analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://syndication.dynsrvtyu.comcimp.php?data=MTU2ODM1MTQ3OXxiNTFmNmEwMTBhYmU2MjFmNDhkNzJmZGEyMzkzZTE1Mg==|http://tutza.com/category/music/?&utm_campaign=2907862&utm_source=adexchange-802527.com&utm_medium=popunder&exotracker=

Full analysis: https://app.any.run/tasks/a3b241ef-3514-4302-8dd3-e191ce583db9
Verdict: Malicious activity
Analysis date: October 14, 2019, 19:03:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

AFB6C98FD0A566FBAE8BA55B6FA65466

SHA1:

E2FAFA1E328C689B465A7065FF4568452F0E1484

SHA256:

C50C2046FE9D2E725935A66987A9AC32F9A7FDDA747D9EA8FF85C35AAEC7C916

SSDEEP:

6:COi0e4ij3yyjYbshEYU/2i12RcmEWnkE2v7yB1LiF:xUh3yy+UETbmil7yB16

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • sdiagnhost.exe (PID: 2844)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1072)

    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2844)

    • Executable content was dropped or overwritten

      • msdt.exe (PID: 3968)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2108)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2448)

    • Application launched itself

      • iexplore.exe (PID: 2108)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2448)

    • Creates files in the user directory

      • iexplore.exe (PID: 2448)
      • iexplore.exe (PID: 2108)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1072)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe msdt.exe sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2108"C:\Program Files\Internet Explorer\iexplore.exe" "http://syndication.dynsrvtyu.comcimp.php?data=MTU2ODM1MTQ3OXxiNTFmNmEwMTBhYmU2MjFmNDhkNzJmZGEyMzkzZTE1Mg==|http://tutza.com/category/music/?&utm_campaign=2907862&utm_source=adexchange-802527.com&utm_medium=popunder&exotracker="C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2448"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2108 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3968 -modal 327972 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF5549.tmp -ep NetworkDiagnosticsWebC:\Windows\system32\msdt.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2844C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1016"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1028"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3996"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1072C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
710
Read events
575
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
9
Text files
244
Unknown types
17

Dropped files

PID
Process
Filename
Type
2108iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2108iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4B1SHP2O\dnserror[1]html
MD5:68E03ED57EC741A4AFBBCD11FAB1BDBE
SHA256:1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2RDA1VC6\errorPageStrings[1]text
MD5:1A0563F7FB85A678771450B131ED66FD
SHA256:EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SI590S7D\dnserror[1]html
MD5:68E03ED57EC741A4AFBBCD11FAB1BDBE
SHA256:1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PFVS32U1\httpErrorPagesScripts[1]text
MD5:E7CA76A3C9EE0564471671D500E3F0F3
SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4B1SHP2O\noConnect[1]image
MD5:3CB8FACCD5DE434D415AB75C17E8FD86
SHA256:6976C426E3AC66D66303C114B22B2B41109A7DE648BA55FFC3E5A53BD0DB09E7
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:675632815FA20A496A584221662E7F9B
SHA256:810A8897F8E9AF3168ACA212605ADEC3225D7793124B9F7B50015C517C400E83
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SI590S7D\errorPageStrings[1]text
MD5:1A0563F7FB85A678771450B131ED66FD
SHA256:EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C
2448iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PFVS32U1\favcenter[1]image
MD5:25D76EE5FB5B890F2CC022D94A42FE19
SHA256:07D07A467E4988D3C377ACD6DC9E53ABCA6B64E8FBF70F6BE19D795A1619289B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
159
TCP/UDP connections
75
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2448
iexplore.exe
GET
301
104.18.50.189:80
http://tutza.com/category/music/?&utm_campaign=2907862&utm_source=adexchange-802527.com&utm_medium=popunder&exotracker=
US
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-content/plugins/facebook-page-promoter-lightbox/includes/featherlight/featherlight.min.css?ver=5.2.3
US
text
705 b
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-content/themes/musiks-child/style.css?ver=5.2.3
US
text
3.15 Kb
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/category/music/?utm_campaign=2907862&utm_source=adexchange-802527.com&utm_medium=popunder&exotracker=
US
html
16.4 Kb
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-content/plugins/buddypress/bp-templates/bp-nouveau/css/buddypress.min.css?ver=4.4.0
US
text
14.4 Kb
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-content/plugins/tutza-ad-manager/public/css/tutza_ad_manager-public.css?ver=1.0.0
US
text
603 b
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-content/plugins/easy-digital-downloads/templates/edd.min.css?ver=2.9.17
US
text
4.13 Kb
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-includes/css/dashicons.min.css?ver=5.2.3
US
text
27.8 Kb
shared
2448
iexplore.exe
GET
200
104.18.50.189:80
http://tutza.com/wp/wp-content/plugins/sharethis-share-buttons/css/mu-style.css?ver=5.2.3
US
text
26 b
shared
2448
iexplore.exe
GET
200
172.217.16.130:80
http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?ver=5.2.3
US
text
35.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2108
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2448
iexplore.exe
172.217.16.130:80
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
2448
iexplore.exe
216.58.207.72:443
www.googletagmanager.com
Google Inc.
US
whitelisted
2448
iexplore.exe
108.177.15.155:443
stats.g.doubleclick.net
Google Inc.
US
whitelisted
2448
iexplore.exe
104.18.50.189:80
tutza.com
Cloudflare Inc
US
shared
2448
iexplore.exe
104.19.195.151:80
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
2448
iexplore.exe
172.217.16.206:443
www.google-analytics.com
Google Inc.
US
whitelisted
2448
iexplore.exe
52.222.157.56:80
platform-api.sharethis.com
Amazon.com, Inc.
US
suspicious
2448
iexplore.exe
157.240.20.19:443
connect.facebook.net
Facebook, Inc.
US
whitelisted
2448
iexplore.exe
104.16.122.175:443
unpkg.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
syndication.dynsrvtyu.comcimp.php
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
tutza.com
  • 104.18.50.189
  • 104.18.51.189
unknown
www.googletagmanager.com
  • 216.58.207.72
whitelisted
platform-api.sharethis.com
  • 52.222.157.56
  • 52.222.157.159
  • 52.222.157.29
  • 52.222.157.19
whitelisted
pagead2.googlesyndication.com
  • 172.217.16.130
whitelisted
cdnjs.cloudflare.com
  • 104.19.195.151
  • 104.19.198.151
  • 104.19.196.151
  • 104.19.197.151
  • 104.19.199.151
whitelisted
www.google-analytics.com
  • 172.217.16.206
whitelisted
stats.g.doubleclick.net
  • 108.177.15.155
  • 108.177.15.154
  • 108.177.15.157
  • 108.177.15.156
whitelisted
media.tutza.com
  • 88.202.180.157
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://syndication.dynsrvtyu.comcimp.php?data=MTU2ODM1MTQ3OXxiNTFmNmEwMTBhYmU2MjFmNDhkNzJmZGEyMzkzZTE1Mg==|http://tutza.com/category/music/?&utm_campaign=2907862&utm_source=adexchange-802527.com&utm_medium=popunder&exotracker=