
Software: | Windows Installer |
Title: | Exe to msi converter free |
Subject: | - |
Author: | www.exetomsi.com |
Keywords: | - |
Comments: | - |
Template: | ;0 |
LastModifiedBy: | devuser |
RevisionNumber: | {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E} |
ModifyDate: | 2013:05:21 11:56:44 |
Pages: | 100 |
Words: | - |
Security: | None |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\hmvrch.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2204 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
4084 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2700 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3256 | "C:\Windows\Installer\MSI23DF.tmp" | C:\Windows\Installer\MSI23DF.tmp | msiexec.exe | |
User: admin Integrity Level: MEDIUM Version: 3, 3, 8, 1 | ||||
3036 | "C:\Users\admin\AppData\Local\Temp\LBWUVX.exe" | C:\Users\admin\AppData\Local\Temp\LBWUVX.exe | MSI23DF.tmp | |
User: SYSTEM Integrity Level: SYSTEM Description: VistaTaskDialog Version: 1.0.8.0 | ||||
2300 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\LCRBBE..js" | C:\Windows\System32\WScript.exe | MSI23DF.tmp | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2492 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | MSI23DF.tmp |
User: SYSTEM Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2656 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\WxQRRjaNiQ.js" | C:\Windows\System32\wscript.exe | WScript.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2696 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\LCRBBE..js" | C:\Windows\System32\wscript.exe | WScript.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2204 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2204 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:470FBF3CFBC337322A83A363E0CEE248 | SHA256:F7BA5F5DE50BB5F05DFF3BD8C5F2892F282EE98258ADE3F283F19508C5828798 | |||
2700 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:784746D4B8611D43E0EF2F9549F51795 | SHA256:D531BA1139BD9F929133661D7C8BC352E1C097E52B7EFA46A96BF5DD9E935B31 | |||
2700 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:27BA25645B443FE75E0BDF790639504B | SHA256:3F407E17D38CE32D4D465BE837633EF00F88B753EF545A19DF26189CCC317AD8 | |||
2204 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{517a3ce2-4fe0-4be5-9859-85bd55ab1fd8}_OnDiskSnapshotProp | binary | |
MD5:470FBF3CFBC337322A83A363E0CEE248 | SHA256:F7BA5F5DE50BB5F05DFF3BD8C5F2892F282EE98258ADE3F283F19508C5828798 | |||
2700 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:76DCC60F78B3DFF1AE3627619074F465 | SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 | |||
2204 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF2B50B1536E6F7B11.TMP | — | |
MD5:— | SHA256:— | |||
3256 | MSI23DF.tmp | C:\Users\admin\AppData\Local\Temp\aut24C7.tmp | — | |
MD5:— | SHA256:— | |||
4084 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
3256 | MSI23DF.tmp | C:\Users\admin\AppData\Local\Temp\aut2630.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2696 | wscript.exe | POST | — | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | — | — | malicious |
2696 | wscript.exe | POST | — | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | — | — | malicious |
2696 | wscript.exe | POST | — | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | — | — | malicious |
2696 | wscript.exe | POST | — | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | — | — | malicious |
3256 | MSI23DF.tmp | GET | 200 | 151.139.128.14:80 | http://crl.comodoca.com/COMODORSACertificationAuthority.crl | US | der | 812 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3256 | MSI23DF.tmp | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
3256 | MSI23DF.tmp | 104.25.210.99:443 | ipapi.co | Cloudflare Inc | US | shared |
2656 | wscript.exe | 185.247.228.14:7755 | unknownsoft.duckdns.org | — | — | malicious |
2696 | wscript.exe | 103.136.43.131:1425 | vemvemserver.duckdns.org | — | — | malicious |
3256 | MSI23DF.tmp | 103.136.43.131:3120 | vemvemserver.duckdns.org | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
ipapi.co |
| shared |
unknownsoft.duckdns.org |
| malicious |
vemvemserver.duckdns.org |
| malicious |
ocsp.usertrust.com |
| whitelisted |
dns.msftncsi.com |
| shared |
ocsp.comodoca4.com |
| whitelisted |
crl.comodoca.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2696 | wscript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
2696 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |