analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.tinyurl.com/Doc10Jan2019dddd

Full analysis: https://app.any.run/tasks/1b34605c-83ac-4c65-8d3f-7125f1d6b2aa
Verdict: Malicious activity
Analysis date: January 10, 2019, 20:18:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C4DD51FF298485E966A913509AFCA4DE

SHA1:

AAAC0E1FAE67AB89684BD75D23A8D646F199C4C5

SHA256:

5660CF6A3731E0261A82E5C1DA7167F98C1E891A25C1A862878B9E21D3B4C395

SSDEEP:

3:N8DSL+ZLdIQUFiT33:2OL+1dUFW33

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3268)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3268)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4064)
      • iexplore.exe (PID: 3268)
      • iexplore.exe (PID: 2988)
    • Application launched itself

      • iexplore.exe (PID: 2988)
    • Changes internet zones settings

      • iexplore.exe (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3268"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2988 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4064C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
445
Read events
374
Write events
68
Delete events
3

Modification events

(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{F26ED5F3-1514-11E9-AA93-5254004A04AF}
Value:
0
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307010004000A001400120035003103
Executable files
0
Suspicious files
0
Text files
53
Unknown types
2

Dropped files

PID
Process
Filename
Type
2988iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2988iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\redirect[1].php
MD5:
SHA256:
3268iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@tribalfusion[1].txt
MD5:
SHA256:
3268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\displayAd[1].js
MD5:
SHA256:
3268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\p[1].media
MD5:
SHA256:
3268iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@adnxs[1].txt
MD5:
SHA256:
3268iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@tinyurl[2].txttext
MD5:B40A6F6A8BB386F176A7D79B6EBAB188
SHA256:DF81C9096B96E7347A54CF05417EF1BD5DA213EBCD0CC2486A2CE1AB59D3A121
3268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\quant[1].jstext
MD5:E2B9884A917FABCB8015A0D44F734043
SHA256:404A9B0FFBCC813E8DDBB8D8510A24A69C09079282F8083EE94F4ADC5D627176
3268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\j[1].adtext
MD5:85E4C7061FA82A62F632AB83D329141C
SHA256:5957697D01DFA88C639CFEF70575F5BED0D72A569C87DA093E8471143F76C283
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
33
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3268
iexplore.exe
GET
200
204.11.109.65:80
http://a.tribalfusion.com/real/tags/TinyURLcom/ROS/tags.js
US
text
13.6 Kb
whitelisted
3268
iexplore.exe
GET
200
204.11.109.77:80
http://tags.expo9.exponential.com/tags/TinyURLcom/ROS/tags.js
US
html
2.25 Kb
whitelisted
3268
iexplore.exe
GET
200
18.194.121.63:80
http://edge.quantserve.com/quant.js
DE
text
5.33 Kb
whitelisted
3268
iexplore.exe
GET
200
104.20.219.42:80
http://tinyurl.com/redirect.php?num=Doc10Jan2019dddd
US
html
1.91 Kb
shared
3268
iexplore.exe
GET
200
204.11.109.65:80
http://a.tribalfusion.com/displayAd.js?dver=0.8&th=6263147382
US
text
333 b
whitelisted
3268
iexplore.exe
GET
200
204.11.109.65:80
http://a.tribalfusion.com/displayAd.js?dver=0.8&th=6263147382
US
text
335 b
whitelisted
3268
iexplore.exe
GET
200
204.11.109.65:80
http://a.tribalfusion.com/j.ad?flashVer=9&ver=1.28&th=6263147382&tagKey=2439653603&loaderVer=0.1&site=tinyurlcom&adSpace=ros&center=1&json=1&callback=e9Manager.setSingleAdResponse&env=display&size=728x90,468x60&busted=1&url=http%3A%2F%2Ftinyurl.com%2Fredirect.php%3Fnum%3DDoc10Jan2019dddd&f=0&p=11462657&tKey=a0mneMndix4mUS4VYdTVBd1U7YR8ZbBXq&a=1&adContainerId=richmedia_2&rnd=11464260
US
text
3.36 Kb
whitelisted
3268
iexplore.exe
GET
200
173.194.76.156:80
http://stats.g.doubleclick.net/dc.js
US
text
16.6 Kb
whitelisted
3268
iexplore.exe
GET
200
18.185.82.66:80
http://pixel.quantserve.com/pixel;r=2065329128;rf=2;a=p-85Tqni4j2acvI;url=http%3A%2F%2Ftinyurl.com%2Fredirect.php%3Fnum%3DDoc10Jan2019dddd;fpan=1;fpa=P0-185655731-1547151537020;ns=0;ce=1;qjs=1;qv=4c19192-20180628134937;cm=;ref=;je=1;sr=1280x720x32;enc=n;dst=1;et=1547151537020;tzo=0;ogl=
US
image
35 b
whitelisted
3268
iexplore.exe
GET
200
204.11.109.65:80
http://a.tribalfusion.com/real/tags/TinyURLcom/ROS/tags.js
US
text
13.6 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2988
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3268
iexplore.exe
157.240.1.23:443
connect.facebook.net
Facebook, Inc.
US
whitelisted
3268
iexplore.exe
104.20.219.42:80
www.tinyurl.com
Cloudflare Inc
US
shared
3268
iexplore.exe
104.20.219.42:443
www.tinyurl.com
Cloudflare Inc
US
shared
3268
iexplore.exe
204.11.109.77:80
tags.expo9.exponential.com
Exponential Interactive, Inc.
US
unknown
3268
iexplore.exe
173.194.76.156:80
stats.g.doubleclick.net
Google Inc.
US
whitelisted
3268
iexplore.exe
204.11.109.65:80
a.tribalfusion.com
Exponential Interactive, Inc.
US
unknown
3268
iexplore.exe
52.222.150.201:80
rules.quantcount.com
Amazon.com, Inc.
US
unknown
3268
iexplore.exe
18.194.121.63:80
edge.quantserve.com
Amazon.com, Inc.
DE
unknown
3268
iexplore.exe
18.185.82.66:80
edge.quantserve.com
US
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.tinyurl.com
  • 104.20.219.42
  • 104.20.218.42
suspicious
tinyurl.com
  • 104.20.219.42
  • 104.20.218.42
shared
tags.expo9.exponential.com
  • 204.11.109.77
  • 204.11.109.75
  • 204.11.109.78
whitelisted
connect.facebook.net
  • 157.240.1.23
whitelisted
stats.g.doubleclick.net
  • 173.194.76.156
  • 173.194.76.157
  • 173.194.76.155
  • 173.194.76.154
whitelisted
a.tribalfusion.com
  • 204.11.109.65
  • 204.11.110.63
  • 204.11.109.67
  • 204.11.109.66
  • 204.11.110.64
  • 204.11.110.61
  • 204.11.109.68
  • 204.11.110.62
whitelisted
edge.quantserve.com
  • 18.194.121.63
  • 18.185.191.3
  • 18.185.82.66
  • 18.195.162.149
  • 18.185.180.110
  • 18.194.201.158
  • 18.185.206.161
  • 18.195.36.13
whitelisted
rules.quantcount.com
  • 52.222.150.201
  • 52.222.150.196
  • 52.222.150.136
  • 52.222.150.69
whitelisted
pixel.quantserve.com
  • 18.185.82.66
  • 18.185.180.110
  • 18.185.206.161
  • 18.185.191.3
  • 18.185.153.197
  • 18.184.40.88
  • 35.156.2.6
  • 35.157.170.79
whitelisted

Threats

No threats detected
No debug info