Resubmissions

02-10-2022 16:34

221002-t3c2esegb2 10

02-10-2022 16:31

221002-t1wezsgbhl 10

19-09-2022 13:21

220919-qlrxgaafe8 10

15-09-2022 14:04

220915-rdlwxshabn 10

26-08-2022 08:00

220826-jwaydaaeg2 9

Analysis

  • max time kernel
    15s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 14:04

General

  • Target

    lsassd.exe

  • Size

    58KB

  • MD5

    d197883d8745a61fe25aebea85622a65

  • SHA1

    5d22d359e7b8dc70ccf5e369fb07f2e0960ef76f

  • SHA256

    b3ebc327773f5f846deeb1255475644a630c4d0d3b4eda3bbf995a36599c07cf

  • SHA512

    da074afa91c88ba5f2ee95ca515e8c608686f8b8e63a28e2fbf21074d311f6c6aab6a433f19f990693c077db9087cf58322f683219401c7c05d3c3cb9a377b7b

  • SSDEEP

    1536:BvJwvssB+bN7VkeiQMK9ZPbrJhKYUWXWjkC:B4sLbNizg9ZPbreSAkC

Score
10/10

Malware Config

Extracted

Path

C:\Program Files\!!!READ TO RECOVER YOUR DATA!!!.txt

Family

moisha

Ransom Note
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~~####~ ###~##~~~~##~~##~~~~~~##~~~~~~##~~~~~~~~##~~##~~~~##~~## ##~#~#~~~~##~~##~~~~~~##~~~~~~~####~~~~~######~~~~###### ##~~~#~~~~##~~##~~~~~~##~~~~~~~~~~##~~~~##~~##~~~~##~~## ##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~##~~## Hi Jewels Infosystems, this is Moisha! What happened? All just our Poles Testers team penetrated your network! What do we want? We want money for our silence and decrypting your files! What did we do?, We entered your corporate network, stole your work files among them the source codes of your projects! Leaving, we encrypted them, more than you are sure of you have their copy! What do we do? We will contact your every client, and let us inform you that you were hacked and all your customers are now at risk working with the programs of whose source code we have! What to do that all this would not be and return all to places? All we just want money, namely 55.5555 dollars, for our silence and decryption of your network. What will happen if you do not get in touch? : 1. We will publish part of the source of your projects (this will cause reputational harm to your company) 2. We will sell part of the sources to your competitors or anyone who wants to buy them! 3. We are knitted with everyone who works with you or has any connection with your company, be your partners or clients of your company. 4. We will report to regional news that you were hacked! All this can be avoided, how? 1. You get in touch with us. 2. We agree in the first 48 hours it will be fast! 3. You pay the agreed amount. 4. We restore everything that we encrypted. 5. We will return your source codes to you and will not publish them on forums and sell them to second and third parties. Make sure that we are not the time you wash, looking at the provider’s report and understand that all your sources and projects merged from you !! We have downloaded all your program sources! over 200 gigabytes! Don't delay! we are waiting for you at the negotiations, we will be able to confirm the availability of your files! You can contact us: To quickly communicate, use mail ([email protected] [email protected]) - Use the Tox Messenger, You Can download heere https://tox.chat/ to comunicate with the Operator Via Tox Messenger: Moisha Id Operator in Tox Messenger 693E9B36480678C055555A135337A72913FA16FA704919191919BCEBDFC647ACB0BCACF160AA408304642B Sincerely MOISHA !! ##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~~####~~~~~##~~~~~~####~~~####~~##~~## ###~##~~~~##~~##~~~~~~##~~~~~~##~~~~~~~~##~~##~~~~##~~##~~~~##~~~~~##~~##~##~~##~##~##~ ##~#~#~~~~##~~##~~~~~~##~~~~~~~####~~~~~######~~~~######~~~~##~~~~~##~~##~##~~~~~####~~ ##~~~#~~~~##~~##~~~~~~##~~~~~~~~~~##~~~~##~~##~~~~##~~##~~~~##~~~~~##~~##~##~~##~##~##~ ##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~##~~##~~~~######~~####~~~####~~##~~##
URLs

https://tox.chat/

Signatures

  • Moisha

    Moisha is a ransomware family first seen in August 2022.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lsassd.exe
    "C:\Users\Admin\AppData\Local\Temp\lsassd.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3492
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:3528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rm lsassd.exe
      2⤵
        PID:5188
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:5840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3492-133-0x0000000000D50000-0x0000000000D64000-memory.dmp

        Filesize

        80KB

      • memory/3492-134-0x00007FF984720000-0x00007FF9851E1000-memory.dmp

        Filesize

        10.8MB

      • memory/3492-135-0x00007FF984720000-0x00007FF9851E1000-memory.dmp

        Filesize

        10.8MB

      • memory/3492-138-0x00007FF984720000-0x00007FF9851E1000-memory.dmp

        Filesize

        10.8MB

      • memory/5188-139-0x00007FF984720000-0x00007FF9851E1000-memory.dmp

        Filesize

        10.8MB

      • memory/5188-140-0x000002A838ED0000-0x000002A838EF2000-memory.dmp

        Filesize

        136KB

      • memory/5188-141-0x00007FF984720000-0x00007FF9851E1000-memory.dmp

        Filesize

        10.8MB