Resubmissions
  02-10-2022 16:34  221002-t3c2esegb2  score 10
  02-10-2022 16:31  221002-t1wezsgbhl  score 10
  19-09-2022 13:21  220919-qlrxgaafe8  score 10
  15-09-2022 14:04  220915-rdlwxshabn  score 10
  26-08-2022 08:00  220826-jwaydaaeg2  score 9

Analysis
  max time kernel:   15s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220901-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         15-09-2022 14:04
Static task
  static1
Behavioral task
  behavioral1: sample lsassd.exe, resource win7-20220812-en
Behavioral task
  behavioral2: sample lsassd.exe, resource win10v2004-20220901-en
General
  Target:  lsassd.exe
  Size:    58KB
  MD5:     d197883d8745a61fe25aebea85622a65
  SHA1:    5d22d359e7b8dc70ccf5e369fb07f2e0960ef76f
  SHA256:  b3ebc327773f5f846deeb1255475644a630c4d0d3b4eda3bbf995a36599c07cf
  SHA512:  da074afa91c88ba5f2ee95ca515e8c608686f8b8e63a28e2fbf21074d311f6c6aab6a433f19f990693c077db9087cf58322f683219401c7c05d3c3cb9a377b7b
  SSDEEP:  1536:BvJwvssB+bN7VkeiQMK9ZPbrJhKYUWXWjkC:B4sLbNizg9ZPbreSAkC
Malware Config
  Extracted from:  C:\Program Files\!!!READ TO RECOVER YOUR DATA!!!.txt
  Family:          moisha
  URLs:            https://tox.chat/
Signatures

Moisha
  Moisha is a ransomware family first seen in August 2022.

Deletes shadow copies (2 TTPs)
  Ransomware often deletes backups and shadow copies to inhibit system recovery.
Drops file in Program Files directory (64 IoCs)
  All 64 entries are attributed to lsassd.exe. The ransom note !!!READ TO RECOVER YOUR DATA!!!.txt is created or rewritten in each directory the sample visits; the remaining entries are existing files opened for modification, consistent with in-place encryption.

  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml | lsassd.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\jre\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar | lsassd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt | lsassd.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar | lsassd.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms | lsassd.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml | lsassd.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\amd64\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\License.txt | lsassd.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml | lsassd.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\!!!READ TO RECOVER YOUR DATA!!!.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | lsassd.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklisted.certs | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | lsassd.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb | lsassd.exe
  File opened for modification | C:\Program Files\Common Files\System\ado\msado21.tlb | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml | lsassd.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar | lsassd.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties | lsassd.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF | lsassd.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 3528  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 3492  lsassd.exe  (31 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 3492  lsassd.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\lsassd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\lsassd.exe"
    PID: 3492
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    |
    +-- C:\Windows\System32\vssadmin.exe
    |     command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    |     PID: 3528
    |     - Interacts with shadow copies
    |
    +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rm lsassd.exe
          PID: 5188

  C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    PID: 5840

  Reading the tree: the sample runs from the user's Temp directory under a name (lsassd.exe) that imitates the Windows lsass.exe process. Its two children are the shadow-copy wipe (vssadmin delete shadows /all /quiet) and a PowerShell invocation of rm, an alias of Remove-Item, against the sample's own file name, i.e. self-deletion. vssvc.exe, the Volume Shadow Copy service, appears as a separate root because the service control manager starts it on demand when vssadmin issues its request; it is not spawned by the sample and is not itself malicious.
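As an added example that is not part of this report or of the sandbox's own signature logic, the Python below applies three process-tree checks to events modelled on the tree above: shadow-copy deletion (it also covers the wmic shadowcopy delete form, which this report does not show), a child process deleting its parent's executable, and an image whose name imitates a core system binary outside C:\Windows. The PIDs, image paths and command lines are the ones the report lists; the parent links, the ppid of 0 for the two roots, and the ProcEvent record shape are assumptions.

```python
"""Added example (not part of the sandbox report): rule-based triage of
process-creation events modelled on the report's process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = no parent recorded (a root in the report's tree)
    image: str
    cmdline: str


# Constructed sample: the four processes from the report, with the parent
# links the tree shows (vssvc.exe is a root, started by the SCM, not by the sample).
SAMPLE_EVENTS = [
    ProcEvent(3492, 0, r"C:\Users\Admin\AppData\Local\Temp\lsassd.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\lsassd.exe"'),
    ProcEvent(3528, 3492, r"C:\Windows\System32\vssadmin.exe",
              r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    ProcEvent(5188, 3492, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rm lsassd.exe'),
    ProcEvent(5840, 0, r"C:\Windows\system32\vssvc.exe",
              r"C:\Windows\system32\vssvc.exe"),
]

# Shadow-copy deletion (MITRE T1490): the vssadmin form seen in the report
# plus the wmic form, which is a generalisation not present in this report.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
# A delete verb followed by an .exe token, e.g. `rm lsassd.exe` (rm is an
# alias of Remove-Item in PowerShell).
DELETE_EXE = re.compile(r"\b(?:rm|del|erase|Remove-Item)\b\s+(?P<tok>[^\s\"']+\.exe)", re.I)
# Core system binary names a dropper may imitate.
SYSTEM_NAMES = ("lsass", "csrss", "smss", "wininit", "winlogon", "services", "svchost")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def masquerading_name(image: str):
    """Return the system binary name that `image` imitates, or None.

    Flags an exact system name outside C:\\Windows (wrong directory) and a
    near-match such as lsassd -> lsass anywhere (wrong name).
    """
    name = basename(image).lower()
    stem = name[:-4] if name.endswith(".exe") else name
    in_windows = image.lower().startswith("c:\\windows\\")
    for sysname in SYSTEM_NAMES:
        if stem == sysname and not in_windows:
            return sysname
        if stem != sysname and stem.startswith(sysname) and len(stem) - len(sysname) <= 2:
            return sysname
    return None


def triage(events):
    """Return a list of (technique_id, pid, note) findings, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        via = f" spawned by {basename(parent.image)} (pid {parent.pid})" if parent else ""
        # T1490 Inhibit System Recovery
        if any(p.search(e.cmdline) for p in SHADOW_DELETE):
            findings.append(("T1490", e.pid, f"shadow copy deletion: {e.cmdline}{via}"))
        # T1070.004 Indicator Removal: File Deletion, restricted to the case
        # where the deleted file name is the parent's own image name.
        m = DELETE_EXE.search(e.cmdline)
        if m and parent and basename(m.group("tok")).lower() == basename(parent.image).lower():
            findings.append(("T1070.004", e.pid,
                             f"parent deletes its own image via {basename(e.image)}: {e.cmdline}"))
        # T1036.005 Masquerading: Match Legitimate Name or Location
        target = masquerading_name(e.image)
        if target:
            findings.append(("T1036.005", e.pid,
                             f"{basename(e.image)} at {e.image} resembles system binary {target}.exe"))
    return findings


if __name__ == "__main__":
    for technique, pid, note in triage(SAMPLE_EVENTS):
        print(f"{technique:10} pid {pid:<5} {note}")
```

Run as a script it prints three findings, one per malicious process in the tree, and nothing for vssvc.exe. To run it over real telemetry, build ProcEvent records from Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) or the equivalent EDR process-start fields; the self-deletion check deliberately requires the deleted file name to equal the parent's image name so that ordinary cleanup scripts do not fire it.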