misp-circl-feed/feeds/circl/misp/a57a8551-4e22-44b9-a72d-fa8345532029.json

{
"Event": {
"analysis": "0",
"date": "2023-04-13",
"extends_uuid": "",
"info": "HALFRIG - Malware Analysis Report",
"publish_timestamp": "1681907498",
"published": true,
"threat_level_id": "1",
"timestamp": "1681907481",
"uuid": "a57a8551-4e22-44b9-a72d-fa8345532029",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"HALFRIG\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"",
"relationship_type": ""
},
{
"colour": "#054300",
"local": false,
"name": "admiralty-scale:source-reliability=\"a\"",
"relationship_type": ""
},
{
"colour": "#0029ff",
"local": false,
"name": "estimative-language:confidence-in-analytic-judgment=\"high\"",
"relationship_type": ""
},
{
"colour": "#001fc2",
"local": false,
"name": "estimative-language:likelihood-probability=\"almost-certain\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Pattern: ENVYSCOUT backend fingerprint collector; p.php receives the visitor's IP address and User-Agent as query parameters (<IP> and <USER_AGENT> are placeholders, not literal values)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681903524",
"to_ids": true,
"type": "pattern-in-traffic",
"uuid": "e7963e75-00ed-4542-8e3d-4d7bc73fee77",
"value": "sawabfoundation.net/p.php?ip=<IP>&ua=<USER_AGENT>"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681903127",
"to_ids": true,
"type": "url",
"uuid": "da0840d2-552d-4198-9f22-bb212dd53880",
"value": "sawabfoundation.net/note.html"
},
{
"category": "Network activity",
"comment": "Compromised third-party hosting used to serve ENVYSCOUT (see the T1584 tag); treat as a victim domain that may be cleaned up, so re-validate before long-term blocking",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681903133",
"to_ids": true,
"type": "domain",
"uuid": "2295b11f-5b27-43ea-b152-f2f2b0580e8f",
"value": "sawabfoundation.net"
},
{
"category": "Network activity",
"comment": "CobaltStrike redirector fronting the actual C2 domain (sanjosemotosport.com)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681903139",
"to_ids": true,
"type": "domain",
"uuid": "5ef9091e-b65c-4033-8136-878f4ddea0b5",
"value": "communitypowersports.com"
},
{
"category": "Network activity",
"comment": "Actual CobaltStrike C2 behind the communitypowersports.com redirector",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681903145",
"to_ids": true,
"type": "domain",
"uuid": "a04f9dd8-a1c0-43d3-9b3b-bcfd9c95747b",
"value": "sanjosemotosport.com"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1681803944",
"uuid": "9a5c7967-ce23-4e98-956b-f1e09bc6f77b",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1681803944",
"to_ids": false,
"type": "link",
"uuid": "c5e93a26-3edb-468d-8231-548ab7518f30",
"value": "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1681803944",
"to_ids": false,
"type": "text",
"uuid": "4433e9c9-7e46-4bd1-a31b-31ec7fd42fe7",
"value": "HALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly\r\noverlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG\r\nhas significant code overlap with QUARTERRIG and it is highly probable that it was developed\r\nby the same team."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1681803944",
"to_ids": false,
"type": "text",
"uuid": "a2b33d90-ff72-47d1-af81-a90215d00c96",
"value": "Report"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1681803944",
"to_ids": false,
"type": "attachment",
"uuid": "acb1b478-874b-4e5d-adbe-54b25f38c80f",
"value": "HALFRIG_.pdf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1681826311",
"uuid": "fee5eb3a-c2dd-40ea-97ff-78d827b5848c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1681826311",
"to_ids": false,
"type": "comment",
"uuid": "d5fa3ac4-88c8-43e3-a834-3d73bc4b5991",
"value": "A rule that can be used to hunt for HALFRIG samples; per its own description it has not been validated against a large dataset and is meant for threat hunting rather than automated blocking"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1681826311",
"to_ids": false,
"type": "link",
"uuid": "71b8533b-8bbb-4e1c-a3d8-d2d3a5d58ddc",
"value": "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1681826311",
"to_ids": true,
"type": "yara",
"uuid": "3bbad14a-c57a-4778-8859-66a3e31088be",
"value": "rule APT29_HALFRIG_OBFUSCATION\r\n{\r\nmeta:\r\ndescription = \"Detects obfuscation patterns used in HALFRIG. This rule wasn't tested against large dataset, it should be used for threat hunting and not on services like VTI.\"\r\n\r\nstrings:\r\n\r\n// Decryption constants and decryption operation\r\n\r\n$ = {48 BB 0B 91 09 19 4D FD 9B F3 }\r\n\r\n\r\n$ = {4D 8D 40 01 48 8B CA 48 8B C2 48 C1 E9 38 48 83 C9 01 48 C1 E0 08 48 8B D1 48 33 D0}\r\n\r\n\r\n$ = {C7 05 [3] 00 F7 91 4D 01 }\r\n\r\n condition:\r\n\r\nuint16(0) == 0x5A4D\r\n\r\nand\r\n\r\nfilesize < 500KB\r\n\r\nand\r\n\r\nall of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1681826311",
"to_ids": false,
"type": "text",
"uuid": "a88c93a9-2b8d-408b-b7f7-5e913125dc8e",
"value": "APT29_HALFRIG_OBFUSCATION"
}
]
},
{
"comment": "Legitimate binary (Note.exe) abused to side-load the malicious AppvIsvSubsystems64.dll (T1574.002); the executable itself is benign, so its hashes are a weak detection signal on their own and should be used together with the DLL indicators",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681902818",
"uuid": "fad6bb9e-862f-428a-9ded-fe90217d1c18",
"ObjectReference": [
{
"comment": "",
"object_uuid": "fad6bb9e-862f-428a-9ded-fe90217d1c18",
"referenced_uuid": "f7585879-72a8-4a51-a414-cdae1aa8947c",
"relationship_type": "followed-by",
"timestamp": "1681902818",
"uuid": "f636a565-39e9-4139-8622-b445f2523766"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681894020",
"to_ids": true,
"type": "sha1",
"uuid": "76b9f785-a452-4d6b-b542-ee53d98c874f",
"value": "d9d40cb3e2fe05cf223dc0b592a592c132340042"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681894020",
"to_ids": true,
"type": "md5",
"uuid": "8c520e11-bc0e-49f3-9fba-a9a1dc002990",
"value": "83863beee3502e42ced7e4b6dacb9eac"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681894020",
"to_ids": true,
"type": "sha256",
"uuid": "a6d6ca06-9010-4e37-9846-3fcea0397cc9",
"value": "cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681894020",
"to_ids": true,
"type": "filename",
"uuid": "6e965e9f-bf16-4ff7-852a-f706629443f7",
"value": "Note.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681894020",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "f7e9dcd2-4d67-4ac7-8048-660913a90ec6",
"value": "1597000"
}
]
},
{
"comment": "Virtual disc (ISO) container (Note.iso) holding the loader chain; the event is tagged with HTML Smuggling (T1027.006) and Mark-of-the-Web Bypass (T1553.005), consistent with ISO delivery so that mounted contents carry no MotW",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681897981",
"uuid": "b1dd9581-897d-4ac8-bd2f-98f30d601147",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b1dd9581-897d-4ac8-bd2f-98f30d601147",
"referenced_uuid": "fad6bb9e-862f-428a-9ded-fe90217d1c18",
"relationship_type": "contains",
"timestamp": "1681897910",
"uuid": "e7afba87-3c9b-4df2-a5fe-64fdaeb68403"
},
{
"comment": "",
"object_uuid": "b1dd9581-897d-4ac8-bd2f-98f30d601147",
"referenced_uuid": "f7585879-72a8-4a51-a414-cdae1aa8947c",
"relationship_type": "contains",
"timestamp": "1681897932",
"uuid": "332592ba-f3be-4068-aa6e-d00d0f3e5654"
},
{
"comment": "",
"object_uuid": "b1dd9581-897d-4ac8-bd2f-98f30d601147",
"referenced_uuid": "fab51584-fda0-4be9-88e2-d301c21dacd8",
"relationship_type": "contains",
"timestamp": "1681897950",
"uuid": "4ecd062f-0300-4c88-bbc3-0e450490859c"
},
{
"comment": "",
"object_uuid": "b1dd9581-897d-4ac8-bd2f-98f30d601147",
"referenced_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"relationship_type": "contains",
"timestamp": "1681897966",
"uuid": "b07733b1-2d8e-44e9-9cb1-30c4a9649eb7"
},
{
"comment": "",
"object_uuid": "b1dd9581-897d-4ac8-bd2f-98f30d601147",
"referenced_uuid": "09833510-9b3b-4e7f-974a-423e25b96e5b",
"relationship_type": "contains",
"timestamp": "1681897981",
"uuid": "6c927fd4-5d82-411e-be5c-ee93c999b5cd"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681894160",
"to_ids": true,
"type": "sha1",
"uuid": "f9911630-a510-4de8-860e-dd28a2c54cdc",
"value": "fbb482415f5312ed64b3a0ebee7fed5e6610c21a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681894160",
"to_ids": true,
"type": "md5",
"uuid": "bed8b637-3828-49fd-b5ca-19a97848e783",
"value": "0e5ed33778ee9c020aa067546384abcb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681894160",
"to_ids": true,
"type": "sha256",
"uuid": "e6386cb8-ba5f-4f13-88bb-92880808a1c9",
"value": "d1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681894160",
"to_ids": true,
"type": "filename",
"uuid": "c4234de5-f1f8-4289-975c-5adcdcaa7264",
"value": "Note.iso"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681894160",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "27b0b487-84e3-4991-802d-f49805942220",
"value": "2688000"
}
]
},
{
"comment": "1st module: AppvIsvSubsystems64.dll, side-loaded by Note.exe; followed by the 2nd module (msword.dll)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681902838",
"uuid": "f7585879-72a8-4a51-a414-cdae1aa8947c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f7585879-72a8-4a51-a414-cdae1aa8947c",
"referenced_uuid": "fab51584-fda0-4be9-88e2-d301c21dacd8",
"relationship_type": "followed-by",
"timestamp": "1681902838",
"uuid": "6df759b9-eb76-404a-aa97-8c6a47863dc7"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681894547",
"to_ids": true,
"type": "sha1",
"uuid": "6b89113e-af2f-4b48-970d-4a177ddd940c",
"value": "f61e0d09be2fc81d6f325aa7041be6136a747c2d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681894547",
"to_ids": true,
"type": "md5",
"uuid": "30d4314f-555d-4f81-8240-27f73229d435",
"value": "f532c0247b683de8936982e86876093b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681894547",
"to_ids": true,
"type": "sha256",
"uuid": "4b1ee9fc-8757-411d-8496-263296e00302",
"value": "ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681894547",
"to_ids": true,
"type": "filename",
"uuid": "22680f2f-2f51-4a77-bbbe-879f35f0505f",
"value": "AppvIsvSubsystems64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681894547",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "6bc25a0f-be75-41f1-8d2b-c16fc8ca1a92",
"value": "27000"
}
]
},
{
"comment": "2nd module: msword.dll, loaded after AppvIsvSubsystems64.dll; followed by the 3rd module (envsrv.dll)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681902852",
"uuid": "fab51584-fda0-4be9-88e2-d301c21dacd8",
"ObjectReference": [
{
"comment": "",
"object_uuid": "fab51584-fda0-4be9-88e2-d301c21dacd8",
"referenced_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"relationship_type": "followed-by",
"timestamp": "1681902852",
"uuid": "78478ab8-e9d5-4c16-9291-c7651dd46296"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681894650",
"to_ids": true,
"type": "sha1",
"uuid": "3de0eeae-a046-4467-9f2d-7701a4f774eb",
"value": "e418d37fdcf4c288884bfe744b416cbdb0243a9e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681894650",
"to_ids": true,
"type": "md5",
"uuid": "99b266dd-f6df-4ba7-a601-5ff4c9210ad0",
"value": "abc87df854f31725dd1d7231f6f07354"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681894650",
"to_ids": true,
"type": "sha256",
"uuid": "9b395459-acf6-443a-8c6d-181d78501a70",
"value": "efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681894650",
"to_ids": true,
"type": "filename",
"uuid": "b4d94f8e-718b-4522-a059-1c9796cabb04",
"value": "msword.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681894650",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "12721c3c-55bb-4cd1-b1ed-512f6635b983",
"value": "53000"
}
]
},
{
"comment": "3rd module: envsrv.dll; injects into the system processes referenced below (RunTimeBroker.exe, TaskHostW.exe, Svchost.exe, IpfHelper.exe, SecurityHealthService.exe, ApplicationFrameHost.exe) and is followed by the shellcode stager (mschost.dll)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681902873",
"uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "a6b876c3-c517-48a4-9b4e-0ae68492089a",
"relationship_type": "injected-into",
"timestamp": "1681895258",
"uuid": "df621e8c-a1f8-4563-ae58-5056d8721bc8"
},
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "b3ddd480-33ba-462a-a783-98bc0315ba43",
"relationship_type": "injected-into",
"timestamp": "1681895268",
"uuid": "69f1e492-92be-4ddb-9065-5875c300fb64"
},
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "6f954c43-b864-43ad-8579-5eda4026a3b7",
"relationship_type": "injected-into",
"timestamp": "1681895296",
"uuid": "bdea8655-236e-4d3f-be72-bccaaba00945"
},
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "ad1e8e48-20db-488e-95fd-bb75b6f96293",
"relationship_type": "injected-into",
"timestamp": "1681895310",
"uuid": "ed112259-cb70-47ce-8199-0b25042bb40a"
},
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "77bba20a-f103-402c-9fd6-40fd2641f7f9",
"relationship_type": "injected-into",
"timestamp": "1681895335",
"uuid": "00fa2c4d-9637-4ba5-9078-25868ba303e3"
},
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "ca7257d8-9bdc-459e-9f7f-5cdeecbd549d",
"relationship_type": "injected-into",
"timestamp": "1681895343",
"uuid": "fc13195d-b616-4436-9696-a39d01b360ea"
},
{
"comment": "",
"object_uuid": "4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"referenced_uuid": "09833510-9b3b-4e7f-974a-423e25b96e5b",
"relationship_type": "followed-by",
"timestamp": "1681902873",
"uuid": "8593c2b5-1b05-429a-ae76-b35b83597640"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681894839",
"to_ids": true,
"type": "sha1",
"uuid": "9b9287f4-c070-483a-b72b-918375565821",
"value": "6dff9a9f13300a5ce72a70d907ff7854599e990a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681894839",
"to_ids": true,
"type": "md5",
"uuid": "f7493629-d3d7-4c9e-be47-58454542f20c",
"value": "2ffaa8cbc7f0d21d03d3dd897d974dba"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681894839",
"to_ids": true,
"type": "sha256",
"uuid": "f52ccaf4-bbb5-435f-864b-9a1b48bdae3f",
"value": "cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681894839",
"to_ids": true,
"type": "filename",
"uuid": "0833e9ca-92e9-455f-ac43-9dcfe1d94220",
"value": "envsrv.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681894839",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "d5f94a8e-0cdc-47aa-8829-2bba3fe69a41",
"value": "56000"
}
]
},
{
"comment": "4th module (shellcode stager): mschost.dll, the last stage in the chain described here; HALFRIG as a whole stages a CobaltStrike Beacon (see summary)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681894913",
"uuid": "09833510-9b3b-4e7f-974a-423e25b96e5b",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681894913",
"to_ids": true,
"type": "sha1",
"uuid": "338c8740-dbf4-4315-b0f9-6f0e6be71fcb",
"value": "a677b6aa958fe02cac0730d36e8123648e02884f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681894913",
"to_ids": true,
"type": "md5",
"uuid": "20579f5c-1163-4ce7-a897-f405ee8a279b",
"value": "5b6d8a474c556fe327004ed8a33edcdb"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681894913",
"to_ids": true,
"type": "sha256",
"uuid": "995ba181-aa8f-4894-9939-b4e41f4b19d8",
"value": "86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681894913",
"to_ids": true,
"type": "filename",
"uuid": "77d38de7-27dd-4d64-85ea-cc70d7a6ceea",
"value": "mschost.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681894913",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "2a734e66-beec-4d1c-9d86-6f6dce879364",
"value": "391000"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "10",
"timestamp": "1681894972",
"uuid": "a6b876c3-c517-48a4-9b4e-0ae68492089a",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1681894972",
"to_ids": false,
"type": "text",
"uuid": "074efb8b-4300-44e1-b81b-85c33a3f61f8",
"value": "RunTimeBroker.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "10",
"timestamp": "1681895005",
"uuid": "b3ddd480-33ba-462a-a783-98bc0315ba43",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1681895005",
"to_ids": false,
"type": "text",
"uuid": "68894fb2-fa01-453b-9af5-015195c38906",
"value": "TaskHostW.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "10",
"timestamp": "1681895042",
"uuid": "6f954c43-b864-43ad-8579-5eda4026a3b7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1681895042",
"to_ids": false,
"type": "text",
"uuid": "8ea48407-6a1b-4233-a836-3d8c6783a85d",
"value": "Svchost.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "10",
"timestamp": "1681895104",
"uuid": "ad1e8e48-20db-488e-95fd-bb75b6f96293",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1681895104",
"to_ids": false,
"type": "text",
"uuid": "6dccd3a5-bbd3-4d7a-9feb-5938f484bff7",
"value": "IpfHelper.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "10",
"timestamp": "1681895119",
"uuid": "77bba20a-f103-402c-9fd6-40fd2641f7f9",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1681895119",
"to_ids": false,
"type": "text",
"uuid": "8ac9b619-8143-4553-9793-2728db1d3e9a",
"value": "SecurityHealthService.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "10",
"timestamp": "1681895145",
"uuid": "ca7257d8-9bdc-459e-9f7f-5cdeecbd549d",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1681895145",
"to_ids": false,
"type": "text",
"uuid": "b30ddce2-82a8-46a9-838c-a019c2549d00",
"value": "ApplicationFrameHost.exe"
}
]
}
]
}
}