2023-12-14 14:30:15 +00:00
{
"type" : "bundle" ,
"id" : "bundle--124008c0-e519-4f1d-b1fd-bd42bfae2198" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-06T07:58:07.000Z" ,
"modified" : "2023-12-06T07:58:07.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--124008c0-e519-4f1d-b1fd-bd42bfae2198" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-06T07:58:07.000Z" ,
"modified" : "2023-12-06T07:58:07.000Z" ,
"name" : "MAR-10478915-1.v1 Citrix Bleed" ,
"published" : "2023-12-06T07:58:30Z" ,
"object_refs" : [
"indicator--5c12b30f-2ece-411a-a2b6-905006a34587" ,
"indicator--84aeb797-4299-4ef7-b7ae-57f916ee5721" ,
"indicator--f6384914-d773-4d7e-b9ed-e1838371c145" ,
"indicator--e9f069da-febc-449d-b923-22793ec3f067" ,
"x-misp-object--dd1e10de-b0f8-4bcf-861b-76fe980f055e" ,
"indicator--49552673-c8ea-50b9-a196-4663a33bfae8" ,
"x-misp-object--a78aa17d-3dd4-483f-ba12-ca977debbc3b" ,
"x-misp-object--9f5db9a7-9ef7-44f8-9189-553c2cc276f5" ,
"x-misp-object--c2abd168-d969-4160-b427-dacaf686f65e" ,
"x-misp-object--4b0f18bd-e09a-408d-9d36-415ca54ad600" ,
"x-misp-object--5e485e81-7e00-42d7-9fc3-5c08690e9206" ,
"x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"indicator--d9f8b89d-305b-4e39-89cc-aad2f4a4a9a1" ,
"x-misp-object--a13bb548-ac3e-49d3-a5e2-a171d5bc2b43" ,
"indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"x-misp-object--d5260841-3693-4b4e-b3f8-bffccc184799" ,
"x-misp-object--5f447be4-9408-4da0-be20-a0a8ef7a2d5b" ,
"x-misp-object--d7c20040-9114-4709-b609-d1f230198e1f" ,
"x-misp-object--ac013608-5fc8-4eb4-93db-82e071ee002b" ,
"x-misp-object--440260c8-b268-471d-af38-b90279d8cd13" ,
"x-misp-object--47c9fa88-b331-4b2e-86e2-64282aab3fe6" ,
"x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"indicator--a2ed1e76-995c-4ac2-96f3-361a818d7bf8" ,
"indicator--272aca0e-f758-5014-b7e6-75a0305837d5" ,
"indicator--e5ef55cc-e9d8-585e-baf5-4bebebe966a3" ,
"x-misp-object--768b3de5-0693-4cf1-9ee9-14d49bb338dd" ,
"x-misp-object--335344d0-7470-4ab8-a1ba-6d5e7474bacb" ,
2024-04-05 12:15:17 +00:00
"relationship--a332942c-adbd-4e03-831d-17686b67db09" ,
"relationship--1f46bbf7-d0df-4d5d-81fb-3ca11c77091a" ,
"relationship--d45711b3-6941-409f-a483-45e42a54c175" ,
"relationship--28bcbae1-371e-4f0c-9454-8d71e99b6866" ,
"relationship--74827f91-ac7c-451e-a124-bda786cae41d" ,
"relationship--aba49575-a6be-4586-93a9-c7bc2f3fbd1f" ,
"relationship--0c34fa91-203c-4d37-8e0e-6c826e213755" ,
"relationship--60e42e89-1228-48b9-973c-6d0a8a1dfe88" ,
"relationship--9634ed7b-8489-4069-9b80-408f1adcd0df" ,
"relationship--1da534cc-f78f-4c35-a1bc-77ea0835758f" ,
"relationship--329248b6-8624-45d1-8a95-8001c41ac645" ,
"relationship--6265ba6f-e649-4072-928a-9c390d0dd7f3" ,
"relationship--014d4e38-b1d1-44de-9c66-5c2f1150da55" ,
"relationship--a5ac1f16-43dd-4492-a265-99c0f7503ed7" ,
"relationship--9a9b4a6e-b294-4d05-a043-f960e385b06f" ,
"relationship--1d5ee2ce-69a6-456e-aa87-91639c4b3444" ,
"relationship--7dde07a4-eb91-462d-b4c5-4fc1ebec9507" ,
"relationship--72b26a67-0da8-45ae-96eb-597df62dfda0" ,
"relationship--f4805af6-ce01-4536-a815-085cb796de33" ,
"relationship--4b96e96d-4d89-403f-a337-73cda0dfa8ad" ,
"relationship--e109b6af-88c7-4380-8040-0de861b2e16d"
2023-12-14 14:30:15 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"tlp:clear" ,
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c12b30f-2ece-411a-a2b6-905006a34587" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"description" : "This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named 'z.txt' located in the path C:\\Windows\\Tasks. Next, a.bat pings the loop back internet protocol (IP) address 127.0.0[.]1 three times. \r\n\r\nThe next command it runs is reg save to save the HKLM\\SYSTEM registry hive into the C:\\Windows\\tasks\\em directory. Again, a.bat pings the loop back address 127.0.0[.]1 one time before executing another reg save command and saves the HKLM\\SAM registry hive into the C:\\Windows\\Task\\am directory. Next, a.bat runs three makecab commands to create three Cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\\Users\\Public\\a.png. The names of the .cab files are as follows:\r\n\r\n--Start names and paths of .cab files created--\r\nc:\\windows\\tasks\\em.cab\r\nc:\\windows\\tasks\\am.cab\r\nc:\\windows\\tasks\\a.cab\r\n--End names and paths of .cab files created--" ,
"pattern" : "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_01 rule_content=rule CISA_10478915_01 : trojan installs_other_components\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"installs-other-components\"\n\t\tmalware_Type = \"trojan\"\n\t\ttool_type = \"information-gathering\"\n\t\tdescription = \"Detects trojan .bat samples\"\n\t\tsha256 = \"98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9\"\n\tstrings:\n\t\t$s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }\n\t\t$s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }\n\t\t$s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }\n\tcondition:\n\t\tall of them\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-11-16T14:40:15.681862Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload installation"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload installation\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--84aeb797-4299-4ef7-b7ae-57f916ee5721" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"description" : "This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console." ,
"pattern" : "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_02 rule_content=rule CISA_10478915_02 : trojan installs_other_components\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"installs-other-components\"\n\t\tmalware_type = \"trojan\"\n\t\ttool_type = \"unknown\"\n\t\tdescription = \"Detects trojan PE32 samples\"\n\t\tsha256 = \"e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068\"\n\tstrings:\n\t\t$s1 = { 57 72 69 74 65 46 69 6c 65 }\n\t\t$s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }\n\t\t$s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }\n\t\t$s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }\n\t\t$s5 = { 64 65 6c 65 74 65 5b 5d }\n\t\t$s6 = { 4e 41 4e 28 49 4e 44 29 }\n\tcondition:\n\t\tuint16(0) == 0x5a4d and pe.imphash() == \"6e8ca501c45a9b85fff2378cffaa24b2\" and pe.size_of_code == 84480 and all of them\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-11-16T14:40:15.71802Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload installation"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload installation\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--f6384914-d773-4d7e-b9ed-e1838371c145" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"description" : "This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\\Users\\Public.\r\n\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path C:\\Windows\\Tasks." ,
"pattern" : "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_03 rule_content=rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"steals-authentication-credentials\"\n\t\tmalware_type = \"trojan\"\n\t\ttool_type = \"credential-exploitation\"\n\t\tdescription = \"Detects trojan DLL samples\"\n\t\tsha256 = \"17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994\"\n\tstrings:\n\t\t$s1 = { 64 65 6c 65 74 65 }\n\t\t$s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }\n\t\t$s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }\n\t\t$s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }\n\t\t$s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }\n\t\t$s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }\n\tcondition:\n\t\tuint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-11-16T14:40:15.77768Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload installation"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload installation\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e9f069da-febc-449d-b923-22793ec3f067" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"description" : "This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword \"hashpasswd\" is present. If the keyword \"hashpasswd\" is not present, then the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script has the ability to execute command line arguments on the remote machine. If there is no command specified, then a default command of \u201cwhoami\u201d is run." ,
"pattern" : "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_04 rule_content=rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"communicates-with-c2\"\n\t\tmalware_type = \"backdoor\"\n\t\ttool_type = \"remote-access\"\n\t\tdescription = \"Detects trojan python samples\"\n\t\tsha256 = \"906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6\"\n\tstrings:\n\t\t$s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 } \n\t\t$s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }\n\t\t$s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }\n\t\t$s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }\n\tcondition:\n\t\tall of them\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-11-16T14:40:15.805722Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload installation"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Payload installation\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--dd1e10de-b0f8-4bcf-861b-76fe980f055e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "antiy" ,
"category" : "Other" ,
"uuid" : "e56e4026-c332-4ac6-a9f1-c184a5224c56"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "1340405c-0885-4eda-8eab-39e03ad3790d"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan/Win64.Malgent" ,
"category" : "Other" ,
"uuid" : "af1bcb04-85d6-4f4e-9422-0599d9c7a43f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"pattern" : "[file:hashes.MD5 = '37f7241963cf8279f7c1d322086a5194' AND file:hashes.SHA1 = 'ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28' AND file:hashes.SHA256 = 'e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068' AND file:hashes.SHA512 = '02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7' AND file:hashes.SSDEEP = '3072:u8txkT6wDLf/p3ufznQbCQVlvxxV5hmWIh:NgpDbZufLQpjxJ9U' AND file:name = 'a.exe' AND file:size = '145920']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-09-26T14:42:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a78aa17d-3dd4-483f-ba12-ca977debbc3b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "avira" ,
"category" : "Other" ,
"uuid" : "3719ef1f-9874-4eba-afff-cf4ec794bb84"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "27afc559-0f7f-45e2-b7ab-2287e46e7939"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "TR/Redcap.sbphc" ,
"category" : "Other" ,
"uuid" : "c32e41c8-f249-44b2-82dd-0f0c091cf8c3"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--9f5db9a7-9ef7-44f8-9189-553c2cc276f5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "bitdefender" ,
"category" : "Other" ,
"uuid" : "2b5e1307-de50-49ce-92d3-fb1ef2eed196"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "93d920e2-229a-49f9-b42c-e1aa84ac7d02"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.GenericKD.70103917" ,
"category" : "Other" ,
"uuid" : "188ed091-b1be-4805-8bda-4b8fcdda14c3"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--c2abd168-d969-4160-b427-dacaf686f65e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "emsisoft" ,
"category" : "Other" ,
"uuid" : "6d74d82f-4588-41b8-9e70-e50413c5e559"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "73ea4713-bfb3-4502-8e2d-2647e5bed92f"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.GenericKD.70103917 (B)" ,
"category" : "Other" ,
"uuid" : "136a18fc-ea48-465e-b960-9db4d00cb2e4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--4b0f18bd-e09a-408d-9d36-415ca54ad600" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "ikarus" ,
"category" : "Other" ,
"uuid" : "1386b0be-1993-4a66-86a5-09999b28b9ac"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "094a9625-2213-45d2-a517-13e4af80e0fd"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.Win64.Malgent" ,
"category" : "Other" ,
"uuid" : "1a697bc2-84bd-456d-91ae-5a0d7fc7e66a"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5e485e81-7e00-42d7-9fc3-5c08690e9206" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "k7" ,
"category" : "Other" ,
"uuid" : "5c249117-0ae0-4e4b-9343-60046af8f7b3"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "ca34df49-20cb-4d20-aa7f-897240cff51d"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Riskware ( 00584baa1 )" ,
"category" : "Other" ,
"uuid" : "e9cc610a-d65e-46b3-9abf-462597ba1b15"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console." ,
"category" : "Other" ,
"uuid" : "b8d927d5-bf1d-4875-935a-f27eceb11bc8"
} ,
{
"type" : "boolean" ,
"object_relation" : "is_family" ,
"value" : "0" ,
"category" : "Other" ,
"uuid" : "c41d1151-7227-43e8-8582-0ecd9b86ef85"
} ,
{
"type" : "text" ,
"object_relation" : "malware_type" ,
"value" : "trojan" ,
"category" : "Other" ,
"uuid" : "8899c605-306d-417c-970d-dfc5a3ec733c"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d9f8b89d-305b-4e39-89cc-aad2f4a4a9a1" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"pattern" : "[file:hashes.MD5 = '37f7241963cf8279f7c1d322086a5194' AND file:hashes.SHA1 = 'ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28' AND file:hashes.SHA256 = 'e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068' AND file:hashes.SHA512 = '02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-11-16T14:40:15.726853Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a13bb548-ac3e-49d3-a5e2-a171d5bc2b43" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "antiy" ,
"category" : "Other" ,
"uuid" : "de6ded26-c0d2-4867-87ef-3bf9858fb5a1"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "a4b10d9b-0820-4db6-b8cb-6ff557deafaf"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan/Win64.Agent" ,
"category" : "Other" ,
"uuid" : "6a08a2a6-8d6f-42a9-b3a6-04127c8d17f5"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"pattern" : "[file:hashes.MD5 = '206b8b9624ee446cad18335702d6da19' AND file:hashes.SHA1 = '364ef2431a8614b4ef9240afa00cd12bfba3119b' AND file:hashes.SHA256 = '17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994' AND file:hashes.SHA512 = 'efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d' AND file:hashes.SSDEEP = '3072:oCNLoO2N+p5Fm6nfZvD8sLVdN9dtFiokDFMYLcu:j1o/+34YRvDtFiwu' AND file:name = 'a.dll' AND file:size = '106496']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-09-26T14:42:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d5260841-3693-4b4e-b3f8-bffccc184799" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "bitdefender" ,
"category" : "Other" ,
"uuid" : "175ea164-a465-4ea5-9ebb-43d50975ab17"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "56987a54-4a92-461b-a1fa-7ac580f82386"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.GenericKD.70057986" ,
"category" : "Other" ,
"uuid" : "ef81de8d-8237-4166-aa79-2d008cd5c687"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5f447be4-9408-4da0-be20-a0a8ef7a2d5b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "eset" ,
"category" : "Other" ,
"uuid" : "f2795ce7-a785-4b2f-9118-f2d061dd366c"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "94857e60-ef39-4849-ba72-27c5896ce23d"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "a variant of Win64/Agent.DAU trojan" ,
"category" : "Other" ,
"uuid" : "b864d2b9-1b43-43af-9d8d-1b7ec4602c5d"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d7c20040-9114-4709-b609-d1f230198e1f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "emsisoft" ,
"category" : "Other" ,
"uuid" : "5e7db3af-a26c-4fb6-823a-33bf14ebea55"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "c0bedb4e-8f70-4ffa-a32e-ed12033e3586"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.GenericKD.70057986 (B)" ,
"category" : "Other" ,
"uuid" : "4c29d389-c8f3-42b1-9bc3-63c9264dfef9"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ac013608-5fc8-4eb4-93db-82e071ee002b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "ikarus" ,
"category" : "Other" ,
"uuid" : "b2c7f3a1-a4c1-4e92-ad00-48911fc951bd"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "6bd79472-5c1a-4d8f-b32e-ea3cea81ad4b"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.Win64.Agent" ,
"category" : "Other" ,
"uuid" : "510a5a69-3a9d-492c-bf30-76076efb9223"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--440260c8-b268-471d-af38-b90279d8cd13" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "k7" ,
"category" : "Other" ,
"uuid" : "423d5543-727a-436a-9e19-93fb8c4e9d16"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "74d83513-4a59-4a64-9ba3-2b23e87e8372"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan ( 005ad67a1 )" ,
"category" : "Other" ,
"uuid" : "f1a22b3d-065d-415c-9043-a471caeb9ac7"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--47c9fa88-b331-4b2e-86e2-64282aab3fe6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware-analysis\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "product" ,
"value" : "zillya" ,
"category" : "Other" ,
"uuid" : "d6a5488c-de7b-401b-b173-5468b4cbc8c8"
} ,
{
"type" : "text" ,
"object_relation" : "result" ,
"value" : "unknown" ,
"category" : "Other" ,
"uuid" : "faf62d2a-a099-46e6-a11e-e06dfe9bea98"
} ,
{
"type" : "text" ,
"object_relation" : "result_name" ,
"value" : "Trojan.Agent.Win64.39686" ,
"category" : "Other" ,
"uuid" : "03b42e19-53cc-4129-8d59-b2030e4e7f3f"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware-analysis"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"labels" : [
"misp:name=\"malware\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "text" ,
"object_relation" : "description" ,
"value" : "This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path %PUBLIC%\\\r\n\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path %WINDIR%\\Tasks." ,
"category" : "Other" ,
"uuid" : "c1efdcae-341a-4853-bfe8-8afd18768fab"
} ,
{
"type" : "boolean" ,
"object_relation" : "is_family" ,
"value" : "0" ,
"category" : "Other" ,
"uuid" : "cfd418f1-654f-4bcd-abde-468a9a45f286"
} ,
{
"type" : "text" ,
"object_relation" : "malware_type" ,
"value" : "trojan" ,
"category" : "Other" ,
"uuid" : "aefb1011-3950-4b71-baff-f2f8fd37f8fb"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "malware"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a2ed1e76-995c-4ac2-96f3-361a818d7bf8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-09-26T14:42:27.000Z" ,
"modified" : "2023-09-26T14:42:27.000Z" ,
"pattern" : "[file:hashes.MD5 = '206b8b9624ee446cad18335702d6da19' AND file:hashes.SHA1 = '364ef2431a8614b4ef9240afa00cd12bfba3119b' AND file:hashes.SHA256 = '17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994' AND file:hashes.SHA512 = 'efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-11-16T14:40:15.784715Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--272aca0e-f758-5014-b7e6-75a0305837d5" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"pattern" : "[file:hashes.MD5 = '52d5e2a07cd93c14f1ba170e3a3d6747' AND file:hashes.SHA1 = '8acaf9908229871ab33033df7b6a328ec1db56d5' AND file:hashes.SHA256 = '98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9' AND file:hashes.SHA512 = '317414f28d34f8295aa76cf9f39d4fd42c9bad292458dbd2a19f08a6a8b451e271179b7ef78afd8a2fe92a2e1103d9ef5e220557febf42d91900c268b8d61b69' AND file:hashes.SSDEEP = '6:halw5fwmUDXSLp8k7KdXSLp8kukK7va2RK4HvEEIVpmYY:sMULS98QAS98kuZ7XPcK3' AND file:name = 'a.bat' AND file:size = '376']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-12-06T07:53:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e5ef55cc-e9d8-585e-baf5-4bebebe966a3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"pattern" : "[file:hashes.MD5 = '9cff554fa65c1b207da66683b295d4ad' AND file:hashes.SHA1 = 'b8e74921d7923c808a0423e6e46807c4f0699b6e' AND file:hashes.SHA256 = '906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6' AND file:hashes.SHA512 = '131621770e1899d81e6ff312b3245fe4e4013c36f82818a82fdd319982e6b742a72d906b6fb86c422bb720cd648f927b905a8fc193299ad7d8b3947e766abbd3' AND file:hashes.SSDEEP = '48:BpsnUP6s3ceBg5YbFYNXEtUyzzYyUyh0+FVzYA6P+Fqbaug9trYhTHhIQG86w09:BuUP6sseBIOqXEvpcrb89Z2THCQ6P' AND file:name = 'a.py' AND file:size = '2645']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2023-12-06T07:53:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--768b3de5-0693-4cf1-9ee9-14d49bb338dd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-06T07:54:21.000Z" ,
"modified" : "2023-12-06T07:54:21.000Z" ,
"labels" : [
"misp:name=\"original-imported-file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_attributes" : [
{
"type" : "attachment" ,
"object_relation" : "imported-sample" ,
"value" : "MAR-10478915.r1.v1.CLEAR_stix2.json" ,
"category" : "External analysis" ,
"uuid" : "611ece1d-d27b-4277-b483-9bbf62e8bcd8" ,
"data" : " e w o g I C A g I n R 5 c G U i O i A i Y n V u Z G x l I i w K I C A g I C J p Z C I 6 I C J i d W 5 k b G U t L T Z i O D V j M D c 2 L W U z N D I t N D I y N y 1 i O G M 3 L T E 1 Z G V l Y j k y Z j I 3 N y I s C i A g I C A i b 2 J q Z W N 0 c y I 6 I F s K I C A g I C A g I C B 7 C i A g I C A g I C A g I C A g I C J 0 e X B l I j o g I m l k Z W 50 a X R 5 I i w K I C A g I C A g I C A g I C A g I n N w Z W N f d m V y c 2 l v b i I 6 I C I y L j E i L A o g I C A g I C A g I C A g I C A i a W Q i O i A i a W R l b n R p d H k t L T h l M T E y Z T c y L W F h O G Y t N D E 5 M C 1 h M z U 5 L T I 4 Y T l h Y m F l M j g 5 N i I s C i A g I C A g I C A g I C A g I C J j c m V h d G V k X 2 J 5 X 3 J l Z i I 6 I C J p Z G V u d G l 0 e S 0 t N D J h Y z N j O T I t N j B k M i 0 0 M T h m L W J h O G U t O D M 4 O T Q 0 Z T Y x M T B i I i w K I C A g I C A g I C A g I C A g I m N y Z W F 0 Z W Q i O i A i M j A y M y 0 w N C 0 x M l Q x N z o 1 M z o w O S 42 N D Z a I i w K I C A g I C A g I C A g I C A g I m 1 v Z G l m a W V k I j o g I j I w M j M t M D Q t M T J U M T c 6 N T M 6 M D k u N j Q 2 W i I s C i A g I C A g I C A g I C A g I C J u Y W 1 l I j o g I k d l b W l u a V B y b 2 R 1 Y 3 R p b 25 f Q 0 1 B I i w K I C A g I C A g I C A g I C A g I m R l c 2 N y a X B 0 a W 9 u I j o g I k N 5 Y m V y c 2 V j d X J p d H k g Y W 5 k I E l u Z n J h c 3 R y d W N 0 d X J l I F N l Y 3 V y a X R 5 I E F n Z W 5 j e S B Q c m 9 k d W N 0 a W 9 u I E l k Z W 50 a X R 5 L i B D b 2 R l I G F u Z C B N Z W R p Y S B B b m F s e X N p c y 4 i L A o g I C A g I C A g I C A g I C A i a W R l b n R p d H l f Y 2 x h c 3 M i O i A i c 3 l z d G V t I i w K I C A g I C A g I C A g I C A g I m N v b m Z p Z G V u Y 2 U i O i A x M D A s C i A g I C A g I C A g I C A g I C J s Y W 5 n I j o g I m V u I i w K I C A g I C A g I C A g I C A g I m 9 i a m V j d F 9 t Y X J r a W 5 n X 3 J l Z n M i O i B b C i A g I C A g I C A g I C A g I C A g I C A i b W F y a 2 l u Z y 1 k Z W Z p b m l 0 a W 9 u L S 1 i Y W I 0 Y T Y z Y y 1 h Z W Q 5 L T R j Z j U t Y T c 2 N i 1 k Z m N h N W F i Y W M y Y m I i C i A g I C A g I C A g I C A g I F 0 K I C A g I C A g I C B 9 L A o g I C A g I C A g I H s K I C A g I C A g I C A g I C A g I n R 5 c G U i O i A i Z m l s Z S I s C i A g I C A g I C A g I C A g I C J z c G V j X 3 Z l c n N p b 24 i O i A i M i 4 x I i w K I C A g I C A g I C A g I C A g I m l k I j o g I m Z p b G U t L T I 3 M m F j Y T B l L W Y 3 N T g t N T A x N C 1 i N 2 U 2 L T c 1 Y T A z M D U 4 M z d k N S I s C i A g I C A g I C A g I C A g I C J o Y X N o Z X M i O i B 7 C i A g I C A g I C A g I C A g I C A g I C A i T U Q 1 I j o g I j U y Z D V l M m E w N 2 N k O T N j M T R m M W J h M T c w Z T N h M 2 Q 2 N z Q 3 I i w K I C A g I C A g I C A g I C A g I C A g I C J T S E E t M S I 6 I C I 4 Y W N h Z j k 5 M D g y M j k 4 N z F h Y j M z M D M z Z G Y 3 Y j Z h M z I 4 Z W M x Z G I 1 N m Q 1 I i w K I C A g I C A g I C A g I C A g I C A g I C J T S E E t M j U 2 I j o g I j k 4 Z T c 5 Z j k 1 Y 2 Y 4 Z G U 4 Y W N l O D h i Z j I y M z Q y M W R i N W R j Z T M w M 2 I x M T I x N T J k N j Z m Z m R m M j d l Y m R m Y 2 R m O T Y 3 Z T k i L A o g I C A g I C A g I C A g I C A g I C A g I l N I Q S 0 1 M T I i O i A i M z E 3 N D E 0 Z j I 4 Z D M 0 Z j g y O T V h Y T c 2 Y 2 Y 5 Z j M 5 Z D R m Z D Q y Y z l i Y W Q y O T I 0 N T h k Y m Q y Y T E 5 Z j A 4 Y T Z h O G I 0 N T F l M j c x M T c 5 Y j d l Z j c 4 Y W Z k O G E y Z m U 5 M m E y Z T E x M D N k O W V m N W U y M j A 1 N T d m Z W J m N D J k O T E 5 M D B j M j Y 4 Y j h k N j F i N j k i L A o g I C A g I C A g I C A g I C A g I C A g I l N T R E V F U C I 6 I C I 2 O m h h b H c 1 Z n d t V U R Y U 0 x w O G s 3 S 2 R Y U 0 x w O G t 1 a 0 s 3 d m E y U k s 0 S H Z F R U l W c G 1 Z W T p z T V V M U z k 4 U U F T O T h r d V o 3 W F B j S z M i C i A g I C A g I C A g I C A g I H 0 s C i A g I C A g I C A g I C A g I C J z a X p l I j o g M z c 2 L A o g I C A g I C A g I C A g I C A i b m F t Z S I 6 I C J h L m J h d C I s C i A g I C A g I C A g I C A g I C J v Y m p l Y 3 R f b W F y a 2 l u Z 19 y Z W Z z I j o g W w o g I C A g I C A g I C A g I C A g I C A g I m 1 h c m t p b m c t Z G V m a W 5 p d G l v b i 0 t O T Q 4 N j h j O D k t O D N j M i 0 0 N j R i L T k y O W I t Y T F h O G F h M 2 M 4 N D g 3 I g o g I C A g I C A g I C A g I C B d C i A g I C A g I C A g f S w K I C A g I C A g I C B 7 C i A g I C A g I C A g I C A g I C J 0 e X B l I j o g I m l u Z G l j Y X R v c i I s C i A g I C A g I C A g I C A g I C J z c G V j X 3 Z l c n N p b 24 i O i A i M i 4 x I i w K I C A g I C A g I C A g I C A g I m l k I j o g I m l u Z G l j Y X R v c i 0 t N W M x M m I z M G Y t M m V j Z S 0 0 M T F h L W E y Y j Y t O T A 1 M D A 2 Y T M 0 N T g 3 I i w K I C A g I C A g I C A g I C A g I m N y Z W F 0 Z W R f Y n l f c m V m I j o g I m l k Z W 50 a X R 5 L S 0 4 Z T E x M m U 3 M i 1 h Y T h m L T Q x O T A t Y T M 1 O S 0 y O G E 5 Y W J h Z T I 4 O T Y i L A o g I C A g I C A g I C A g I C A i Y 3 J l Y X R l Z C I 6 I C I y M D I z L T A 5 L T I 2 V D E 0 O j Q y O j I 3 L j A w M F o i L A o g I C A g I C A g I C A g I C A i b W 9 k a W Z p Z W Q i O i A i M j A y M y 0 w O S 0 y N l Q x N D o 0 M j o y N y 4 w M D B a I i w K I C A g I C A g I C A g I C A g I m 5 h b W U i O i A i Y S 5 i Y X Q i L A o g I C A g I C A g I C A g I C A i b 2 J q Z W N 0 X 21 h c m t p b m d f c m V m c y I 6 I F s K I C A g I C A g I C A g I C A g I C A g I C J t Y X J r a W 5 n L W R l Z m l u a X R p b 24 t L T k 0 O D Y 4 Y z g 5 L T g z Y z I t N D Y 0 Y i 0 5 M j l i L W E x Y T h h Y T N j O D Q 4 N y I K I C A g I C A g I C A g I C A g X S w K I C A g I C A g I C A g I C A g I m R l c 2 N y a X B 0 a W 9 u I j o g I l R o a X M g Z m l s Z S B p c y B h I F d p b m R v d 3 M g Y m F 0 Y 2 g g Z m l s Z S B j Y W x s Z W Q g Y S 5 i Y X Q g d G h h d C B p c y B 1 c 2 V k I H R v I G V 4 Z W N 1 d G U g d G h l I G Z p b G U g Y 2 F s b G V k I G E u Z X h l I H d p d G g g d G h l I G Z p b G U g Y 2 F s b G V k I G E u Z G x s I G F z I G F u I G F y Z 3 V t Z W 50 L i A g V G h l I G 91 d H B 1 d C B p c y B w c m l u d G V k I H R v I G E g Z m l s Z S B u Y W 1 l Z C A n e i 50 e H Q n I G x v Y 2 F 0 Z W Q g a W 4 g d G h l I H B h d G g g Q z p c X F d p b m R v d 3 N c X F R h c 2 t z L i A g T m V 4 d C w g Y S 5 i Y X Q g c G l u Z 3 M g d G h l I G x v b 3 A g Y m F j a y B p b n R l c m 5 l d C B w c m 90 b 2 N v b C A o S V A p I G F k Z H J l c 3 M g M T I 3 L j A u M F s u X T E g d G h y Z W U g d G l t Z X M u I F x y X G 5 c c l x u V G h l I G 5 l e H Q g Y 29 t b W F u Z C B p d C B y d W 5 z I G l z I H J l Z y B z Y X Z l I H R v I H N h d m U g d G h l I E h L T E 1 c X F N Z U 1 R F T S B y Z W d p c 3 R y e S B o a X Z l I G l u d G 8 g d G h l I E M 6 X F x X a W 5 k b 3 d z X F x 0 Y X N r c 1 x c Z W 0 g Z G l y Z W N 0 b 3 J 5 L i A g Q W d h a W 4 s I G E u Y m F 0 I H B p b m d z I H R o Z S B s b 29 w I G J h Y 2 s g Y W R k c m V z c y A x M j c u M C 4 w W y 5 d M S B v b m U g d G l t Z S B i Z W Z v c m U g Z X h l Y 3 V 0 a W 5 n I G F u b 3 R o Z X I g c m V n I H N h d m U g Y 29 t b W F u Z C B h b m Q g c 2 F 2 Z X M g d G h l I E h L T E 1 c X F N B T S B y Z W d p c 3 R y e S B o a X Z l I G l u d G 8 g d G h l I E M 6 X F x X a W 5 k b 3 d z X F x U Y X N r X F x h b S B k a X J l Y 3 R v c n k u I C B O Z X h 0 L C B h L m J h d C B y d W 5 z I H R o c m V l I G 1 h a 2 V j Y W I g Y 29 t b W F u Z H M g d G 8 g Y 3 J l Y X R l I H R o c m V l I E N h Y m l u Z X Q g K C 5 j Y W I p I G Z p b G V z I G Z y b 20 g d G h l I H B y Z X Z p b 3 V z b H k g b W V u d G l v b m V k I H N h d m V k I H J l Z 2 l z d H J 5 I G h p d m V z I G F u Z C B v b m U g Z m l s Z S B u Y W 1 l Z C B D O l x c V X N l c n N c X F B 1 Y m x p Y 1 x c Y S 5 w b m c u I C B U a G U g b m F t Z X M g b 2 Y g d G h l I C 5 j Y W I g Z m l s Z X M g Y X J l I G F z I G Z v b G x v d 3 M 6 X H J c b l x y X G 4 t L V N 0 Y X J 0 I G
} ,
{
"type" : "text" ,
"object_relation" : "format" ,
"value" : "STIX 2.1" ,
"category" : "Other" ,
"uuid" : "43ab5514-2e2c-428f-8155-b301232a2e14"
}
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "original-imported-file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--335344d0-7470-4ab8-a1ba-6d5e7474bacb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2023-12-06T07:57:38.000Z" ,
"modified" : "2023-12-06T07:57:38.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://www.cisa.gov/news-events/analysis-reports/ar23-325a" ,
"category" : "External analysis" ,
"uuid" : "70f27681-b669-4b90-bed0-79d7100828a8"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempts to establish sessions via Windows Remote Management (WinRM). The files include:\r\n\r\n Windows Batch file (.bat)\r\n Windows Executable (.exe)\r\n Windows Dynamic Link Library (.dll)\r\n Python Script (.py)\r\n\r\nFor more information about this vulnerability, see Joint Cybersecurity Advisory #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability." ,
"category" : "Other" ,
"uuid" : "d6e0cd97-4c9f-47d6-be1c-508fa062fca8"
} ,
{
"type" : "attachment" ,
"object_relation" : "report-file" ,
"value" : "MAR-10478915.r1.v1.CLEAR_.pdf" ,
"category" : "External analysis" ,
"uuid" : "fc29a335-d2a8-402e-8a39-77e9c1995024" ,
"data" : " J V B E R i 0 x L j Y N J e L j z 9 M N C j k w I D A g b 2 J q D T w 8 L 0 x p b m V h c m l 6 Z W Q g M S 9 M I D U 2 M D Q 3 M C 9 P I D k y L 0 U g M j k 2 M j U x L 0 4 g O C 9 U I D U 2 M D A 5 M i 9 I I F s g N D g 2 I D I 2 M V 0 + P g 1 l b m R v Y m o N I C A g I C A g I C A g I C A g I C A g I A 0 x M D g g M C B v Y m o N P D w v R G V j b 2 R l U G F y b X M 8 P C 9 D b 2 x 1 b W 5 z I D U v U H J l Z G l j d G 9 y I D E y P j 4 v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 l E W z x D N k E 3 N z E 3 R U E 3 N T B C R E Q 5 M D k 4 N j g 5 M j l D N D Y 5 R j I w M z 48 Q z Y 4 R D N G N 0 M 2 N D I z N E N D R E F E M T g 4 M z Z F Q j A y M k Y y O T Q + X S 9 J b m R l e F s 5 M C A y O F 0 v T G V u Z 3 R o I D k 2 L 1 B y Z X Y g N T Y w M D k z L 1 J v b 3 Q g O T E g M C B S L 1 N p e m U g M T E 4 L 1 R 5 c G U v W F J l Z i 9 X W z E g M y A x X T 4 + c 3 R y Z W F t D Q p o 3 m J i Z G A Q Y G B i Y G C 6 D S I Z 9 U E k w 3 Y Q y e I O I p k r w a Q O W M Q f r P I l W I Q L L L I C z N 4 M J B l f H A f L 8 o P I / D A Q q a Q I I r k n g 8 i g P U D y P 3 c d A x P Q R r A J Q N u I I v 8 z M H b + B A g w A L 0 e D y E N Z W 5 k c 3 R y Z W F t D W V u Z G 9 i a g 1 z d G F y d H h y Z W Y N M A 0 l J U V P R g 0 g I C A g I C A g I C A N M T E 3 I D A g b 2 J q D T w 8 L 0 Z p b H R l c i 9 G b G F 0 Z U R l Y 29 k Z S 9 M Z W 5 n d G g g M T g 1 L 1 M g M T U 3 P j 5 z d H J l Y W 0 N C m j e Y m B g Y G Z g Y B J l Y G F g E A 9 n E G Z A A G G g G C s Q c 1 w Q E F D o j X R g j p F 7 y W C 48 O 42 B g Z B + w j W a 5 n T Z s 4 E K m N S n C J 0 d W d j j 8 q 0 t W e 4 I r a b G P X A u T y J K l v z E l I l V F c X M 7 B 3 d D A w V H Q 0 u L h 3 d M D Y S u o d H S w u Q A Z I F o s N Q N O l G D j a f g N p A b C D Q G A 7 g x C Q 1 G T g 5 m A q Z V j G o K z A 6 c P 0 k a G e r 5 C B N S F v P k d U w 9 y D H m J 9 f Q x O B 9 g d m A q A S g E C D A B 1 W D m g D W V u Z H N 0 c m V h b Q 1 l b m R v Y m o N O T E g M C B v Y m o N P D w v U G F n Z X M g O D k g M C B S L 1 R 5 c G U v Q 2 F 0 Y W x v Z z 4 + D W V u Z G 9 i a g 0 5 M i A w I G 9 i a g 0 8 P C 9 D b 250 Z W 50 c 1 s 5 N C A w I F I g O T U g M C B S I D k 2 I D A g U i A 5 N y A w I F I g O T g g M C B S I D k 5 I D A g U i A x M D A g M C B S I D E w M i A w I F J d L 0 N y b 3 B C b 3 h b M C A w I D Y x M i A 3 O T J d L 0 1 l Z G l h Q m 94 W z A g M C A 2 M T I g N z k y X S 9 Q Y X J l b n Q g O D k g M C B S L 1 J l c 291 c m N l c y A x M D k g M C B S L 1 J v d G F 0 Z S A w L 1 R 5 c G U v U G F n Z T 4 + D W V u Z G 9 i a g 0 5 M y A w I G 9 i a g 0 8 P C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v R m l y c 3 Q g N j U v T G V u Z 3 R o I D c 0 N S 9 O I D g v V H l w Z S 9 P Y m p T d G 0 + P n N 0 c m V h b Q 0 K a N 68 V W 1 r 2 z A Q / i v 6 X o L e L L 9 A C S T u Q g P t V h q z F U I + u I 5 I P e w 42 O 7 o / v 3 u J L 8 W L 2 R l W 8 R F y t 3 p 0 S l 6 H o m z g D D C O Z g S 0 H P C P T A u i A y w l 8 R 3 X O g d w p m L D g U J E j 1 g g V L k + p q G R V a U m 1 O c a P x R c Q P H y O N 8 T l f F s Q Z n F F l M c M J Y G D w 7 l g b J J j + U R b L R 9 Z Y + 3 K x o p N 9 q u s 7 j g 17 a L r T d e k e f v j x / 1 w n i r n P A Z d x g r X P A Z Z 7 F m s + 3 d B 2 G y 7 j S e / A q 9 O 5 g w q J K 9 L E m A V N 0 8 e P w L d 3 X L 8 T x A h r G p 1 u d H l 5 q 4 n G X 3 m i b N h N c 0 F U W H y o i h d n L c l m 8 b W e u 8 M l M e i 4 R j D E s g O 9 M d J V m G o s w G z K e z 3 G u 6 Q I / y 6 t F m c b Z b F l k + / u I r u s 4 S 5 P F 8 Z B p w u i d j v f p 8 U C k p P f x m y 0 L s e m m 1 v l X S I h + n r Q B x N L K 9 F Q X J X 1 q K l Y 8 m M 9 h b 7 h Z T J l c 79 M x K X A J w E 8 e i z w + d o 5 V W l Z 1 + B K X 7 R 77 J Q w f c C t 3 c Z P C h a C b 1 + c a y 4 n K V 23 q 6 o q j p v J q K z w f t i L h n 8 V j x u Y J P H z 0 o V k f j j C T E a X c i 6 y f y 4 h r S k P c o b m u Z y I e 4 O J v i 28 i 4 P V h v q 0E89 q c b o 6 J B I 7 T x O 0 K f c M K 0 D f s s S I c o / V 7 w Z H v B 13 E I k n w D O f g 2 O v 3 z 9 j O H O M k R R 3 + p x R 1 F V B U q J a i z B 1 T V E 5 Q N L S U + R / s 7 J f 6 K D H l m J i C 8 w u J C Q e h V P O n 24 P m c N O 11 D S H 5 D u k p T D 2 a J d S t M 1 n B g V p A 9 e D s n x C z p 3 h K T D A + B G m Z S r G f 8 d V H C N b W + y W g 4 M S z B a 78 h g b l d m N c X 0 w j G O P a 0 8 p z 8 T b e c y q y m A 2 J q V D 2 u + / 2 a R i 5 F + 15 t h H y v M U 65 W n g q H y X F c M l A d 5E8 o T o K 2 Z A y 8E91 B 5 w h N j 5 T k T y r u 5 i t J c V z M j g H f q 6 y T H P c G N 5 G 6 B p Y 32 O B N n 1 e c o Z 0 J 94 + U + q k D 17 m n g / i U K V O c P w 8 a H t D p n 49 Z f 7 W x w e b e P h n k A / K B / Q B q p X U q T 9752 / T 5 m r / B f A g w A y E x N 0 g 1 l b m R z d H J l Y W 0 N Z W 5 k b 2 J q D T k 0 I D A g b 2 J q D T w 8 L 0 Z p b H R l c i 9 G b G F 0 Z U R l Y 29 k Z S 9 M Z W 5 n d G g g O D I w P j 5 z d H J l Y W 0 N C k i J r F V N b 9 N A E L 37 V 4 w 4 O Q e m + / 3 B D d p K I F W o B U s c K I c o J C K o S d o k R e q / Z 3 a T 3 d p e t 2 k J i R R P 7 J n 33 r z d H d / B F d y B E q i c k g 6 U F y i d s a C F R 825 B Y F W w 3 o K 32 A J J 6 c b D p M N M D T x Y 4 e i a j N 5 C d 6 s S y y 0 Q + e V 7 i Z W r y G G N v H T e D t i r U A p D 5 o 74 A P 9 e a a d E y p E M n x i p I 0 z w g U a r V A 4 L n T A Q M k U 9 c c t W u 4 I T S F T w t s O l R T 8 a C r C Q K m 9 O k D F P T u a i j C Q B c 8 O U N F K h o s Z Y F J U b v R g 1 G G y G r 0 h A i 1 p G R l B D T M Z H i 9 D P b 2 U y X D 0 t C s O M Y W 1 P J J J W X T W + U N M U h 7 N J C U 62 h O H m L g / m o l 7 t F 4 e I m L 6 a C K m w 4 B 4 n s d F 54 T 8 d x o n U W v X d k 4 I 5 J 4 r / k j E m Q 1 M n A L 3 q g k Y m K g Y t T L + k Y m h p H k k u a B n B k P 0 S K V I n q W p F S h p s f p k 8 R u m m 9 H o w g i g X N T e 2 g j F J V H S Q T V d + c p Z s E q C U V A g 8 v g l x N A l G i 6 d i B z 5 D x X T 3 K a p R Q h o m R P V Z A E f G m q C M c a h o Q Z 3 B f G 3 W c B J 0 w T I Z g Z 1 c 3 H 5 D k 4 v z t 9 / G U H z G 84 b k t O Z 9 T J M n W C E 1 C j p o P A c 5 H l / O V 1 P p r f b + / E N r O d U G x O o 8 c C W 4 o h n a B d E P O Y 9 k M a T T w s O Z y u 4 q p K v k r 3 Y 1 g B E A 9 I d s l X q I 12 V B M + Y + S + u 0 h 4 O I 9 + B L 96 W q c G n 9 Q Q 5 N i K g s c J C S 4 + o n t X z e b W d z + a T 8 X a + W n Y V a Z q g 4 Y 3 P T L a o G p B E 72 d F + 8 H H O / m P t i i E J X e 18 b Q E N F B 2 k l p C q p 0 Q s R P y n a w Z w V u G H O p f M b B Q z 2 M g o N 7 A C G K w j n c k 1 N O U c 7 s L q n q V 7 u S c 7 b 4 o F Z d w t 0 X N a l T t 7 v z J 2 T 9 T U u b M d x L O m 3 A 1 U I / T g z 1 D 1 e J M O a l m t r + W u g u 9 y 9 T j 0 z W L F G Q J 2 z 5 K L l q m H n P u T c o p j L k v m P K j V V K 1 m f b a 7 n D 1 K R 5 G N I 1 Q Q Y 295 W m i r P b 6 T / s + n y W Q / v K 3 e t k L r b I B 2 Z p p I a q / Q 7 L s W e d B V X 8 s T C x R c 4 f j g q e 1 Y a q Y 8 j X g t o s n p d F 54 Z L K h y T z u k 49 Z k O y w I R 8 P e p v p y x i V f i 7 S b q W R U 7 f o q E j A 90 j U w 0 c m V R e e k P 74 Q f A X w E G A I y P o / Y N Z W 5 k c 3 R y Z W F t D W V u Z G 9 i a g 0 5 N S A w I G 9 i a g 0 8 P C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v T G V u Z 3 R o I D c 0 M z 4 + c 3 R y Z W F t D Q p I i a R W Q W / T U A y + + 1 f 4 m E o s a 9 K k S b j B m I Q Q B x i R d k A c 2 F s 7 p i 5 t W R o Q / 540 j Z 3 O X 5 J u o E r t 67 O f 32 f 7 s / 3 y D 3 y Z 8 + f 685 P j h O N 4 z v E 0 4 W B K j w u + 5 j W f X 5 Q B u 5 K n z a d 0 t V 7 q p 1 G U R l m z o 3 / i x A / D Z B 7 V N l J / H k Y p u 4 L f 5 h w 0 a s 0 35 Q W f 53 l Y / 8 u X / J W 93 x M + m / o h e 9 + b R c L e Y 7 O Y H S 1 U t J b F b s L 1 I f L u 5 f R C J C U 3 I v Y 2 s r N s N 0 S A 1 v 7 w h B r R S u 2 p 7 F Y W c l x R 6 Z V 3 s m g t U 6 e j p 9 H w n T U 8 g g t P L 62 X e m U B U Y N g b e A m w e B Q t L P w 7 i d k w C w G g / U D V G z 4 q M c 532 Q s b w R B n z l R e X c w Q t 57 s f Z l L 5 l 1 G o p t A 0 a U M + t O h 556 L x o L i A / a V R d L 9 X E 0 x z
} ,
{
"type" : "text" ,
"object_relation" : "case-number" ,
"value" : "AR23-325A" ,
"category" : "Other" ,
"uuid" : "9670f0e7-37af-4838-be8b-5f0eb23511ce"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--a332942c-adbd-4e03-831d-17686b67db09" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--dd1e10de-b0f8-4bcf-861b-76fe980f055e" ,
"target_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--1f46bbf7-d0df-4d5d-81fb-3ca11c77091a" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "sample-of" ,
"source_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8" ,
"target_ref" : "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--d45711b3-6941-409f-a483-45e42a54c175" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--a78aa17d-3dd4-483f-ba12-ca977debbc3b" ,
"target_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--28bcbae1-371e-4f0c-9454-8d71e99b6866" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--9f5db9a7-9ef7-44f8-9189-553c2cc276f5" ,
"target_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--74827f91-ac7c-451e-a124-bda786cae41d" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--c2abd168-d969-4160-b427-dacaf686f65e" ,
"target_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--aba49575-a6be-4586-93a9-c7bc2f3fbd1f" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--4b0f18bd-e09a-408d-9d36-415ca54ad600" ,
"target_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--0c34fa91-203c-4d37-8e0e-6c826e213755" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--5e485e81-7e00-42d7-9fc3-5c08690e9206" ,
"target_ref" : "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--60e42e89-1228-48b9-973c-6d0a8a1dfe88" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"target_ref" : "indicator--272aca0e-f758-5014-b7e6-75a0305837d5"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--9634ed7b-8489-4069-9b80-408f1adcd0df" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"target_ref" : "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--1da534cc-f78f-4c35-a1bc-77ea0835758f" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--a13bb548-ac3e-49d3-a5e2-a171d5bc2b43" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--329248b6-8624-45d1-8a95-8001c41ac645" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "sample-of" ,
"source_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"target_ref" : "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--6265ba6f-e649-4072-928a-9c390d0dd7f3" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--d5260841-3693-4b4e-b3f8-bffccc184799" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--014d4e38-b1d1-44de-9c66-5c2f1150da55" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--5f447be4-9408-4da0-be20-a0a8ef7a2d5b" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--a5ac1f16-43dd-4492-a265-99c0f7503ed7" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--d7c20040-9114-4709-b609-d1f230198e1f" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--9a9b4a6e-b294-4d05-a043-f960e385b06f" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--ac013608-5fc8-4eb4-93db-82e071ee002b" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--1d5ee2ce-69a6-456e-aa87-91639c4b3444" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--440260c8-b268-471d-af38-b90279d8cd13" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--7dde07a4-eb91-462d-b4c5-4fc1ebec9507" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "analyses" ,
"source_ref" : "x-misp-object--47c9fa88-b331-4b2e-86e2-64282aab3fe6" ,
"target_ref" : "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--72b26a67-0da8-45ae-96eb-597df62dfda0" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"target_ref" : "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--f4805af6-ce01-4536-a815-085cb796de33" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"target_ref" : "indicator--272aca0e-f758-5014-b7e6-75a0305837d5"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--4b96e96d-4d89-403f-a337-73cda0dfa8ad" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:41.000Z" ,
"modified" : "2023-12-06T07:53:41.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "indicator--272aca0e-f758-5014-b7e6-75a0305837d5" ,
"target_ref" : "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2024-04-05 12:15:17 +00:00
"id" : "relationship--e109b6af-88c7-4380-8040-0de861b2e16d" ,
2023-12-14 14:30:15 +00:00
"created" : "2023-12-06T07:53:42.000Z" ,
"modified" : "2023-12-06T07:53:42.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "indicator--272aca0e-f758-5014-b7e6-75a0305837d5" ,
"target_ref" : "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}
