download: | hezrkt.msi |
Full analysis: | https://app.any.run/tasks/92c16696-19b9-45f6-b93c-a20496e5a39b |
Verdict: | Malicious activity |
Threats: | Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware’s functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns. |
Analysis date: | January 17, 2020, 18:11:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0 |
MD5: | ABF7120C686E46BC988114BE04A04231 |
SHA1: | C74965A75A71DA9E64173CE61F2B06EED6BF53BA |
SHA256: | CF0BCAC1130FA1AC0450656783AE0E4F01546942D146677692CE0027CE2D036F |
SSDEEP: | 24576:lEnthEVaPqLNC8ReSNrK449vnNpHrYWYz:lErEVUcJR3hp4dnNprP |
.msi | | | Microsoft Installer (100) |
---|
CodePage: | Windows Latin 1 (Western European) |
---|---|
LastPrinted: | 2012:09:21 09:56:09 |
CreateDate: | 2012:09:21 09:56:09 |
Software: | Windows Installer |
Title: | Exe to msi converter free |
Subject: | - |
Author: | www.exetomsi.com |
Keywords: | - |
Comments: | - |
Template: | ;0 |
LastModifiedBy: | devuser |
RevisionNumber: | {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E} |
ModifyDate: | 2013:05:21 11:56:44 |
Pages: | 100 |
Words: | - |
Security: | None |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
944 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\hezrkt.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2372 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1252 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2216 | "C:\Windows\Installer\MSIE22F.tmp" | C:\Windows\Installer\MSIE22F.tmp | msiexec.exe | |
User: admin Integrity Level: MEDIUM Version: 3, 3, 8, 1 | ||||
1940 | C:\Windows\system32\cmd.exe /c schtasks /create /tn YECUWH.exe /tr C:\Users\admin\AppData\Roaming\Windata\CMTJKR.exe /sc minute /mo 1 | C:\Windows\system32\cmd.exe | MSIE22F.tmp | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
884 | schtasks /create /tn YECUWH.exe /tr C:\Users\admin\AppData\Roaming\Windata\CMTJKR.exe /sc minute /mo 1 | C:\Windows\system32\schtasks.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2372 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2372 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF5A2D7D8CC6884E0F.TMP | — | |
MD5:— | SHA256:— | |||
1252 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
2372 | msiexec.exe | C:\Windows\Installer\MSIE142.tmp | binary | |
MD5:14C6013B9F696993FF16CC776A520D8D | SHA256:C82606E1D0AA804C2544C78CEFC5B56B4DDFB3288C4F66CCFC0E0E90E1AF54A3 | |||
2372 | msiexec.exe | C:\Windows\Installer\39dbc6.ipi | binary | |
MD5:839855EE5716A9A9B6B7541F958C1864 | SHA256:EA64EEA231E638FDC34A1165DEAE66DA122D7CC2E693E92E9C532426A3A7A4F2 | |||
2372 | msiexec.exe | C:\Windows\Installer\MSIE22F.tmp | executable | |
MD5:D87E82EAB792FF4118B1E9D3D0DE6E1F | SHA256:F7858AFF60C20490BCD779DE03E8ECA01061F6A7B4186DD326F8C400A0899D8C | |||
2372 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:26378C907F220EF77E69DB3A533AB76D | SHA256:CD1DC16BEA3DE46E8FD2093E765F5E15A8987D082D283432540F4BF75BF6995D | |||
2372 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{a4abe137-f84a-41bb-a6f4-a0d129b14468}_OnDiskSnapshotProp | binary | |
MD5:26378C907F220EF77E69DB3A533AB76D | SHA256:CD1DC16BEA3DE46E8FD2093E765F5E15A8987D082D283432540F4BF75BF6995D | |||
2372 | msiexec.exe | C:\Windows\Installer\39dbc4.msi | executable | |
MD5:ABF7120C686E46BC988114BE04A04231 | SHA256:CF0BCAC1130FA1AC0450656783AE0E4F01546942D146677692CE0027CE2D036F | |||
2216 | MSIE22F.tmp | C:\Users\admin\AppData\Roaming\Windata\CMTJKR.exe | executable | |
MD5:D87E82EAB792FF4118B1E9D3D0DE6E1F | SHA256:F7858AFF60C20490BCD779DE03E8ECA01061F6A7B4186DD326F8C400A0899D8C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2216 | MSIE22F.tmp | 79.142.76.244:2089 | success20.hopto.org | AltusHost B.V. | SE | malicious |
Domain | IP | Reputation |
---|---|---|
success20.hopto.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
2216 | MSIE22F.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Loda Logger CnC Beacon |