Resubmissions
02-10-2022 16:34
221002-t3c2esegb2 1002-10-2022 16:31
221002-t1wezsgbhl 1019-09-2022 13:21
220919-qlrxgaafe8 1015-09-2022 14:04
220915-rdlwxshabn 1026-08-2022 08:00
220826-jwaydaaeg2 9Analysis
-
max time kernel
15s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
submitted
26-08-2022 08:00
Static task
static1
Behavioral task
behavioral1
Sample
lsassd.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
lsassd.exe
Resource
win10v2004-20220812-en
General
-
Target
lsassd.exe
-
Size
58KB
-
MD5
d197883d8745a61fe25aebea85622a65
-
SHA1
5d22d359e7b8dc70ccf5e369fb07f2e0960ef76f
-
SHA256
b3ebc327773f5f846deeb1255475644a630c4d0d3b4eda3bbf995a36599c07cf
-
SHA512
da074afa91c88ba5f2ee95ca515e8c608686f8b8e63a28e2fbf21074d311f6c6aab6a433f19f990693c077db9087cf58322f683219401c7c05d3c3cb9a377b7b
-
SSDEEP
1536:BvJwvssB+bN7VkeiQMK9ZPbrJhKYUWXWjkC:B4sLbNizg9ZPbreSAkC
Malware Config
Extracted
C:\odt\!!!READ TO RECOVER YOUR DATA!!!.txt
moisha
https://tox.chat/
Signatures
-
Moisha
Moisha is a ransomware family first seen in August 2022.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml lsassd.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\meta-index lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf lsassd.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar lsassd.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar lsassd.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml lsassd.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml lsassd.exe File opened for modification C:\Program Files\SendRequest.DVR lsassd.exe File opened for modification C:\Program Files\Google\Chrome\Application\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar lsassd.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms lsassd.exe File opened for modification C:\Program Files\RepairReset.asx lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif lsassd.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar lsassd.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar lsassd.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\LICENSE lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms lsassd.exe File created C:\Program Files\Common Files\Services\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml lsassd.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml lsassd.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties lsassd.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\cmm\PYCC.pf lsassd.exe File created C:\Program Files\Microsoft Office\root\Office16\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\7-Zip\Lang\io.txt lsassd.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF lsassd.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css lsassd.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml lsassd.exe File opened for modification C:\Program Files\7-Zip\Lang\!!!READ TO RECOVER YOUR DATA!!!.txt lsassd.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5784 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe 460 lsassd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 460 lsassd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lsassd.exe"C:\Users\Admin\AppData\Local\Temp\lsassd.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rm lsassd.exe2⤵PID:3600
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5784
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1828