misp-circl-feed/feeds/circl/stix-2.1/124008c0-e519-4f1d-b1fd-bd42bfae2198.json

1172 lines
838 KiB
JSON
Raw Normal View History

2023-12-14 14:30:15 +00:00
{
"type": "bundle",
"id": "bundle--124008c0-e519-4f1d-b1fd-bd42bfae2198",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-06T07:58:07.000Z",
"modified": "2023-12-06T07:58:07.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--124008c0-e519-4f1d-b1fd-bd42bfae2198",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-06T07:58:07.000Z",
"modified": "2023-12-06T07:58:07.000Z",
"name": "MAR-10478915-1.v1 Citrix Bleed",
"published": "2023-12-06T07:58:30Z",
"object_refs": [
"indicator--5c12b30f-2ece-411a-a2b6-905006a34587",
"indicator--84aeb797-4299-4ef7-b7ae-57f916ee5721",
"indicator--f6384914-d773-4d7e-b9ed-e1838371c145",
"indicator--e9f069da-febc-449d-b923-22793ec3f067",
"x-misp-object--dd1e10de-b0f8-4bcf-861b-76fe980f055e",
"indicator--49552673-c8ea-50b9-a196-4663a33bfae8",
"x-misp-object--a78aa17d-3dd4-483f-ba12-ca977debbc3b",
"x-misp-object--9f5db9a7-9ef7-44f8-9189-553c2cc276f5",
"x-misp-object--c2abd168-d969-4160-b427-dacaf686f65e",
"x-misp-object--4b0f18bd-e09a-408d-9d36-415ca54ad600",
"x-misp-object--5e485e81-7e00-42d7-9fc3-5c08690e9206",
"x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d",
"indicator--d9f8b89d-305b-4e39-89cc-aad2f4a4a9a1",
"x-misp-object--a13bb548-ac3e-49d3-a5e2-a171d5bc2b43",
"indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a",
"x-misp-object--d5260841-3693-4b4e-b3f8-bffccc184799",
"x-misp-object--5f447be4-9408-4da0-be20-a0a8ef7a2d5b",
"x-misp-object--d7c20040-9114-4709-b609-d1f230198e1f",
"x-misp-object--ac013608-5fc8-4eb4-93db-82e071ee002b",
"x-misp-object--440260c8-b268-471d-af38-b90279d8cd13",
"x-misp-object--47c9fa88-b331-4b2e-86e2-64282aab3fe6",
"x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930",
"indicator--a2ed1e76-995c-4ac2-96f3-361a818d7bf8",
"indicator--272aca0e-f758-5014-b7e6-75a0305837d5",
"indicator--e5ef55cc-e9d8-585e-baf5-4bebebe966a3",
"x-misp-object--768b3de5-0693-4cf1-9ee9-14d49bb338dd",
"x-misp-object--335344d0-7470-4ab8-a1ba-6d5e7474bacb",
"relationship--d957eb90-a200-47f8-9f1c-09b57d452bf2",
"relationship--85c2ef81-868f-4224-8aa4-438e4ed4f316",
"relationship--7eecc57e-434a-4e23-a544-e5705a4188d0",
"relationship--dfa86255-9c56-4ed6-ae42-90faf9600ca4",
"relationship--26b2ed0c-dde6-4ade-b8be-00a27aee680f",
"relationship--dd57afed-913f-4c92-ad63-b9b8de70cc86",
"relationship--6564b2e6-7ce1-40e7-8c8c-91e83ad7a18e",
"relationship--edabadcb-ad46-4bc7-869c-dde4031b3ccb",
"relationship--06ca735f-5b50-4b88-9917-866c779aba34",
"relationship--43f08b82-fe01-43ad-bed9-6189b7fdd518",
"relationship--65e5b14b-231a-45d7-9a20-03191d27d102",
"relationship--cfa49d43-39fe-497d-a92c-6d26da51093a",
"relationship--c1856cdb-26d1-4b2b-909c-80f14669cd23",
"relationship--b2b9756a-5318-4720-84cc-b77fc887a7a7",
"relationship--6a471013-75a5-4371-90d1-e9e60e319e7f",
"relationship--aa60f9a5-d6d0-4d7c-b47f-90ca3a304be5",
"relationship--c44a6df0-8666-4727-8273-ce944e8166c1",
"relationship--69080a0c-028f-4679-8415-52c950c3d708",
"relationship--e0b9b009-094f-4e60-a9a5-42a1ddb56d55",
"relationship--dfaf65e8-8e86-4639-a3a3-d8099844b584",
"relationship--ce78134c-2db8-4672-afdb-07fd2f11db81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c12b30f-2ece-411a-a2b6-905006a34587",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"description": "This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named 'z.txt' located in the path C:\\Windows\\Tasks. Next, a.bat pings the loop back internet protocol (IP) address 127.0.0[.]1 three times. \r\n\r\nThe next command it runs is reg save to save the HKLM\\SYSTEM registry hive into the C:\\Windows\\tasks\\em directory. Again, a.bat pings the loop back address 127.0.0[.]1 one time before executing another reg save command and saves the HKLM\\SAM registry hive into the C:\\Windows\\Task\\am directory. Next, a.bat runs three makecab commands to create three Cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\\Users\\Public\\a.png. The names of the .cab files are as follows:\r\n\r\n--Start names and paths of .cab files created--\r\nc:\\windows\\tasks\\em.cab\r\nc:\\windows\\tasks\\am.cab\r\nc:\\windows\\tasks\\a.cab\r\n--End names and paths of .cab files created--",
"pattern": "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_01 rule_content=rule CISA_10478915_01 : trojan installs_other_components\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"installs-other-components\"\n\t\tmalware_Type = \"trojan\"\n\t\ttool_type = \"information-gathering\"\n\t\tdescription = \"Detects trojan .bat samples\"\n\t\tsha256 = \"98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9\"\n\tstrings:\n\t\t$s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }\n\t\t$s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }\n\t\t$s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }\n\tcondition:\n\t\tall of them\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-11-16T14:40:15.681862Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--84aeb797-4299-4ef7-b7ae-57f916ee5721",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"description": "This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console.",
"pattern": "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_02 rule_content=rule CISA_10478915_02 : trojan installs_other_components\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"installs-other-components\"\n\t\tmalware_type = \"trojan\"\n\t\ttool_type = \"unknown\"\n\t\tdescription = \"Detects trojan PE32 samples\"\n\t\tsha256 = \"e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068\"\n\tstrings:\n\t\t$s1 = { 57 72 69 74 65 46 69 6c 65 }\n\t\t$s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }\n\t\t$s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }\n\t\t$s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }\n\t\t$s5 = { 64 65 6c 65 74 65 5b 5d }\n\t\t$s6 = { 4e 41 4e 28 49 4e 44 29 }\n\tcondition:\n\t\tuint16(0) == 0x5a4d and pe.imphash() == \"6e8ca501c45a9b85fff2378cffaa24b2\" and pe.size_of_code == 84480 and all of them\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-11-16T14:40:15.71802Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f6384914-d773-4d7e-b9ed-e1838371c145",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"description": "This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\\Users\\Public.\r\n\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path C:\\Windows\\Tasks.",
"pattern": "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_03 rule_content=rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"steals-authentication-credentials\"\n\t\tmalware_type = \"trojan\"\n\t\ttool_type = \"credential-exploitation\"\n\t\tdescription = \"Detects trojan DLL samples\"\n\t\tsha256 = \"17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994\"\n\tstrings:\n\t\t$s1 = { 64 65 6c 65 74 65 }\n\t\t$s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }\n\t\t$s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }\n\t\t$s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }\n\t\t$s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }\n\t\t$s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }\n\tcondition:\n\t\tuint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-11-16T14:40:15.77768Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e9f069da-febc-449d-b923-22793ec3f067",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"description": "This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword \"hashpasswd\" is present. If the keyword \"hashpasswd\" is not present, then the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script has the ability to execute command line arguments on the remote machine. If there is no command specified, then a default command of \u201cwhoami\u201d is run.",
"pattern": "['namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_04 rule_content=rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"communicates-with-c2\"\n\t\tmalware_type = \"backdoor\"\n\t\ttool_type = \"remote-access\"\n\t\tdescription = \"Detects trojan python samples\"\n\t\tsha256 = \"906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6\"\n\tstrings:\n\t\t$s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 } \n\t\t$s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }\n\t\t$s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }\n\t\t$s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }\n\tcondition:\n\t\tall of them\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-11-16T14:40:15.805722Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--dd1e10de-b0f8-4bcf-861b-76fe980f055e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "antiy",
"category": "Other",
"uuid": "e56e4026-c332-4ac6-a9f1-c184a5224c56"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "1340405c-0885-4eda-8eab-39e03ad3790d"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan/Win64.Malgent",
"category": "Other",
"uuid": "af1bcb04-85d6-4f4e-9422-0599d9c7a43f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"pattern": "[file:hashes.MD5 = '37f7241963cf8279f7c1d322086a5194' AND file:hashes.SHA1 = 'ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28' AND file:hashes.SHA256 = 'e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068' AND file:hashes.SHA512 = '02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7' AND file:hashes.SSDEEP = '3072:u8txkT6wDLf/p3ufznQbCQVlvxxV5hmWIh:NgpDbZufLQpjxJ9U' AND file:name = 'a.exe' AND file:size = '145920']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-09-26T14:42:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a78aa17d-3dd4-483f-ba12-ca977debbc3b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "avira",
"category": "Other",
"uuid": "3719ef1f-9874-4eba-afff-cf4ec794bb84"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "27afc559-0f7f-45e2-b7ab-2287e46e7939"
},
{
"type": "text",
"object_relation": "result_name",
"value": "TR/Redcap.sbphc",
"category": "Other",
"uuid": "c32e41c8-f249-44b2-82dd-0f0c091cf8c3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9f5db9a7-9ef7-44f8-9189-553c2cc276f5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "bitdefender",
"category": "Other",
"uuid": "2b5e1307-de50-49ce-92d3-fb1ef2eed196"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "93d920e2-229a-49f9-b42c-e1aa84ac7d02"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.GenericKD.70103917",
"category": "Other",
"uuid": "188ed091-b1be-4805-8bda-4b8fcdda14c3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c2abd168-d969-4160-b427-dacaf686f65e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "emsisoft",
"category": "Other",
"uuid": "6d74d82f-4588-41b8-9e70-e50413c5e559"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "73ea4713-bfb3-4502-8e2d-2647e5bed92f"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.GenericKD.70103917 (B)",
"category": "Other",
"uuid": "136a18fc-ea48-465e-b960-9db4d00cb2e4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4b0f18bd-e09a-408d-9d36-415ca54ad600",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "ikarus",
"category": "Other",
"uuid": "1386b0be-1993-4a66-86a5-09999b28b9ac"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "094a9625-2213-45d2-a517-13e4af80e0fd"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.Win64.Malgent",
"category": "Other",
"uuid": "1a697bc2-84bd-456d-91ae-5a0d7fc7e66a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5e485e81-7e00-42d7-9fc3-5c08690e9206",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "k7",
"category": "Other",
"uuid": "5c249117-0ae0-4e4b-9343-60046af8f7b3"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "ca34df49-20cb-4d20-aa7f-897240cff51d"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Riskware ( 00584baa1 )",
"category": "Other",
"uuid": "e9cc610a-d65e-46b3-9abf-462597ba1b15"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console.",
"category": "Other",
"uuid": "b8d927d5-bf1d-4875-935a-f27eceb11bc8"
},
{
"type": "boolean",
"object_relation": "is_family",
"value": "0",
"category": "Other",
"uuid": "c41d1151-7227-43e8-8582-0ecd9b86ef85"
},
{
"type": "text",
"object_relation": "malware_type",
"value": "trojan",
"category": "Other",
"uuid": "8899c605-306d-417c-970d-dfc5a3ec733c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d9f8b89d-305b-4e39-89cc-aad2f4a4a9a1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"pattern": "[file:hashes.MD5 = '37f7241963cf8279f7c1d322086a5194' AND file:hashes.SHA1 = 'ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28' AND file:hashes.SHA256 = 'e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068' AND file:hashes.SHA512 = '02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-11-16T14:40:15.726853Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a13bb548-ac3e-49d3-a5e2-a171d5bc2b43",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "antiy",
"category": "Other",
"uuid": "de6ded26-c0d2-4867-87ef-3bf9858fb5a1"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "a4b10d9b-0820-4db6-b8cb-6ff557deafaf"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan/Win64.Agent",
"category": "Other",
"uuid": "6a08a2a6-8d6f-42a9-b3a6-04127c8d17f5"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"pattern": "[file:hashes.MD5 = '206b8b9624ee446cad18335702d6da19' AND file:hashes.SHA1 = '364ef2431a8614b4ef9240afa00cd12bfba3119b' AND file:hashes.SHA256 = '17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994' AND file:hashes.SHA512 = 'efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d' AND file:hashes.SSDEEP = '3072:oCNLoO2N+p5Fm6nfZvD8sLVdN9dtFiokDFMYLcu:j1o/+34YRvDtFiwu' AND file:name = 'a.dll' AND file:size = '106496']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-09-26T14:42:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d5260841-3693-4b4e-b3f8-bffccc184799",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "bitdefender",
"category": "Other",
"uuid": "175ea164-a465-4ea5-9ebb-43d50975ab17"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "56987a54-4a92-461b-a1fa-7ac580f82386"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.GenericKD.70057986",
"category": "Other",
"uuid": "ef81de8d-8237-4166-aa79-2d008cd5c687"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5f447be4-9408-4da0-be20-a0a8ef7a2d5b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "eset",
"category": "Other",
"uuid": "f2795ce7-a785-4b2f-9118-f2d061dd366c"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "94857e60-ef39-4849-ba72-27c5896ce23d"
},
{
"type": "text",
"object_relation": "result_name",
"value": "a variant of Win64/Agent.DAU trojan",
"category": "Other",
"uuid": "b864d2b9-1b43-43af-9d8d-1b7ec4602c5d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d7c20040-9114-4709-b609-d1f230198e1f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "emsisoft",
"category": "Other",
"uuid": "5e7db3af-a26c-4fb6-823a-33bf14ebea55"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "c0bedb4e-8f70-4ffa-a32e-ed12033e3586"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.GenericKD.70057986 (B)",
"category": "Other",
"uuid": "4c29d389-c8f3-42b1-9bc3-63c9264dfef9"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ac013608-5fc8-4eb4-93db-82e071ee002b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "ikarus",
"category": "Other",
"uuid": "b2c7f3a1-a4c1-4e92-ad00-48911fc951bd"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "6bd79472-5c1a-4d8f-b32e-ea3cea81ad4b"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.Win64.Agent",
"category": "Other",
"uuid": "510a5a69-3a9d-492c-bf30-76076efb9223"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--440260c8-b268-471d-af38-b90279d8cd13",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "k7",
"category": "Other",
"uuid": "423d5543-727a-436a-9e19-93fb8c4e9d16"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "74d83513-4a59-4a64-9ba3-2b23e87e8372"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan ( 005ad67a1 )",
"category": "Other",
"uuid": "f1a22b3d-065d-415c-9043-a471caeb9ac7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--47c9fa88-b331-4b2e-86e2-64282aab3fe6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware-analysis\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "product",
"value": "zillya",
"category": "Other",
"uuid": "d6a5488c-de7b-401b-b173-5468b4cbc8c8"
},
{
"type": "text",
"object_relation": "result",
"value": "unknown",
"category": "Other",
"uuid": "faf62d2a-a099-46e6-a11e-e06dfe9bea98"
},
{
"type": "text",
"object_relation": "result_name",
"value": "Trojan.Agent.Win64.39686",
"category": "Other",
"uuid": "03b42e19-53cc-4129-8d59-b2030e4e7f3f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware-analysis"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"labels": [
"misp:name=\"malware\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path %PUBLIC%\\\r\n\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path %WINDIR%\\Tasks.",
"category": "Other",
"uuid": "c1efdcae-341a-4853-bfe8-8afd18768fab"
},
{
"type": "boolean",
"object_relation": "is_family",
"value": "0",
"category": "Other",
"uuid": "cfd418f1-654f-4bcd-abde-468a9a45f286"
},
{
"type": "text",
"object_relation": "malware_type",
"value": "trojan",
"category": "Other",
"uuid": "aefb1011-3950-4b71-baff-f2f8fd37f8fb"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "malware"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a2ed1e76-995c-4ac2-96f3-361a818d7bf8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-09-26T14:42:27.000Z",
"modified": "2023-09-26T14:42:27.000Z",
"pattern": "[file:hashes.MD5 = '206b8b9624ee446cad18335702d6da19' AND file:hashes.SHA1 = '364ef2431a8614b4ef9240afa00cd12bfba3119b' AND file:hashes.SHA256 = '17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994' AND file:hashes.SHA512 = 'efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-11-16T14:40:15.784715Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--272aca0e-f758-5014-b7e6-75a0305837d5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"pattern": "[file:hashes.MD5 = '52d5e2a07cd93c14f1ba170e3a3d6747' AND file:hashes.SHA1 = '8acaf9908229871ab33033df7b6a328ec1db56d5' AND file:hashes.SHA256 = '98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9' AND file:hashes.SHA512 = '317414f28d34f8295aa76cf9f39d4fd42c9bad292458dbd2a19f08a6a8b451e271179b7ef78afd8a2fe92a2e1103d9ef5e220557febf42d91900c268b8d61b69' AND file:hashes.SSDEEP = '6:halw5fwmUDXSLp8k7KdXSLp8kukK7va2RK4HvEEIVpmYY:sMULS98QAS98kuZ7XPcK3' AND file:name = 'a.bat' AND file:size = '376']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-06T07:53:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e5ef55cc-e9d8-585e-baf5-4bebebe966a3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"pattern": "[file:hashes.MD5 = '9cff554fa65c1b207da66683b295d4ad' AND file:hashes.SHA1 = 'b8e74921d7923c808a0423e6e46807c4f0699b6e' AND file:hashes.SHA256 = '906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6' AND file:hashes.SHA512 = '131621770e1899d81e6ff312b3245fe4e4013c36f82818a82fdd319982e6b742a72d906b6fb86c422bb720cd648f927b905a8fc193299ad7d8b3947e766abbd3' AND file:hashes.SSDEEP = '48:BpsnUP6s3ceBg5YbFYNXEtUyzzYyUyh0+FVzYA6P+Fqbaug9trYhTHhIQG86w09:BuUP6sseBIOqXEvpcrb89Z2THCQ6P' AND file:name = 'a.py' AND file:size = '2645']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-06T07:53:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--768b3de5-0693-4cf1-9ee9-14d49bb338dd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-06T07:54:21.000Z",
"modified": "2023-12-06T07:54:21.000Z",
"labels": [
"misp:name=\"original-imported-file\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "attachment",
"object_relation": "imported-sample",
"value": "MAR-10478915.r1.v1.CLEAR_stix2.json",
"category": "External analysis",
"uuid": "611ece1d-d27b-4277-b483-9bbf62e8bcd8",
"data": "ewogICAgInR5cGUiOiAiYnVuZGxlIiwKICAgICJpZCI6ICJidW5kbGUtLTZiODVjMDc2LWUzNDItNDIyNy1iOGM3LTE1ZGVlYjkyZjI3NyIsCiAgICAib2JqZWN0cyI6IFsKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogImlkZW50aXR5IiwKICAgICAgICAgICAgInNwZWNfdmVyc2lvbiI6ICIyLjEiLAogICAgICAgICAgICAiaWQiOiAiaWRlbnRpdHktLThlMTEyZTcyLWFhOGYtNDE5MC1hMzU5LTI4YTlhYmFlMjg5NiIsCiAgICAgICAgICAgICJjcmVhdGVkX2J5X3JlZiI6ICJpZGVudGl0eS0tNDJhYzNjOTItNjBkMi00MThmLWJhOGUtODM4OTQ0ZTYxMTBiIiwKICAgICAgICAgICAgImNyZWF0ZWQiOiAiMjAyMy0wNC0xMlQxNzo1MzowOS42NDZaIiwKICAgICAgICAgICAgIm1vZGlmaWVkIjogIjIwMjMtMDQtMTJUMTc6NTM6MDkuNjQ2WiIsCiAgICAgICAgICAgICJuYW1lIjogIkdlbWluaVByb2R1Y3Rpb25fQ01BIiwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIkN5YmVyc2VjdXJpdHkgYW5kIEluZnJhc3RydWN0dXJlIFNlY3VyaXR5IEFnZW5jeSBQcm9kdWN0aW9uIElkZW50aXR5LiBDb2RlIGFuZCBNZWRpYSBBbmFseXNpcy4iLAogICAgICAgICAgICAiaWRlbnRpdHlfY2xhc3MiOiAic3lzdGVtIiwKICAgICAgICAgICAgImNvbmZpZGVuY2UiOiAxMDAsCiAgICAgICAgICAgICJsYW5nIjogImVuIiwKICAgICAgICAgICAgIm9iamVjdF9tYXJraW5nX3JlZnMiOiBbCiAgICAgICAgICAgICAgICAibWFya2luZy1kZWZpbml0aW9uLS1iYWI0YTYzYy1hZWQ5LTRjZjUtYTc2Ni1kZmNhNWFiYWMyYmIiCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgIHsKICAgICAgICAgICAgInR5cGUiOiAiZmlsZSIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogImZpbGUtLTI3MmFjYTBlLWY3NTgtNTAxNC1iN2U2LTc1YTAzMDU4MzdkNSIsCiAgICAgICAgICAgICJoYXNoZXMiOiB7CiAgICAgICAgICAgICAgICAiTUQ1IjogIjUyZDVlMmEwN2NkOTNjMTRmMWJhMTcwZTNhM2Q2NzQ3IiwKICAgICAgICAgICAgICAgICJTSEEtMSI6ICI4YWNhZjk5MDgyMjk4NzFhYjMzMDMzZGY3YjZhMzI4ZWMxZGI1NmQ1IiwKICAgICAgICAgICAgICAgICJTSEEtMjU2IjogIjk4ZTc5Zjk1Y2Y4ZGU4YWNlODhiZjIyMzQyMWRiNWRjZTMwM2IxMTIxNTJkNjZmZmRmMjdlYmRmY2RmOTY3ZTkiLAogICAgICAgICAgICAgICAgIlNIQS01MTIiOiAiMzE3NDE0ZjI4ZDM0ZjgyOTVhYTc2Y2Y5ZjM5ZDRmZDQyYzliYWQyOTI0NThkYmQyYTE5ZjA4YTZhOGI0NTFlMjcxMTc5YjdlZjc4YWZkOGEyZmU5MmEyZTExMDNkOWVmNWUyMjA1NTdmZWJmNDJkOTE5MDBjMjY4YjhkNjFiNjkiLAogICAgICAgICAgICAgICAgIlNTREVFUCI6ICI2OmhhbHc1ZndtVURYU0xwOGs3S2RYU0xwOGt1a0s3dmEyUks0SHZFRUlWcG1ZWTpzTVVMUzk4UUFTOThrdVo3WFBjSzMiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgICJzaXplIjogMzc2LAogICAgICAgICAgICAibmFtZSI6ICJhLmJhdCIsCiAgICAgICAgICAgICJvYmplY3RfbWFya2luZ19yZWZzIjogWwogICAgICAgICAgICAgICAgIm1hcmtpbmctZGVmaW5pdGlvbi0tOTQ4NjhjODktODNjMi00NjRiLTkyOWItYTFhOGFhM2M4NDg3IgogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAgICJ0eXBlIjogImluZGljYXRvciIsCiAgICAgICAgICAgICJzcGVjX3ZlcnNpb24iOiAiMi4xIiwKICAgICAgICAgICAgImlkIjogImluZGljYXRvci0tNWMxMmIzMGYtMmVjZS00MTFhLWEyYjYtOTA1MDA2YTM0NTg3IiwKICAgICAgICAgICAgImNyZWF0ZWRfYnlfcmVmIjogImlkZW50aXR5LS04ZTExMmU3Mi1hYThmLTQxOTAtYTM1OS0yOGE5YWJhZTI4OTYiLAogICAgICAgICAgICAiY3JlYXRlZCI6ICIyMDIzLTA5LTI2VDE0OjQyOjI3LjAwMFoiLAogICAgICAgICAgICAibW9kaWZpZWQiOiAiMjAyMy0wOS0yNlQxNDo0MjoyNy4wMDBaIiwKICAgICAgICAgICAgIm5hbWUiOiAiYS5iYXQiLAogICAgICAgICAgICAib2JqZWN0X21hcmtpbmdfcmVmcyI6IFsKICAgICAgICAgICAgICAgICJtYXJraW5nLWRlZmluaXRpb24tLTk0ODY4Yzg5LTgzYzItNDY0Yi05MjliLWExYThhYTNjODQ4NyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgImRlc2NyaXB0aW9uIjogIlRoaXMgZmlsZSBpcyBhIFdpbmRvd3MgYmF0Y2ggZmlsZSBjYWxsZWQgYS5iYXQgdGhhdCBpcyB1c2VkIHRvIGV4ZWN1dGUgdGhlIGZpbGUgY2FsbGVkIGEuZXhlIHdpdGggdGhlIGZpbGUgY2FsbGVkIGEuZGxsIGFzIGFuIGFyZ3VtZW50LiAgVGhlIG91dHB1dCBpcyBwcmludGVkIHRvIGEgZmlsZSBuYW1lZCAnei50eHQnIGxvY2F0ZWQgaW4gdGhlIHBhdGggQzpcXFdpbmRvd3NcXFRhc2tzLiAgTmV4dCwgYS5iYXQgcGluZ3MgdGhlIGxvb3AgYmFjayBpbnRlcm5ldCBwcm90b2NvbCAoSVApIGFkZHJlc3MgMTI3LjAuMFsuXTEgdGhyZWUgdGltZXMuIFxyXG5cclxuVGhlIG5leHQgY29tbWFuZCBpdCBydW5zIGlzIHJlZyBzYXZlIHRvIHNhdmUgdGhlIEhLTE1cXFNZU1RFTSByZWdpc3RyeSBoaXZlIGludG8gdGhlIEM6XFxXaW5kb3dzXFx0YXNrc1xcZW0gZGlyZWN0b3J5LiAgQWdhaW4sIGEuYmF0IHBpbmdzIHRoZSBsb29wIGJhY2sgYWRkcmVzcyAxMjcuMC4wWy5dMSBvbmUgdGltZSBiZWZvcmUgZXhlY3V0aW5nIGFub3RoZXIgcmVnIHNhdmUgY29tbWFuZCBhbmQgc2F2ZXMgdGhlIEhLTE1cXFNBTSByZWdpc3RyeSBoaXZlIGludG8gdGhlIEM6XFxXaW5kb3dzXFxUYXNrXFxhbSBkaXJlY3RvcnkuICBOZXh0LCBhLmJhdCBydW5zIHRocmVlIG1ha2VjYWIgY29tbWFuZHMgdG8gY3JlYXRlIHRocmVlIENhYmluZXQgKC5jYWIpIGZpbGVzIGZyb20gdGhlIHByZXZpb3VzbHkgbWVudGlvbmVkIHNhdmVkIHJlZ2lzdHJ5IGhpdmVzIGFuZCBvbmUgZmlsZSBuYW1lZCBDOlxcVXNlcnNcXFB1YmxpY1xcYS5wbmcuICBUaGUgbmFtZXMgb2YgdGhlIC5jYWIgZmlsZXMgYXJlIGFzIGZvbGxvd3M6XHJcblxyXG4tLVN0YXJ0IG
},
{
"type": "text",
"object_relation": "format",
"value": "STIX 2.1",
"category": "Other",
"uuid": "43ab5514-2e2c-428f-8155-b301232a2e14"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "original-imported-file"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--335344d0-7470-4ab8-a1ba-6d5e7474bacb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-06T07:57:38.000Z",
"modified": "2023-12-06T07:57:38.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.cisa.gov/news-events/analysis-reports/ar23-325a",
"category": "External analysis",
"uuid": "70f27681-b669-4b90-bed0-79d7100828a8"
},
{
"type": "text",
"object_relation": "summary",
"value": "Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempts to establish sessions via Windows Remote Management (WinRM). The files include:\r\n\r\n Windows Batch file (.bat)\r\n Windows Executable (.exe)\r\n Windows Dynamic Link Library (.dll)\r\n Python Script (.py)\r\n\r\nFor more information about this vulnerability, see Joint Cybersecurity Advisory #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability.",
"category": "Other",
"uuid": "d6e0cd97-4c9f-47d6-be1c-508fa062fca8"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "MAR-10478915.r1.v1.CLEAR_.pdf",
"category": "External analysis",
"uuid": "fc29a335-d2a8-402e-8a39-77e9c1995024",
"data": "JVBERi0xLjYNJeLjz9MNCjkwIDAgb2JqDTw8L0xpbmVhcml6ZWQgMS9MIDU2MDQ3MC9PIDkyL0UgMjk2MjUxL04gOC9UIDU2MDA5Mi9IIFsgNDg2IDI2MV0+Pg1lbmRvYmoNICAgICAgICAgICAgICAgIA0xMDggMCBvYmoNPDwvRGVjb2RlUGFybXM8PC9Db2x1bW5zIDUvUHJlZGljdG9yIDEyPj4vRmlsdGVyL0ZsYXRlRGVjb2RlL0lEWzxDNkE3NzE3RUE3NTBCREQ5MDk4Njg5MjlDNDY5RjIwMz48QzY4RDNGN0M2NDIzNENDREFEMTg4MzZFQjAyMkYyOTQ+XS9JbmRleFs5MCAyOF0vTGVuZ3RoIDk2L1ByZXYgNTYwMDkzL1Jvb3QgOTEgMCBSL1NpemUgMTE4L1R5cGUvWFJlZi9XWzEgMyAxXT4+c3RyZWFtDQpo3mJiZGAQYGBiYGC6DSIZ9UEkw3YQyeIOIpkrwaQOWMQfrPIlWIQLLLICzN4MJBlfHAfL8oPI/DAQqaQIIrkng8igPUDyP3cdAxPQRrAJQNuIIv8zMHb+BAgwAL0eDyENZW5kc3RyZWFtDWVuZG9iag1zdGFydHhyZWYNMA0lJUVPRg0gICAgICAgICANMTE3IDAgb2JqDTw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMTg1L1MgMTU3Pj5zdHJlYW0NCmjeYmBgYGZgYBJlYGFgEA9nEGZAAGGgGCsQc1wQEFDojXRgjpF7yWC48O42BgZB+wjWa5nTZs4EKmNSnCJ0dWdjj8q0tWe4IrabGPXAuTyJKlvzElIlVFcXM7B3dDAwVHQ0uLh3dMDYSuodHSwuQAZIFosNQNOlGDjafgNpAbCDQGA7gxCQ1GTg5mAqZVjGoKzA6cP0kaGer5CBNSFvPkdUw9yDHmJ9fQxOB9gdmAqASgECDAB1WDmgDWVuZHN0cmVhbQ1lbmRvYmoNOTEgMCBvYmoNPDwvUGFnZXMgODkgMCBSL1R5cGUvQ2F0YWxvZz4+DWVuZG9iag05MiAwIG9iag08PC9Db250ZW50c1s5NCAwIFIgOTUgMCBSIDk2IDAgUiA5NyAwIFIgOTggMCBSIDk5IDAgUiAxMDAgMCBSIDEwMiAwIFJdL0Nyb3BCb3hbMCAwIDYxMiA3OTJdL01lZGlhQm94WzAgMCA2MTIgNzkyXS9QYXJlbnQgODkgMCBSL1Jlc291cmNlcyAxMDkgMCBSL1JvdGF0ZSAwL1R5cGUvUGFnZT4+DWVuZG9iag05MyAwIG9iag08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvRmlyc3QgNjUvTGVuZ3RoIDc0NS9OIDgvVHlwZS9PYmpTdG0+PnN0cmVhbQ0KaN68VW1r2zAQ/iv6XoLeLL9ACSTuQgPtVhqzFUI+uI5IPew42O7o/v3uJL8WL2RlW8RFyt3p0Sl6HomzgDDCOZgS0HPCPTAuiAywl8R3XOgdwpmLDgUJEj1ggVLk+pqGRVaUm1OcaPxRcQPHyON8TlfFsQZnFFlMcMJYGDw7lgbJJj+URbLR9ZY+3KxopN9qus7jg17aLrTdekefvjx/1wnirnPAZdxgrXPAZZ7Fms+3dB2Gy7jSe/Aq9O5gwqJK9LEmAVN08ePwLd3XL8TxAhrGp1udHl5q4nGX3mibNhNc0FUWHyoihdnLclm8bWeu8MlMei4RjDEsgO9MdJVmGoswGzKez3Gu6QI/y6tFmcbZbFlk+/uIrus4S5PF8ZBpwuidjvfp8UCkpPfxmy0Lsemm1vlXSIh+nrQBxNLK9FQXJX1qKlY8mM9hb7hZTJlc79MxKXAJwE8eizw+do5VWlZ1+BKX7R77JQwfcCt3cZPChaCb1+cay4nKV23q6oqjpvJqKzwftiLhn8VjxuYJPHz0oVkfjjCTEaXci6yfy4hrSkPcobmuZyIe4OJvi28i4PVhvq0E89qcbo6JBI7TxO0KfcMK0DfssSIco/V7wZHvB13EIknwDOfg2Ov3z9jOHOMkRR3+pxR1FVBUqJaizB1TVE5QNLSU+R/s7Jf6KDHlmJiC8wuJCQehVPOn24PmcNO11DSH5DukpTD2aJdStM1nBgVpA9eDsnxCzp3hKTDA+BGmZSrGf8dVHCNbW+yWg4MSzBa78hgbldmNcX0wjGOPa08pz8TbecyqymA2JqVD2u+/2aRi5F+15thHyvMU65WngqHyXFcMlAd5E8oToK2ZAy8E91B5whNj5TkTyru5itJcVzMjgHfq6yTHPcGN5G6BpY32OBNn1ecoZ0J94+U+qkD17mng/iUKVOcPw8aHtDpn49Zf7WxwebePhnkA/KB/QBqpXUqT9752/T5mr/BfAgwAyExN0g1lbmRzdHJlYW0NZW5kb2JqDTk0IDAgb2JqDTw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggODIwPj5zdHJlYW0NCkiJrFVNb9NAEL37V4w4OQem+/3BDdpKIFWoBUscKIcoJCKoSdokReq/Z3aT3dpet2kJiRRP7Jn33rzdHd/BFdyBEqickg6UFyidsaCFR825BYFWw3oK32AJJ6cbDpMNMDTxY4eiajN5Cd6sSyy0Q+eV7iZWryGGNvHTeDtirUApD5o74AP9eaadEypEMnxipI0zwgUarVA4LnTAQMkU9cctWu4ITSFTwtsOlRT8aCrCQKm9OkDFPTuaijCQBc8OUNFKhosZYFJUbvRg1GGyGr0hAi1pGRlBDTMZHi9DPb2UyXD0tCsOMYW1PJJJWXTW+UNMUh7NJCU62hOHmLg/mol7tF4eImL6aCKmw4B4nsdF54T8dxonUWvXdk4I5J4r/kjEmQ1MnAL3qgkYmKgYtTL+kYmhpHkkuaBnBkP0SKVInqWpFShpsfpk8Rumm9HowgigXNTe2gjFJVHSQTVd+cpZsEqCUVAg8vglxNAlGi6diBz5DxXT3KapRQhomRPVZAEfGmqCMcahoQZ3BfG3WcBJ0wTIZgZ1c3H5Dk4vzt9/GUHzG84bktOZ9TJMnWCE1CjpoPAc5Hl/OV1Pprfb+/ENrOdUGxOo8cCW4ohnaBdEPOY9kMaTTwsOZyu4qpKvkr3Y1gBEA9IdslXqI12VBM+Y+S+u0h4OI9+BL96WqcGn9QQ5NiKgscJCS4+ontXzebWdz+aT8Xa+WnYVaZqg4Y3PTLaoGpBE72dF+8HHO/mPtiiEJXe18bQENFB2klpCqp0QsRPynawZwVuGHOpfMbBQz2MgoN7ACGKwjnck1NOUc7sLqnqV7uSc7b4oFZdwt0XNalTt7vzJ2T9TUubMdxLOm3A1UI/Tgz1D1eJMOalmtr+Wugu9y9Tj0zWLFGQJ2z5KLlqmHnPuTcopjLkvmPKjVVK1mfba7nD1KR5GNI1QQY295WmirPb6T/s+nyWQ/vK3etkLrbIB2ZppIaq/Q7LsWedBVX8sTCxRc4fjgqe1YaqY8jXgtosnpdF54ZLKhyTzuk49ZkOywIR8PepvpyxiVfi7SbqWRU7foqEjA90jUw0cmVReekP74QfAXwEGAIyPo/YNZW5kc3RyZWFtDWVuZG9iag05NSAwIG9iag08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDc0Mz4+c3RyZWFtDQpIiaRWQW/TUAy++1f4mEosa9KkSbjBmIQQBxiRdkAc2Fs7pi5tWRoQ/540jZ3OX5JuoErt67Of32f7s/3yD3yZ8+f685PjhON4zvE04WBKjwu+5jWfX5QBu5Knzad0tV7qp1GURlmzo3/ixA/DZB7VNlJ/HkYpu4Lf5hw0as035QWf53lY/8uX/JW93xM+m/ohe9+bRcLeY7OYHS1UtJbFbsL1IfLu5fRCJCU3IvY2srNsN0SA1v7whBrRSu2p7FYWclxR6ZV3smgtU6ejp9HwnTU8ggtPL62XemUBUYNgbeAmweBQtLPw7idkwCwGg/UDVGz4qMc532QsbwRBnzlReXcwQt57sfZlL5l1GoptA0aUM+tOh556LxoLiA/aVRdL9XE0xz
},
{
"type": "text",
"object_relation": "case-number",
"value": "AR23-325A",
"category": "Other",
"uuid": "9670f0e7-37af-4838-be8b-5f0eb23511ce"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d957eb90-a200-47f8-9f1c-09b57d452bf2",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--dd1e10de-b0f8-4bcf-861b-76fe980f055e",
"target_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--85c2ef81-868f-4224-8aa4-438e4ed4f316",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "sample-of",
"source_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8",
"target_ref": "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7eecc57e-434a-4e23-a544-e5705a4188d0",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--a78aa17d-3dd4-483f-ba12-ca977debbc3b",
"target_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dfa86255-9c56-4ed6-ae42-90faf9600ca4",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--9f5db9a7-9ef7-44f8-9189-553c2cc276f5",
"target_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--26b2ed0c-dde6-4ade-b8be-00a27aee680f",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--c2abd168-d969-4160-b427-dacaf686f65e",
"target_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dd57afed-913f-4c92-ad63-b9b8de70cc86",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--4b0f18bd-e09a-408d-9d36-415ca54ad600",
"target_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6564b2e6-7ce1-40e7-8c8c-91e83ad7a18e",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--5e485e81-7e00-42d7-9fc3-5c08690e9206",
"target_ref": "indicator--49552673-c8ea-50b9-a196-4663a33bfae8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--edabadcb-ad46-4bc7-869c-dde4031b3ccb",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "related-to",
"source_ref": "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d",
"target_ref": "indicator--272aca0e-f758-5014-b7e6-75a0305837d5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--06ca735f-5b50-4b88-9917-866c779aba34",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "related-to",
"source_ref": "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d",
"target_ref": "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--43f08b82-fe01-43ad-bed9-6189b7fdd518",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--a13bb548-ac3e-49d3-a5e2-a171d5bc2b43",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--65e5b14b-231a-45d7-9a20-03191d27d102",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "sample-of",
"source_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a",
"target_ref": "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cfa49d43-39fe-497d-a92c-6d26da51093a",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--d5260841-3693-4b4e-b3f8-bffccc184799",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c1856cdb-26d1-4b2b-909c-80f14669cd23",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--5f447be4-9408-4da0-be20-a0a8ef7a2d5b",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b2b9756a-5318-4720-84cc-b77fc887a7a7",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--d7c20040-9114-4709-b609-d1f230198e1f",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6a471013-75a5-4371-90d1-e9e60e319e7f",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--ac013608-5fc8-4eb4-93db-82e071ee002b",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--aa60f9a5-d6d0-4d7c-b47f-90ca3a304be5",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--440260c8-b268-471d-af38-b90279d8cd13",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c44a6df0-8666-4727-8273-ce944e8166c1",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "analyses",
"source_ref": "x-misp-object--47c9fa88-b331-4b2e-86e2-64282aab3fe6",
"target_ref": "indicator--e2e1a9d3-1363-51a8-a780-23f78f8c917a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--69080a0c-028f-4679-8415-52c950c3d708",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "related-to",
"source_ref": "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930",
"target_ref": "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e0b9b009-094f-4e60-a9a5-42a1ddb56d55",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "related-to",
"source_ref": "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930",
"target_ref": "indicator--272aca0e-f758-5014-b7e6-75a0305837d5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dfaf65e8-8e86-4639-a3a3-d8099844b584",
"created": "2023-12-06T07:53:41.000Z",
"modified": "2023-12-06T07:53:41.000Z",
"relationship_type": "related-to",
"source_ref": "indicator--272aca0e-f758-5014-b7e6-75a0305837d5",
"target_ref": "x-misp-object--eb408b5c-09b1-449c-9125-d451a8c4ae0d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ce78134c-2db8-4672-afdb-07fd2f11db81",
"created": "2023-12-06T07:53:42.000Z",
"modified": "2023-12-06T07:53:42.000Z",
"relationship_type": "related-to",
"source_ref": "indicator--272aca0e-f758-5014-b7e6-75a0305837d5",
"target_ref": "x-misp-object--a1e53fea-9148-4c25-b1c7-da233d87c930"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}