analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

hezrkt.msi

Full analysis: https://app.any.run/tasks/92c16696-19b9-45f6-b93c-a20496e5a39b
Verdict: Malicious activity
Threats:

Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 17, 2020, 18:11:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
trojan
loda
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

ABF7120C686E46BC988114BE04A04231

SHA1:

C74965A75A71DA9E64173CE61F2B06EED6BF53BA

SHA256:

CF0BCAC1130FA1AC0450656783AE0E4F01546942D146677692CE0027CE2D036F

SSDEEP:

24576:lEnthEVaPqLNC8ReSNrK449vnNpHrYWYz:lErEVUcJR3hp4dnNprP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MSIE22F.tmp (PID: 2216)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 884)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1940)

    • LODA was detected

      • MSIE22F.tmp (PID: 2216)

    • Connects to CnC server

      • MSIE22F.tmp (PID: 2216)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2372)
      • MSIE22F.tmp (PID: 2216)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2372)

    • Executed as Windows Service

      • vssvc.exe (PID: 1252)

    • Creates files in the user directory

      • MSIE22F.tmp (PID: 2216)

    • Starts CMD.EXE for commands execution

      • MSIE22F.tmp (PID: 2216)

    • Connects to unusual port

      • MSIE22F.tmp (PID: 2216)

  • INFO

    • Application was dropped or rewritten from another process

      • MSIE22F.tmp (PID: 2216)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2372)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2012:09:21 09:56:09
CreateDate: 2012:09:21 09:56:09
Software: Windows Installer
Title: Exe to msi converter free
Subject: -
Author: www.exetomsi.com
Keywords: -
Comments: -
Template: ;0
LastModifiedBy: devuser
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate: 2013:05:21 11:56:44
Pages: 100
Words: -
Security: None
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs #LODA msie22f.tmp cmd.exe schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
944"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\hezrkt.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2372C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1252C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2216"C:\Windows\Installer\MSIE22F.tmp"C:\Windows\Installer\MSIE22F.tmp
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Version:
3, 3, 8, 1
1940C:\Windows\system32\cmd.exe /c schtasks /create /tn YECUWH.exe /tr C:\Users\admin\AppData\Roaming\Windata\CMTJKR.exe /sc minute /mo 1C:\Windows\system32\cmd.exe
MSIE22F.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
884schtasks /create /tn YECUWH.exe /tr C:\Users\admin\AppData\Roaming\Windata\CMTJKR.exe /sc minute /mo 1C:\Windows\system32\schtasks.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
587
Read events
438
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2372msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2372msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF5A2D7D8CC6884E0F.TMP
MD5:
SHA256:
1252vssvc.exeC:
MD5:
SHA256:
2372msiexec.exeC:\Windows\Installer\MSIE142.tmpbinary
MD5:14C6013B9F696993FF16CC776A520D8D
SHA256:C82606E1D0AA804C2544C78CEFC5B56B4DDFB3288C4F66CCFC0E0E90E1AF54A3
2372msiexec.exeC:\Windows\Installer\39dbc6.ipibinary
MD5:839855EE5716A9A9B6B7541F958C1864
SHA256:EA64EEA231E638FDC34A1165DEAE66DA122D7CC2E693E92E9C532426A3A7A4F2
2372msiexec.exeC:\Windows\Installer\MSIE22F.tmpexecutable
MD5:D87E82EAB792FF4118B1E9D3D0DE6E1F
SHA256:F7858AFF60C20490BCD779DE03E8ECA01061F6A7B4186DD326F8C400A0899D8C
2372msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:26378C907F220EF77E69DB3A533AB76D
SHA256:CD1DC16BEA3DE46E8FD2093E765F5E15A8987D082D283432540F4BF75BF6995D
2372msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{a4abe137-f84a-41bb-a6f4-a0d129b14468}_OnDiskSnapshotPropbinary
MD5:26378C907F220EF77E69DB3A533AB76D
SHA256:CD1DC16BEA3DE46E8FD2093E765F5E15A8987D082D283432540F4BF75BF6995D
2372msiexec.exeC:\Windows\Installer\39dbc4.msiexecutable
MD5:ABF7120C686E46BC988114BE04A04231
SHA256:CF0BCAC1130FA1AC0450656783AE0E4F01546942D146677692CE0027CE2D036F
2216MSIE22F.tmpC:\Users\admin\AppData\Roaming\Windata\CMTJKR.exeexecutable
MD5:D87E82EAB792FF4118B1E9D3D0DE6E1F
SHA256:F7858AFF60C20490BCD779DE03E8ECA01061F6A7B4186DD326F8C400A0899D8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2216
MSIE22F.tmp
79.142.76.244:2089
success20.hopto.org
AltusHost B.V.
SE
malicious

DNS requests

Domain
IP
Reputation
success20.hopto.org
  • 79.142.76.244
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.hopto .org
2216
MSIE22F.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loda Logger CnC Beacon
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
hezrkt.msi