URL:

http://ak.imgfarm.com/images/nocache/vicinio/installers/v2/232814194.TTAB02.1/nsis/867547-TTAB02.1/180518125138533/msnionlinemapsearch/onlinemapsearch.9ab007686f384d6487b2a30a83734eec.exe

Full analysis: https://app.any.run/tasks/ef6d3f79-d400-4204-a916-f1287e894510
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 15, 2019, 10:03:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, adware, mindspark
Indicators:
MD5: C29213E0FAF1861BF4C80C417A15109A
SHA1: 2E63B5D88252C2F9E10EEDE4F2F3CA445352BA78
SHA256: E968BD6A8012A10E94F381FBE9C8FCB76CB3452A87A6513F11FDF22AA26D3CE6
SSDEEP: 3:N1KfeEKCA0GEaAp3LWgOXBcWGl3u9nPTt7xxkVcdVBWIQsrr/8hKR9l8hKoNYB7N:C5TLpigOXBGlu9nRq0BjcK4Ko9JA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
    • Loads dropped or rewritten executable

      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2820)
    • MINDSPARK was detected

      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 2820)
      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
    • Creates files in the user directory

      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
    • Creates a software uninstall entry

      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
    • Changes the started page of IE

      • onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (PID: 1888)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 3568)
    • Creates files in the user directory

      • iexplore.exe (PID: 2820)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1924)
      • iexplore.exe (PID: 796)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2820)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 796)
    • Reads internet explorer settings

      • iexplore.exe (PID: 796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Behavior graph is rendered in the full report. Nodes shown: iexplore.exe, iexplore.exe, onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe (#MINDSPARK, "drop and start"), iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)]

Process information

PID: 3044
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://ak.imgfarm.com/images/nocache/vicinio/installers/v2/232814194.TTAB02.1/nsis/867547-TTAB02.1/180518125138533/msnionlinemapsearch/onlinemapsearch.9ab007686f384d6487b2a30a83734eec.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2820
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3044 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1888
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe
Parent process: iexplore.exe
User: admin
Company: Mindspark Interactive Network, Inc.
Integrity Level: MEDIUM
Description: OnlineMapSearch Setup
Exit code: 0
Version: 2.7.1.3000
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 3568
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 796
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3568 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1924
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131
Modules (images):
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 1 153
Read events: 993
Write events: 158
Delete events: 2

Modification events

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write | Name: CompatibilityFlags | Value: 0

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 0

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 1

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write | Name: SecuritySafe | Value: 1

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write | Name: ProxyEnable | Value: 0

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write | Name: SavedLegacySettings | Value: (binary value not shown in this export)

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write | Name: {B784AA35-5F65-11E9-B63D-5254004A04AF} | Value: 0

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write | Name: Type | Value: 4

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write | Name: Count | Value: 1

(PID 3044) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write | Name: Time | Value: E307040001000F000A0003001D00AE03
Executable files: 5
Suspicious files: 1
Text files: 70
Unknown types: 10

Dropped files

PID 3044 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF524A53239B709A89.TMP
Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)

PID 3044 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)

PID 3044 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)

PID 3044 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B784AA36-5F65-11E9-B63D-5254004A04AF}.dat
Type: binary
MD5: 94403B8D692103C1CA6E4A71797CCC4C
SHA256: 85606B71153F8A188A057A46F63EB6D0B27B3F55F4D1967780830EB315FF597B

PID 2820 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019041520190416\index.dat
Type: dat
MD5: 22BE1F75072DEEBE91EB6CE16260C9BB
SHA256: 5C30209226956BCDFC1DF4DBD8991BFFB1D2560C725AF423E169E79C0771D815

PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\nsh7C76.tmp\OMS_msi_bg-copy_1501866548368.bmp
Type: image
MD5: C8687205910208B581EC513826B01FF3
SHA256: CF317EF56295513FA42B6B58AC95C8A5862736B25AC27BF7D62ED3697D52623C

PID 3044 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe
Type: executable
MD5: 8186BEF4A54B3AB322C836FD821FD392
SHA256: EA778FF97E072FDF31C81149A34F5F864F3332986586DBE8D497B7056378F638

PID 3044 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019041520190416\index.dat
Type: dat
MD5: CB46FC01F379C848DAD3FEF3D08A03F6
SHA256: 4730CD48E9F79BFA44B498F0A822663D0F2F000F509B4514E97767F41A9D2F9E

PID 2820 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: 93FF6C420FEF2F89E4558E700AFB69E9
SHA256: 06CDC7FD846048E7501A80D0C423FF8974A44E58E7B093393182A613D48661E5

PID 2820 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\73BRE2EQ\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 56
TCP/UDP connections: 21
DNS requests: 9
Threats: 0

HTTP requests

PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | GET 204 | 74.113.237.192:80 | CN: US | Reputation: whitelisted
URL: http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=InstallerInvoked&platform=vicinio&anxv=2.7.1.3000&anxd=2018-05-18&coid=9ab007686f384d6487b2a30a83734eec&refPartner=^CPP^mni000^TTAB02&refSub=&anxl=en-US&anxr=-2135832509&refCobrand=CPP&refCampaign=mni000&refTrack=TTAB02&refCountry=

PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | GET 204 | 74.113.237.192:80 | CN: US | Reputation: whitelisted
URL: http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=Error&errorCode=-13&errorType=nsisError&errorDetails=EmptyPartnerId&platform=vicinio&anxv=2.7.1.3000&anxd=2018-05-18&coid=9ab007686f384d6487b2a30a83734eec&refPartner=^CPP^mni000^TTAB02&refSub=&anxl=en-US&anxr=2066230514&refCobrand=CPP&refCampaign=mni000&refTrack=TTAB02&refCountry=

PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | GET 204 | 74.113.237.192:80 | CN: US | Reputation: whitelisted
URL: http://anx.mindspark.com/anx.gif?anxa=CAPDownloadProcess&anxe=InstallerFinished&tbUID=60E846AE-54A4-421F-9FE0-BC3989560BA6&tbVer=&platform=vicinio&anxv=2.7.1.3000&anxd=2018-05-18&coid=9ab007686f384d6487b2a30a83734eec&refPartner=^CPP^mni000^TTAB02&refSub=&anxl=en-US&anxr=-2127235693&refCobrand=CPP&refCampaign=mni000&refTrack=TTAB02&refCountry=

PID 796 iexplore.exe | GET 200 | 23.210.248.179:80 | CN: NL | Type: html | Size: 871 b | Reputation: whitelisted
URL: http://hp.myway.com/onlinemapsearch/ttab02/assets/1553623361387/ie8.js

PID 796 iexplore.exe | GET 200 | 23.210.248.179:80 | CN: NL | Type: html | Size: 3.19 Kb | Reputation: whitelisted
URL: http://hp.myway.com/onlinemapsearch/ttab02/index.html?n=785820E7&p2=^CPP^mni000^TTAB02&ptb=60E846AE-54A4-421F-9FE0-BC3989560BA6&coid=9ab007686f384d6487b2a30a83734eec

PID 2820 iexplore.exe | GET 200 | 23.210.248.179:80 | CN: NL | Type: executable | Size: 374 Kb | Reputation: whitelisted
URL: http://ak.imgfarm.com/images/nocache/vicinio/installers/v2/232814194.TTAB02.1/nsis/867547-TTAB02.1/180518125138533/msnionlinemapsearch/onlinemapsearch.9ab007686f384d6487b2a30a83734eec.exe

PID 796 iexplore.exe | GET 200 | 23.210.248.179:80 | CN: NL | Type: image | Size: 4.40 Kb | Reputation: whitelisted
URL: http://ak.staticimgfarm.com/images/webtooltab/assets/logos/CPP.png

PID 3568 iexplore.exe | GET 200 | 23.210.248.179:80 | CN: NL | Type: image | Size: 1.12 Kb | Reputation: whitelisted
URL: http://ak.staticimgfarm.com/images/vicinio/chrome/spent/images/favicon/CPP.ico

PID 3568 iexplore.exe | GET 200 | 204.79.197.200:80 | CN: US | Type: image | Size: 237 b | Reputation: whitelisted
URL: http://www.bing.com/favicon.ico

PID 796 iexplore.exe | GET 200 | 23.210.248.179:80 | CN: NL | Type: text | Size: 127 Kb | Reputation: whitelisted
URL: http://hp.myway.com/onlinemapsearch/ttab02/assets/1553623361387/app.js

Connections

PID 2820 iexplore.exe | 23.210.248.179:80 | ak.imgfarm.com | ASN: Akamai International B.V. | CN: NL | whitelisted
PID 3044 iexplore.exe | 204.79.197.200:80 | www.bing.com | ASN: Microsoft Corporation | CN: US | whitelisted
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | 74.113.237.192:80 | anx.mindspark.com | ASN: Mindspark Interactive Network, Inc. | CN: US | malicious
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | 35.244.218.203:443 | dp.tb.ask.com | ASN: (not recorded) | CN: US | whitelisted
PID (not recorded) | 74.113.237.192:80 | anx.mindspark.com | ASN: Mindspark Interactive Network, Inc. | CN: US | malicious
PID 3568 iexplore.exe | 204.79.197.200:80 | www.bing.com | ASN: Microsoft Corporation | CN: US | whitelisted
PID 796 iexplore.exe | 23.210.248.179:80 | ak.imgfarm.com | ASN: Akamai International B.V. | CN: NL | whitelisted
PID 796 iexplore.exe | 74.113.235.189:80 | anx.tb.ask.com | ASN: Mindspark Interactive Network, Inc. | CN: IE | unknown
PID 3568 iexplore.exe | 23.210.248.179:80 | ak.imgfarm.com | ASN: Akamai International B.V. | CN: NL | whitelisted
PID 796 iexplore.exe | 35.227.202.20:80 | weatherblink.wdgserv.com | ASN: (not recorded) | CN: US | unknown

DNS requests

ak.imgfarm.com -> 23.210.248.179 (whitelisted)
www.bing.com -> 204.79.197.200, 13.107.21.200 (whitelisted)
dp.tb.ask.com -> 35.244.218.203 (whitelisted)
anx.mindspark.com -> 74.113.237.192 (whitelisted)
hp.myway.com -> 23.210.248.179 (whitelisted)
ak.staticimgfarm.com -> 23.210.248.179 (whitelisted)
anx.tb.ask.com -> 74.113.235.189 (whitelisted)
weatherblink.wdgserv.com -> 35.227.202.20 (unknown)

Threats

PID 2820 iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
PID 2820 iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | Misc activity | ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | Misc activity | ADWARE [PTsecurity] Mindspark User-Agent
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | Misc activity | ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | Misc activity | ADWARE [PTsecurity] Mindspark User-Agent
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | Misc activity | ADWARE [PTsecurity] Mindspark CAPDownloadProcess
PID 1888 onlinemapsearch.9ab007686f384d6487b2a30a83734eec[1].exe | Misc activity | ADWARE [PTsecurity] Mindspark User-Agent
3 ETPRO signatures available at the full report
No debug info