URL: Https://download.mapfinderz.com/index.jhtml

Full analysis: https://app.any.run/tasks/a85cf232-a2a2-4f70-b325-d0adeb8e1ef3
Verdict: Malicious activity
Analysis date: October 19, 2020, 23:14:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, mindspark
Indicators:
MD5: 0118D05E40AECFECD6901DB778BD5442
SHA1: 2E06609EAE27FCE98899BEAA768E94CCF013D0FE
SHA256: A38CCCFD17411FD1C6F193BFD5CA68FBFA3845E9C29AE6C4B32E390948C33F9A
SSDEEP: 3:nnBElbPtMKBUJ:nBKztMKBUJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
    • Loads dropped or rewritten executable

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
      • Rundll32.exe (PID: 3712)
    • MINDSPARK was detected

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 464)
      • iexplore.exe (PID: 2728)
      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
    • Reads Internet Cache Settings

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
    • Creates files in the user directory

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
    • Changes the started page of IE

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
    • Creates a software uninstall entry

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
    • Uses RUNDLL32.EXE to load library

      • MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe (PID: 1712)
  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 464)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2872)
      • iexplore.exe (PID: 544)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 464)
      • iexplore.exe (PID: 544)
      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2872)
    • Changes internet zones settings

      • iexplore.exe (PID: 2728)
    • Creates files in the user directory

      • iexplore.exe (PID: 464)
      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2872)
    • Application launched itself

      • iexplore.exe (PID: 2728)
    • Reads internet explorer settings

      • iexplore.exe (PID: 464)
      • iexplore.exe (PID: 2872)
      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 544)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2728)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2728)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Not reproduced here; the graph in the full report shows iexplore.exe, mapfinderz.1e897ecfc75a475ca558c707c82f3d89.exe (#MINDSPARK, drop and start) and rundll32.exe (no specs).

Process information

PID: 2728
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" Https://download.mapfinderz.com/index.jhtml
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 464
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2728 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1712
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe
Parent process: iexplore.exe
User: admin
Company: Mindspark Interactive Network, Inc.
Integrity Level: MEDIUM
Description: MapFinderz Setup
Exit code: 0
Version: 2.8.1.1000

PID: 3712
CMD: "Rundll32.exe" "C:\Users\admin\AppData\Local\MapFinderzTooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/mapfinderz/ttab02/index.html -ua="(Windows NT 6.1; Win32; MSIE 11.0; Build 7601; SP 1)" -ul=http://anx.mindspark.com/anx.gif?anxa=%251&anxe=%252&anxt=A9E71789-B23B-4662-985D-F40D575D6750&anxtv=2.8.1.1000&anxp=^CNG^yyyyyy^TTAB02^nl&anxsi=&anxv=%253&anxd=2020-10-20&anxr=%254 -hu=SHOW
Path: C:\Windows\system32\Rundll32.exe
Parent process: MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2872
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2728 CREDAT:1316132 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3452
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2728 CREDAT:3478797 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 544
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2728 CREDAT:988432 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 1 777
Read events: 1 558
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 111
Text files: 122
Unknown types: 56

Dropped files

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab423E.tmp
Type:
MD5:
SHA256:

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar423F.tmp
Type:
MD5:
SHA256:

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B844EFFFE16D17B3AA37AA9520BA7C44
Type: der
MD5: 7BDA7AAAB3831CD8D911FD007427A442
SHA256: F6D9F6218E804AFD9D17DE4A8675B7B176AB58929D53CC5399CC45B009517905

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\index[1].htm
Type: html
MD5: B4884E0927C2E24BB22C725310538B20
SHA256: 788CBFB41CA1150E8F41B53DD68C84B15EACEAF40771379169C5B438E73DA0D1

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B844EFFFE16D17B3AA37AA9520BA7C44
Type: binary
MD5: 3E3C55C6827BA9BC02EC4D6B92B2DAFB
SHA256: 6284E95FA114A797EE0A077E7E70A293215A9CD3655EB2BB94E465BFF810F8CC

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Type: der
MD5: AF315FA1A389D30310D95403D7DC486E
SHA256: E080E402317DE429DC4A761928298D49107D3D7CDCEDBB0BA06AA90CC214C501

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ASN6T45Z.txt
Type:
MD5:
SHA256:

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GE5EE42T.txt
Type: text
MD5: 829518D387BD202594912DC227B06F10
SHA256: 55E4D55D051498E36B33D925C64D0EBFBF7905510BEE4FEA3DE3983F5B45548F

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Type: binary
MD5: DA1414A40E49DA1ACCB21E8A97824F4A
SHA256: 1DF7EF8B3967F8143F95527DD205730EAEEFEF662880D3F7DE0BFEA69361F9A1

PID: 464  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
Type: binary
MD5: B21362D5A5267F08D318CFF08DB3FE7E
SHA256: 963401E570BE4F36C1997130463203C59AC942C2B0DD9E860943DE03D9A2F981
HTTP(S) requests: 66
TCP/UDP connections: 118
DNS requests: 47
Threats: 0

HTTP requests

PID 464 iexplore.exe; GET; HTTP 200; IP 93.184.220.29:80; CN US; Type der; Size 471 b; Reputation whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D

PID 464 iexplore.exe; GET; HTTP 200; IP 2.16.186.35:80; CN unknown; Type der; Size 1.37 Kb; Reputation whitelisted
  URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D

PID 464 iexplore.exe; GET; HTTP 200; IP 2.16.186.35:80; CN unknown; Type der; Size 1.37 Kb; Reputation whitelisted
  URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D

PID 464 iexplore.exe; GET; HTTP 304; IP 93.184.220.29:80; CN US; Reputation whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D

PID 464 iexplore.exe; GET; HTTP 304; IP 93.184.220.29:80; CN US; Reputation whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D

PID 464 iexplore.exe; GET; HTTP 304; IP 93.184.220.29:80; CN US; Reputation whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D

PID 464 iexplore.exe; GET; HTTP 200; IP 2.16.186.27:80; CN unknown; Type der; Size 527 b; Reputation whitelisted
  URL: http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgNuLkd4xwZBlZHjBXjBubOocw%3D%3D

PID 464 iexplore.exe; GET; HTTP 200; IP 172.217.23.99:80; CN US; Type der; Size 472 b; Reputation whitelisted
  URL: http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCOUTy4wn8XWggAAAAAWy8I

PID 464 iexplore.exe; GET; HTTP 200; IP 93.184.220.29:80; CN US; Type der; Size 471 b; Reputation whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D

PID 464 iexplore.exe; GET; HTTP 200; IP 93.184.220.29:80; CN US; Type der; Size 471 b; Reputation whitelisted
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D

Connections

PID (not listed); IP 2.16.186.35:80; Domain isrg.trustid.ocsp.identrust.com; ASN Akamai International B.V.; Reputation whitelisted
PID 464 iexplore.exe; IP 2.16.186.27:80; Domain ocsp.int-x3.letsencrypt.org; ASN Akamai International B.V.; Reputation whitelisted
PID 464 iexplore.exe; IP 216.58.212.170:443; Domain fonts.googleapis.com; ASN Google Inc.; CN US; Reputation whitelisted
PID 464 iexplore.exe; IP 35.244.218.203:443; Domain download.mapfinderz.com; CN US; Reputation whitelisted
PID 464 iexplore.exe; IP 23.43.121.26:443; Domain ak.imgfarm.com; ASN Akamai International B.V.; CN NL; Reputation unknown
PID 464 iexplore.exe; IP 104.111.214.175:443; Domain akz.imgfarm.com; ASN Akamai International B.V.; CN NL; Reputation whitelisted
PID 464 iexplore.exe; IP 93.184.220.29:80; Domain ocsp.digicert.com; ASN MCI Communications Services, Inc. d/b/a Verizon Business; CN US; Reputation whitelisted
PID 464 iexplore.exe; IP 2.16.186.11:80; Domain isrg.trustid.ocsp.identrust.com; ASN Akamai International B.V.; Reputation whitelisted
PID 464 iexplore.exe; IP 172.217.23.99:80; Domain ocsp.pki.goog; ASN Google Inc.; CN US; Reputation whitelisted
PID 464 iexplore.exe; IP 172.217.22.67:443; Domain fonts.gstatic.com; ASN Google Inc.; CN US; Reputation whitelisted

DNS requests

download.mapfinderz.com: 35.244.218.203 (malicious)
isrg.trustid.ocsp.identrust.com: 2.16.186.35, 2.16.186.11 (whitelisted)
ocsp.int-x3.letsencrypt.org: 2.16.186.27, 2.16.186.11 (whitelisted)
ak.imgfarm.com: 23.43.121.26 (whitelisted)
fonts.googleapis.com: 216.58.212.170 (whitelisted)
ak.staticimgfarm.com: 23.43.121.26 (whitelisted)
akz.imgfarm.com: 104.111.214.175 (whitelisted)
ocsp.digicert.com: 93.184.220.29 (whitelisted)
ocsp.pki.goog: 172.217.23.99 (whitelisted)
mapfinderz.dl.myway.com: 35.244.218.203 (unknown)

Threats

PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark User-Agent
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark User-Agent
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark User-Agent
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark User-Agent
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1712 MapFinderz.1e897ecfc75a475ca558c707c82f3d89.exe; Class: Misc activity; Message: ADWARE [PTsecurity] Mindspark User-Agent
5 ETPRO signatures available at the full report
No debug info