b4474348e53f927c304f9b7da84928aa3425484ec7715590b130bf71ea8afe1d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SparxMaths-Solver.exe
Size

154.7MB
MD5

cf13faa611382584795946cc3006953a
SHA1

24cbc29c5ba7bc05e74c10aefe5a8785036dc0a7
SHA256

65e65a584a8f71f033a76d9fa616f655e0a8a7ba83df27e0b461d311258eb995
SHA512

7af524a5d5ba47e749d671373accafd5085aca0c3c3364a9fe6b71361a82358ec311a0407e942f0adfb12a43d4c761a70b1c3e0eb6910475222539ce04cc8bd8
SSDEEP

1572864:mTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:hv6E70+Mk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SparxMaths-Solver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SparxMaths-Solver.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	discord.com
16	discord.com
17	discord.com
14	discord.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4312	SparxMaths-Solver.exe
4312	SparxMaths-Solver.exe
3624	SparxMaths-Solver.exe
3624	SparxMaths-Solver.exe
3624	SparxMaths-Solver.exe
3624	SparxMaths-Solver.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe
Token: SeShutdownPrivilege	3220	SparxMaths-Solver.exe
Token: SeCreatePagefilePrivilege	3220	SparxMaths-Solver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 2460	3220	SparxMaths-Solver.exe	85
PID 3220 wrote to memory of 4312	3220	SparxMaths-Solver.exe	86
PID 3220 wrote to memory of 4312	3220	SparxMaths-Solver.exe	86
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87
PID 3220 wrote to memory of 2180	3220	SparxMaths-Solver.exe	87

C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe
"C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe
  "C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SparxMaths-Solver" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 --field-trial-handle=2028,i,3746014266779275966,14646880832099583205,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe
  "C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SparxMaths-Solver" --mojo-platform-channel-handle=2328 --field-trial-handle=2028,i,3746014266779275966,14646880832099583205,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe
  "C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\SparxMaths-Solver" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2648 --field-trial-handle=2028,i,3746014266779275966,14646880832099583205,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe
  "C:\Users\Admin\AppData\Local\Temp\SparxMaths-Solver.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SparxMaths-Solver" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3292 --field-trial-handle=2028,i,3746014266779275966,14646880832099583205,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\SparxMaths-Solver\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d9022007df186eca462709da94a36d45

SHA1
320ed95bf1510a256450670c63bf98228bc439f7

SHA256
994cc8fb7bf1fec4c4f6a9bd6dbc58cdc13a1d041730fa3582b50d8a58cdcf36

SHA512
e29febc428ddf0949ea373c9ed2d8ce7ff7f79dd7bb4be7ed1d9e687f9d78a6c736c007072669fa84572591ba5f4b8682fd24c5efa495e752c68c95934239287

Download Submit
C:\Users\Admin\AppData\Roaming\SparxMaths-Solver\Code Cache\js\index-dir\the-real-index~RFe57e5bc.TMP

Filesize
48B

MD5
aa0225b9ae1495aa1c025a75dd85ba04

SHA1
bbb3f6d5dfeebf0c6fcf5b106df79a551f38a94f

SHA256
d7478f99f340852ef1810e1a5911276f87b83a16d05b570f7a88ab49cae4d4f7

SHA512
c3f7a5e8b28dc852316d81f95e71a5fc259c350597fdb6ba58aaa178deb47be855a085e431b61623d2a8c3d23744d91230de2aeeb7777c802955a54a67b1cada

Download Submit
C:\Users\Admin\AppData\Roaming\SparxMaths-Solver\Network\Network Persistent State

Filesize
300B

MD5
e667c5fcc86126120655ed266cc8031b

SHA1
78daa9a0f21abc8789eb69476fa2d9246cf9f442

SHA256
5bafe110b424be560814265f3377088e3df9ed6965cddf503a6fe6844f208c65

SHA512
d3b4e4d48555b76b7963c6ecab4ecca7bb2e2c5645ec3e16fb5f36d8575e992c76c40a70305a57d23eb6067236dc17c3a94b866661311e104c7e197faba37911

Download Submit
C:\Users\Admin\AppData\Roaming\SparxMaths-Solver\Network\Network Persistent State~RFe58bc37.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\SparxMaths-Solver\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/2180-48-0x00007FFF8DA60000-0x00007FFF8DA61000-memory.dmp

Filesize
4KB

Download
memory/2180-49-0x00007FFF8CD70000-0x00007FFF8CD71000-memory.dmp

Filesize
4KB

Download
memory/3624-102-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-104-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-103-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-108-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-111-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-114-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-113-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-112-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-110-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download
memory/3624-109-0x000001665FC40000-0x000001665FC41000-memory.dmp

Filesize
4KB

Download