hxxps://download[.]moodle[.]org/mobile?version=2023100902[.]05&lang=es_co&iosappid=633359593&androidappid=com[.]moodle[.]moodlemobile

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.moodle.org/mobile?version=2023100902.05&lang=es_co&iosappid=633359593&androidappid=com.moodle.moodlemobile

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579957119855849"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3808	chrome.exe
3808	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1348	3420	chrome.exe	84
PID 3420 wrote to memory of 1348	3420	chrome.exe	84
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 4820	3420	chrome.exe	87
PID 3420 wrote to memory of 1480	3420	chrome.exe	88
PID 3420 wrote to memory of 1480	3420	chrome.exe	88
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89
PID 3420 wrote to memory of 4596	3420	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.moodle.org/mobile?version=2023100902.05&lang=es_co&iosappid=633359593&androidappid=com.moodle.moodlemobile
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9872eab58,0x7ff9872eab68,0x7ff9872eab78
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:2
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2600 --field-trial-handle=1884,i,12850801142881973206,18371536800731468840,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
80616e89509d7e17a78121ca7dd18d51

SHA1
5ffd07dd764e6ba638697a1ff7ebad7f510b9cc9

SHA256
1e29fdb3f3fb855f383d62bac5ef13b44428af12ca33000aa11a5aff8aa5a332

SHA512
5f46ae0b2ee2c25202e1fd63fd644db872fbb7325fb308c246de58c4af22d882b2e54f0b717c02eba286f730067bcef55bfde7713ac37e5978beb39bd8e8ae0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9f1740db0428c7a152de8ad561a569ef

SHA1
18ac97df09eabbe118488d6af96d71b4714f8be9

SHA256
2088a316ef1dd8cd5ba43ad7a8f0d1cb119fcf73366176a651f16b3c34dd9a65

SHA512
a7b8ab9a0e599b81b8f3aab342f5c234622fa42b1067e532a17327cde72348048f765353492bc47bcbdaed603f34331ca252df5e03d33ed1284fa1c81ae5c4b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
9b24e41e675250adb7a132d4b944e98a

SHA1
77ba542fceb61e6e79deec0e0bf1e9536b68ea64

SHA256
7df68d02fe238914131463886f74ea8eecbc354ea15182bf824ad4d37c651015

SHA512
cb42653cb2a9327588757148d6eb83aba0071f7f9ac6a919d1ca987723fbebe840f803e194d9afc80b600e630068a3a0f0d9a3b4ecb6ce75c1076e538e2f8edb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f0393dadcda9d9235390a6b145417315

SHA1
a3b4c0ed46fbeed181e7d16f1ce6d1dfb7021147

SHA256
14c5ef7bf54be573005228247ba6aa6cde9acb3e8a135d81d3b8b332d7405c6c

SHA512
145d56888ef40ceea59b24e4ebdf5504ab1ea1c716bc29c38e1a3a33991b94a495ae5af9c00c2fb9ac95ddc3f274af38035b59f4a6d87a66b0d78c4eca9aa777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
0e25bb5d3710937939a421db9cfa5ef3

SHA1
e4cb388781a0717a9844ebbf965bb3141478c784

SHA256
ce7120dedcfe591737e4e62e8edbf07c9dac63acf38e034d69212b1856b80489

SHA512
3fbe4276d8d4db0a32f78bcafce9a0d92044bcdf0fb7780e3127f1ad53b1d8e0b37f7f01c491b0f6a8e9a91d5635bf1688cac601b5333ec17031fe074994c6f5

Download Submit