Resubmissions
02-10-2022 16:34
221002-t3c2esegb2 1002-10-2022 16:31
221002-t1wezsgbhl 1019-09-2022 13:21
220919-qlrxgaafe8 1015-09-2022 14:04
220915-rdlwxshabn 1026-08-2022 08:00
220826-jwaydaaeg2 9Analysis
-
max time kernel
15s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
submitted
26-08-2022 08:00
General
-
Target
lsassd.exe
-
Size
58KB
-
MD5
d197883d8745a61fe25aebea85622a65
-
SHA1
5d22d359e7b8dc70ccf5e369fb07f2e0960ef76f
-
SHA256
b3ebc327773f5f846deeb1255475644a630c4d0d3b4eda3bbf995a36599c07cf
-
SHA512
da074afa91c88ba5f2ee95ca515e8c608686f8b8e63a28e2fbf21074d311f6c6aab6a433f19f990693c077db9087cf58322f683219401c7c05d3c3cb9a377b7b
-
SSDEEP
1536:BvJwvssB+bN7VkeiQMK9ZPbrJhKYUWXWjkC:B4sLbNizg9ZPbreSAkC
Score
10/10
Malware Config
Extracted
Path
C:\odt\!!!READ TO RECOVER YOUR DATA!!!.txt
Family
moisha
Ransom Note
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~~####~
###~##~~~~##~~##~~~~~~##~~~~~~##~~~~~~~~##~~##~~~~##~~##
##~#~#~~~~##~~##~~~~~~##~~~~~~~####~~~~~######~~~~######
##~~~#~~~~##~~##~~~~~~##~~~~~~~~~~##~~~~##~~##~~~~##~~##
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~##~~##
Hi Jewels Infosystems, this is Moisha!
What happened?
All just our Poles Testers team penetrated your network!
What do we want? We want money for our silence and decrypting your files!
What did we do?, We entered your corporate network, stole your work files among them the source codes
of your projects! Leaving, we encrypted them, more than you are sure of you have their copy!
What do we do? We will contact your every client, and let us inform you that you were hacked and all
your customers are now at risk working with the programs of whose source code we have!
What to do that all this would not be and return all to places?
All we just want money, namely 55.5555 dollars, for our silence and decryption of your network.
What will happen if you do not get in touch? :
1. We will publish part of the source of your projects (this will cause reputational harm to your company)
2. We will sell part of the sources to your competitors or anyone who wants to buy them!
3. We are knitted with everyone who works with you or has any connection with your company, be your
partners or clients of your company.
4. We will report to regional news that you were hacked!
All this can be avoided, how?
1. You get in touch with us.
2. We agree in the first 48 hours it will be fast!
3. You pay the agreed amount.
4. We restore everything that we encrypted.
5. We will return your source codes to you and will not publish them on forums and sell them to second
and third parties.
Make sure that we are not the time you wash, looking at the provider’s report and understand that all
your sources and projects merged from you !!
We have downloaded all your program sources! over 200 gigabytes! Don't delay! we are waiting for you at
the negotiations, we will be able to confirm the availability of your files!
You can contact us:
To quickly communicate, use mail ([email protected] [email protected])
- Use the Tox Messenger, You Can download heere https://tox.chat/
to comunicate with the Operator Via Tox Messenger:
Moisha Id Operator in Tox Messenger
693E9B36480678C055555A135337A72913FA16FA704919191919BCEBDFC647ACB0BCACF160AA408304642B
Sincerely MOISHA !!
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~~####~~~~~##~~~~~~####~~~####~~##~~##
###~##~~~~##~~##~~~~~~##~~~~~~##~~~~~~~~##~~##~~~~##~~##~~~~##~~~~~##~~##~##~~##~##~##~
##~#~#~~~~##~~##~~~~~~##~~~~~~~####~~~~~######~~~~######~~~~##~~~~~##~~##~##~~~~~####~~
##~~~#~~~~##~~##~~~~~~##~~~~~~~~~~##~~~~##~~##~~~~##~~##~~~~##~~~~~##~~##~##~~##~##~##~
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~##~~##~~~~######~~####~~~####~~##~~##
URLs
https://tox.chat/
Signatures
-
Moisha
Moisha is a ransomware family first seen in August 2022.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Program Files directory 64 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lsassd.exe"C:\Users\Admin\AppData\Local\Temp\lsassd.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rm lsassd.exe2⤵
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-