Resubmissions
02-10-2022 16:34  221002-t3c2esegb2  score 10
02-10-2022 16:31  221002-t1wezsgbhl  score 10
19-09-2022 13:21  220919-qlrxgaafe8  score 10
15-09-2022 14:04  220915-rdlwxshabn  score 10
26-08-2022 08:00  220826-jwaydaaeg2  score 9
Analysis
max time kernel: 36s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 16:31
Static task: static1
Behavioral task: behavioral1
Sample: lsassd.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
4 signatures, 150 seconds
General
Target: lsassd.exe
Size: 58KB
MD5: d197883d8745a61fe25aebea85622a65
SHA1: 5d22d359e7b8dc70ccf5e369fb07f2e0960ef76f
SHA256: b3ebc327773f5f846deeb1255475644a630c4d0d3b4eda3bbf995a36599c07cf
SHA512: da074afa91c88ba5f2ee95ca515e8c608686f8b8e63a28e2fbf21074d311f6c6aab6a433f19f990693c077db9087cf58322f683219401c7c05d3c3cb9a377b7b
SSDEEP: 1536:BvJwvssB+bN7VkeiQMK9ZPbrJhKYUWXWjkC:B4sLbNizg9ZPbreSAkC
Score: 10/10
Malware Config
Extracted
Path: C:\odt\!!!READ TO RECOVER YOUR DATA!!!.txt
Family: moisha
Ransom Note:
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~~####~
###~##~~~~##~~##~~~~~~##~~~~~~##~~~~~~~~##~~##~~~~##~~##
##~#~#~~~~##~~##~~~~~~##~~~~~~~####~~~~~######~~~~######
##~~~#~~~~##~~##~~~~~~##~~~~~~~~~~##~~~~##~~##~~~~##~~##
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~##~~##
Hi Jewels Infosystems, this is Moisha!
What happened?
All just our Poles Testers team penetrated your network!
What do we want? We want money for our silence and decrypting your files!
What did we do?, We entered your corporate network, stole your work files among them the source codes
of your projects! Leaving, we encrypted them, more than you are sure of you have their copy!
What do we do? We will contact your every client, and let us inform you that you were hacked and all
your customers are now at risk working with the programs of whose source code we have!
What to do that all this would not be and return all to places?
All we just want money, namely 55.5555 dollars, for our silence and decryption of your network.
What will happen if you do not get in touch? :
1. We will publish part of the source of your projects (this will cause reputational harm to your company)
2. We will sell part of the sources to your competitors or anyone who wants to buy them!
3. We are knitted with everyone who works with you or has any connection with your company, be your
partners or clients of your company.
4. We will report to regional news that you were hacked!
All this can be avoided, how?
1. You get in touch with us.
2. We agree in the first 48 hours it will be fast!
3. You pay the agreed amount.
4. We restore everything that we encrypted.
5. We will return your source codes to you and will not publish them on forums and sell them to second
and third parties.
Make sure that we are not the time you wash, looking at the provider’s report and understand that all
your sources and projects merged from you !!
We have downloaded all your program sources! over 200 gigabytes! Don't delay! we are waiting for you at
the negotiations, we will be able to confirm the availability of your files!
You can contact us:
To quickly communicate, use mail ([email protected] [email protected])
- Use the Tox Messenger, You Can download heere https://tox.chat/
to comunicate with the Operator Via Tox Messenger:
Moisha Id Operator in Tox Messenger
693E9B36480678C055555A135337A72913FA16FA704919191919BCEBDFC647ACB0BCACF160AA408304642B
Sincerely MOISHA !!
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~~####~~~~~##~~~~~~####~~~####~~##~~##
###~##~~~~##~~##~~~~~~##~~~~~~##~~~~~~~~##~~##~~~~##~~##~~~~##~~~~~##~~##~##~~##~##~##~
##~#~#~~~~##~~##~~~~~~##~~~~~~~####~~~~~######~~~~######~~~~##~~~~~##~~##~##~~~~~####~~
##~~~#~~~~##~~##~~~~~~##~~~~~~~~~~##~~~~##~~##~~~~##~~##~~~~##~~~~~##~~##~##~~##~##~##~
##~~~#~~~~~####~~~~~######~~~~~####~~~~~##~~##~~~~##~~##~~~~######~~####~~~####~~##~~##
URLs: https://tox.chat/
Signatures
- Moisha
  Moisha is a ransomware family first seen in August 2022.
- Drops file in Program Files directory (64 IoCs)
  Processes: lsassd.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes: lsassd.exe, PID 4900 (31 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: lsassd.exe, PID 4900, Token: SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\lsassd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lsassd.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4900
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2164