Overview

overview

1

Static

static

1

URLScan

urlscan

1

https://download.moo...

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2023, 10:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    https://download.moodle.org/mobile?version=2021051705&lang=pt&iosappid=633359593&androidappid=com.moodle.moodlemobile

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://download.moodle.org/mobile?version=2021051705&lang=pt&iosappid=633359593&androidappid=com.moodle.moodlemobile
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4208 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1396
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8M28FTI\moodlemobile-android-v400.apk"
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:456
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20F542C2ED5F56389C6B80C816B701FD --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
            PID:1336
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DF03191406700E4DF3DB72619D51917E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DF03191406700E4DF3DB72619D51917E --renderer-client-id=2 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job /prefetch:1
            4⤵
              PID:448
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46EB0A7B15C77C438346ABECDC8B05F1 --mojo-platform-channel-handle=2152 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
                PID:4400
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=51ECB159DF8A7EC7F04072B8DF228BAE --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                4⤵
                  PID:228
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=35E67E05A5C7FB6B283C00A2EC4626DA --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  4⤵
                    PID:4436
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:4708

              Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                      Filesize

                      36KB

                      MD5

                      b30d3becc8731792523d599d949e63f5

                      SHA1

                      19350257e42d7aee17fb3bf139a9d3adb330fad4

                      SHA256

                      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                      SHA512

                      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                      Filesize

                      56KB

                      MD5

                      752a1f26b18748311b691c7d8fc20633

                      SHA1

                      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                      SHA256

                      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                      SHA512

                      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                      Filesize

                      64KB

                      MD5

                      c8294db21855d1e1f68e6511b96ae580

                      SHA1

                      1201c0a0f18cffb4b3b9cc60025464f7b83f2419

                      SHA256

                      7666884687b67c4ac85f29a63c90a5c5baa7fa4c783da86dc8aa97edf9a2fce8

                      SHA512

                      ba44abba74178d289ff7c2d9bbc88c7080820268df382374195af8ca0dceb0943f8b26a7ad9e0df36e5a7cde14662a417d9d262a0e0866451e64eaad8f872fe1

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                      Filesize

                      471B

                      MD5

                      bbd7a036bb694cf78e8d3a33ea129585

                      SHA1

                      6ca1e6f1b267de89d01dec1453f8d48aabce7d50

                      SHA256

                      c918cafa4bdd06e21d100feaf7bda57150a4004c8755aa9a9040d36a1c370206

                      SHA512

                      b21a6dd06f1ca2d9da5a19a246a489e4c2ff92124bc988b237a0b78fdabd7c2128e97ef1fc1f82c17c2d54f821b6e2740aa2c56719706b11a1a69f194d3da135

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                      Filesize

                      404B

                      MD5

                      832ac802bdee68264e564cf098f297d7

                      SHA1

                      be0b9579974ee44b0b45c50aa638ffa7df6f915f

                      SHA256

                      06867f7ecd0f40c15e8ffd2f8592f4dbd5115dfa3e5e93abfee00a53d43a56e5

                      SHA512

                      4cb0aa6202c9d305b9c1c9a328803299d3da1a511bdc412d085ab90cef8c240da7c39fc1599788728165276b3d43dc9b159c50c3caa6e1bf4f943b5854b7b2a6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\348R9X3R\download.moodle[1].xml
                      Filesize

                      86B

                      MD5

                      7a500b04bb16506f97c8a0d8d846de18

                      SHA1

                      b394216d3e0e1b398280a638813c8d2bbf117d33

                      SHA256

                      f8bed764d15beced7d86b1c7daf3649a56e2eb1accdd7b8d84aa58953642499a

                      SHA512

                      ebf93b039cd564fc38f0ba3026b482fb510ee72c0bf2d3172e0120024dfff3ce159db067821e4c43036411b1ef5b316aa4a49be41f8fe8ad77c6fea352913e0c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7ysgaof\imagestore.dat
                      Filesize

                      9KB

                      MD5

                      e6ae839698c716a8bf957638270de9f3

                      SHA1

                      ee36d1d742074086c7a0c6ffebaa06af1c587c04

                      SHA256

                      ff165cb6d3269e577849aa78884034346fa9322f751b372669acb236c0257e00

                      SHA512

                      fb1c4dcd37d06f310830f4b2f84f52d0278a2a18b54d9c6bab737bc545304563b6ae7280a5739fc83c157180ef4d45e534f1eff5c04de5bf84436331bc2f83c2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\favicon-195[1].png
                      Filesize

                      9KB

                      MD5

                      4218a2c9b582da3a82c528471f77b484

                      SHA1

                      5f614c6710d958c8e2a2aeb7f21f3919b861b631

                      SHA256

                      6f3361e567ab8176917b88b2a376c1bb55d738c492a5d1efa944b611a1b207f1

                      SHA512

                      5cebc509e0b47e7ac425a2bcab78f23a63450cf25df5eb7338cb523fc00fcfe660710cb0b88b5098377d3aeb694e6bb00463449fea60c7e5667be53748a414a5

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\moodlemobile-android-v400[1].apk
                      Filesize

                      15.5MB

                      MD5

                      ce4a5317f003301ff7f059ba8e44e3d1

                      SHA1

                      c22919ee1f3f8af7efca70138dffb69f95138589

                      SHA256

                      df7bcb8a81210343f6388d5a92f6d402cbc549bf297ccd52344e1ea49e0cb378

                      SHA512

                      9a16eef880d51f46ca8e91012581db96c968da4c4c566b94c93b09b713ed6f83dc6f526cc5578d4c1486affb586a2e94ffe30025bdcaab4fd113568c028096d1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YMNL2J1\suggestions[1].en-US
                      Filesize

                      17KB

                      MD5

                      5a34cb996293fde2cb7a4ac89587393a

                      SHA1

                      3c96c993500690d1a77873cd62bc639b3a10653f

                      SHA256

                      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                      SHA512

                      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8M28FTI\moodlemobile-android-v400.apk.7yrlnbz.partial
                      Filesize

                      15.5MB

                      MD5

                      ce4a5317f003301ff7f059ba8e44e3d1

                      SHA1

                      c22919ee1f3f8af7efca70138dffb69f95138589

                      SHA256

                      df7bcb8a81210343f6388d5a92f6d402cbc549bf297ccd52344e1ea49e0cb378

                      SHA512

                      9a16eef880d51f46ca8e91012581db96c968da4c4c566b94c93b09b713ed6f83dc6f526cc5578d4c1486affb586a2e94ffe30025bdcaab4fd113568c028096d1

                      Download Submit