{
"Event": {
"analysis": "2",
"date": "2020-12-30",
"extends_uuid": "",
"info": "RegretLocker - VMRay Analyzer Report for Sample #1500977",
"publish_timestamp": "1609336612",
"published": true,
"threat_level_id": "3",
"timestamp": "1609336602",
"uuid": "56864321-e4c0-4a50-b7cf-1102ee4c2808",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#d46aea",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_tcp_out_connection\""
},
{
"colour": "#c8b852",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_install_startup_script_by_registry\""
},
{
"colour": "#e31d46",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_request_dns_by_name\""
},
{
"colour": "#59b97f",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_check_external_ip\""
},
{
"colour": "#a380b5",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_change_folder_appearance\""
},
{
"colour": "#a3fd40",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_av_malicious_match\""
},
{
"colour": "#63eb02",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_use_encryption_api\""
},
{
"colour": "#4b44cc",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_enumerate_processes\""
},
{
"colour": "#9d9c90",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_establish_http_connection\""
},
{
"colour": "#c9b80b",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_delay_execution_by_sleep\""
},
{
"colour": "#22d63f",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_dynamic_api_usage_by_api\""
},
{
"colour": "#3ef66f",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_modify_windows_backup_settings\""
},
{
"colour": "#11a2d6",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_drop_pe_file\""
},
{
"colour": "#df8416",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_create_named_mutex\""
},
{
"colour": "#41f1e3",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_install_scheduled_task_by_schtasks\""
},
{
"colour": "#6d96f5",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_create_process_with_hidden_window\""
},
{
"colour": "#00905d",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_known_suspicious_file\""
},
{
"colour": "#3932a1",
"name": "misp-galaxy:misp-attack-pattern=\"vmray_delay_by_scheduled_task_delayed\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:ransomware=\"RegretLocker\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "0d6149fa-7d99-43b7-9945-449c34054e55",
"value": "api.ipify.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "1196afab-f33f-4bfa-87b7-dacb0f19f1de",
"value": "nagano-19599.herokussl.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "b47f9402-8287-47c5-93ec-7cbba8b5081c",
"value": "elb097307-934924932.us-east-1.elb.amazonaws.com"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "mutex",
"uuid": "66a9b551-e555-43f2-9716-55ec617d4bb3",
"value": "svchost"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "c0a3e8aa-1a13-45cc-bcbd-045aa63240db",
"value": "elb097307-934924932.us-east-1.elb.amazonaws.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "eb5ed5b8-1635-4ec6-abae-4c80efd17880",
"value": "45.66.33.45"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "e3d57113-2296-4e3f-b871-0ac228405ede",
"value": "45.66.33.45"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "939b73b1-0ac1-47a1-9ac6-ea1b312bbd0d",
"value": "110.4.47.139"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "9c61d329-ad4b-4ce8-8813-2086a0434292",
"value": "110.4.47.139"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "1726a7d8-2589-4985-ab3d-b8d0933a9854",
"value": "203.218.5.141"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "54e046eb-3dbc-4001-8e52-bb78aa43096d",
"value": "203.218.5.141"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "b60efdd4-d26b-449a-a04a-454986ea4360",
"value": "45.11.18.120"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "015c0c28-8256-45bc-9588-e20cd7d75181",
"value": "45.11.18.120"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "25c853cf-edbc-4141-b4c5-9a34fb100368",
"value": "185.220.102.242"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "59c92eff-4581-4f5c-95c1-c37b0165ee20",
"value": "185.220.102.242"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "31f77d87-72eb-47eb-a1cf-169fe11b227e",
"value": "205.185.127.217"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "dd085402-6038-4b45-8bb9-ffe3d850ca4f",
"value": "205.185.127.217"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "43e9ee4c-61ce-46be-b5ad-5fb45bcc1c84",
"value": "23.129.64.211"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "fc26844c-a53e-4324-899a-f38a118f0430",
"value": "23.129.64.211"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "937c7b3f-272a-46ac-ac14-1dadd6a30900",
"value": "51.158.146.152"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "b3babd8f-89fa-45d3-82dd-89d87dc38af0",
"value": "51.158.146.152"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "627c70a6-6880-4755-ab62-ac32ab4c920a",
"value": "45.154.35.222"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "fcb3608f-a76c-4712-a42d-bc57002745ab",
"value": "45.154.35.222"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "domain",
"uuid": "d9be3c9d-1473-4e1a-a28a-e1deb0a490fe",
"value": "45.79.157.103"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "url",
"uuid": "d19d272a-0fba-4a5a-81ea-438a9b0c22c2",
"value": "45.79.157.103"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "regkey",
"uuid": "f7c244c9-61c0-498b-9ecd-5b45a9f828aa",
"value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "regkey",
"uuid": "0c999112-dd3a-4660-9ce4-1da25f63369b",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "regkey",
"uuid": "2c6e44ad-af7f-4860-8515-c07e11f0d73d",
"value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "regkey",
"uuid": "2a26ccb1-3bc4-4d4c-9267-50f3e7cbad84",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "495ba099-2877-417c-a395-0b775e682254",
"value": "50.19.252.36"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "3a0b0357-d641-4bf2-ad0e-9d67e935058c",
"value": "54.204.14.42"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "c1ca2e16-9132-456b-813b-c9bddcc1ef96",
"value": "54.227.255.202"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "3d03ea7b-4b1a-4774-830b-bfeefcb2e767",
"value": "54.235.98.120"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "ddd9f951-eda5-421e-8408-1d8a21b790c5",
"value": "54.235.169.38"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "1ef6377b-4930-40fb-bbcd-082415d6548c",
"value": "23.21.252.4"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "04612a82-d194-4360-8cf8-6a21b880534e",
"value": "54.225.66.103"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1609336429",
"to_ids": false,
"type": "ip-dst",
"uuid": "d2eb2254-d24d-4b17-a10d-9d92cfd44980",
"value": "54.225.169.28"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"relationship_type": "child-of",
"timestamp": "0",
"uuid": "4d2a9956-791a-49b6-8b13-f47def1e1e5b"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"relationship_type": "child-of",
"timestamp": "0",
"uuid": "761c6f78-f0e1-409f-907d-cd1ee277a737"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"relationship_type": "created",
"timestamp": "0",
"uuid": "fef63163-283d-42d0-8539-cee127207fc3"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "66a9b551-e555-43f2-9716-55ec617d4bb3",
"relationship_type": "created",
"timestamp": "0",
"uuid": "05e4eda6-eabd-4820-921b-a77235e9c8d9"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "b9bafe60-a9cc-43fa-a541-2dfb16d3aed5",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "200af52f-e639-4b95-b96a-44b5c0c718c6"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "c0a3e8aa-1a13-45cc-bcbd-045aa63240db",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "9555e701-e70a-477a-8722-96d73b326000"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "eb5ed5b8-1635-4ec6-abae-4c80efd17880",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "8f9c7269-5e5e-4eb1-b0e7-215a6a7fe762"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "939b73b1-0ac1-47a1-9ac6-ea1b312bbd0d",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "cd1911c7-dc3d-4f9e-9f93-909d96320ba9"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "1726a7d8-2589-4985-ab3d-b8d0933a9854",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "a0b290d3-d815-4d9a-8ec5-1e22acec0eca"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "b60efdd4-d26b-449a-a04a-454986ea4360",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "ab3a1949-538f-4794-8f67-240f7a86fd6e"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "25c853cf-edbc-4141-b4c5-9a34fb100368",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "dc0d4b90-c7a7-4538-b2f4-76d4472e6bb5"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "31f77d87-72eb-47eb-a1cf-169fe11b227e",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "1fbd8afb-229b-4287-bb0c-6e170d8279d0"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "43e9ee4c-61ce-46be-b5ad-5fb45bcc1c84",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "5827df94-7a04-4269-9bb8-a06bac1691be"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "937c7b3f-272a-46ac-ac14-1dadd6a30900",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "b6e46ff4-8f87-48fa-b5c9-13ace0331727"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "627c70a6-6880-4755-ab62-ac32ab4c920a",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "9d22c3c5-12c0-4255-9cd3-1636b4521fb6"
},
{
"comment": "",
"object_uuid": "e09020d6-d77d-4080-a7a4-210312a7900c",
"referenced_uuid": "d9be3c9d-1473-4e1a-a28a-e1deb0a490fe",
"relationship_type": "read-from",
"timestamp": "0",
"uuid": "b3c17d3b-0b54-4eae-abd5-4f03647a32ce"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "5a726dcf-17a5-498c-9343-05baac5f5d52",
"value": "locker.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "920f4fe6-c4ed-41a5-b65f-71f0341f7db0",
"value": "4464"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "eea27000-ec7d-48b2-a023-cd76aba10615",
"value": "1376"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "37201be6-55a2-491f-9de9-aa03d421f3b1",
"value": "locker.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "ab85d505-a1b2-4a0d-8123-5394943d3193",
"value": "\"%USERPROFILE%\\Desktop\\locker.exe\""
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"ObjectReference": [
{
"comment": "",
"object_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"referenced_uuid": "9d0fadd9-70bb-4d31-a86b-b6995879f855",
"relationship_type": "child-of",
"timestamp": "0",
"uuid": "4e4cb88b-76ff-4eaf-8b47-43a35c1a11dd"
},
{
"comment": "",
"object_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"referenced_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"relationship_type": "created",
"timestamp": "0",
"uuid": "6ef443c5-bb84-4eb3-b6d3-df48fc862ac9"
},
{
"comment": "",
"object_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"referenced_uuid": "f7c244c9-61c0-498b-9ecd-5b45a9f828aa",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "40f3297b-b75b-40ff-b32a-6028b9a4814a"
},
{
"comment": "",
"object_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"referenced_uuid": "0c999112-dd3a-4660-9ce4-1da25f63369b",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "41f79c48-334d-46f7-8fca-6a31a3bb905c"
},
{
"comment": "",
"object_uuid": "14eff187-01c0-4492-980e-90baa5cd56a5",
"referenced_uuid": "2c6e44ad-af7f-4860-8515-c07e11f0d73d",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "570b91e7-6a3c-4737-b8bf-9def1fb9074c"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "eb313b89-9ef2-4996-a869-02b14e646d98",
"value": "cmd.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "da629c71-5cbc-43f0-a4fb-fed12615bb6e",
"value": "1340"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "756b698f-761d-43d2-9667-de6d7e3b716c",
"value": "4464"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "4b91f92d-bb8d-4bf2-b2d9-8081de4772cd",
"value": "cmd.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "c714eadc-da43-444d-ab88-6c9031804936",
"value": "\"%WINDIR%\\System32\\cmd.exe\" /C schtasks /Create /SC MINUTE /TN \"Mouse Application\" /TR \"%USERPROFILE%\\Desktop\\locker.exe\" /f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"referenced_uuid": "ad1f0004-c221-4a19-8edd-d9f836b88ee7",
"relationship_type": "child-of",
"timestamp": "0",
"uuid": "9948ce0f-03cd-4732-874c-a6185d6b3830"
},
{
"comment": "",
"object_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"referenced_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"relationship_type": "created",
"timestamp": "0",
"uuid": "a1ff427d-6388-4b18-bec7-8ef8e1d516a1"
},
{
"comment": "",
"object_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"referenced_uuid": "f7c244c9-61c0-498b-9ecd-5b45a9f828aa",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "0b9b30d1-b9d1-4df0-9462-cd9a9253ed06"
},
{
"comment": "",
"object_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"referenced_uuid": "0c999112-dd3a-4660-9ce4-1da25f63369b",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "50ca7cbd-6586-4f0d-9cbe-8bc692baa411"
},
{
"comment": "",
"object_uuid": "e0a0c460-3940-4815-9a71-e4aa3a01a058",
"referenced_uuid": "2c6e44ad-af7f-4860-8515-c07e11f0d73d",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "dccf3d80-0806-4577-944b-78d9a6249bd4"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "308f2a19-bdc2-4116-bfa9-b1d9a4520985",
"value": "cmd.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "f505b275-8a65-4a6a-98f6-39a8e5822753",
"value": "3956"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "d053a485-7406-40a4-be82-5939a32a96cb",
"value": "4464"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "420aa5ed-fd32-4f36-8b62-045b47035d6e",
"value": "cmd.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "28b3e75d-a29f-42d5-ba7f-5a73cf283499",
"value": "\"%WINDIR%\\System32\\cmd.exe\" /C wmic SHADOWCOPY DELETE & wbadmin DELETE SYSTEMSTATEBACKUP & bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures & bcdedit.exe / set{ default } recoveryenabled No"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "9d0fadd9-70bb-4d31-a86b-b6995879f855",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "5e846dcf-92a9-4f03-8c09-e41e249894d2",
"value": "schtasks.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "32627631-e917-4f40-bb3d-deab49a1894d",
"value": "1664"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "e0c748b6-113a-4b37-83c4-1334e146eacc",
"value": "1340"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "a7dce264-f9b7-4d2d-804d-ad23561ac300",
"value": "schtasks.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "61472b4a-df7e-49c1-a52f-07ad40706bd9",
"value": "schtasks /Create /SC MINUTE /TN \"Mouse Application\" /TR \"%USERPROFILE%\\Desktop\\locker.exe\" /f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "ad1f0004-c221-4a19-8edd-d9f836b88ee7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ad1f0004-c221-4a19-8edd-d9f836b88ee7",
"referenced_uuid": "aeca75dd-8858-48c1-9773-a4f670e63210",
"relationship_type": "child-of",
"timestamp": "0",
"uuid": "42815cfc-0344-454e-9487-3eefbeee0f8e"
},
{
"comment": "",
"object_uuid": "ad1f0004-c221-4a19-8edd-d9f836b88ee7",
"referenced_uuid": "2a26ccb1-3bc4-4d4c-9267-50f3e7cbad84",
"relationship_type": "opened",
"timestamp": "0",
"uuid": "d5389676-13db-408a-aa9d-bf005af307ac"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "b05fe8ae-e658-435e-b7b4-55d9b20a9928",
"value": "wmic.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "ec2ba0fd-648f-40b7-a823-c95753af6b19",
"value": "1380"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "5ac52658-6c39-4f61-a4fc-cf1ae023a0a5",
"value": "3956"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "5bc3957e-af3d-4a00-8644-734dd61418a1",
"value": "wmic.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "1519345f-27b8-4ae6-924d-fba3ba3ee1d6",
"value": "wmic SHADOWCOPY DELETE"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "aeca75dd-8858-48c1-9773-a4f670e63210",
"ObjectReference": [
{
"comment": "",
"object_uuid": "aeca75dd-8858-48c1-9773-a4f670e63210",
"referenced_uuid": "8c814729-25fa-4f3d-9e74-f587c2676eb1",
"relationship_type": "child-of",
"timestamp": "0",
"uuid": "f959e1d2-a676-4663-8b71-d87573c6876a"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "5161db0a-1be4-4851-8ff4-e8a38c316bac",
"value": "svchost.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "ee636834-2bef-483e-8de8-6d3925b7a061",
"value": "940"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "71b22502-3042-45f7-9bec-37ccc2015480",
"value": "572"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "3f91250f-7fba-44e3-8102-3226033871cb",
"value": "svchost.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "1cffab6d-676b-409f-82b5-ffbbde9c938b",
"value": "%WINDIR%\\system32\\svchost.exe -k netsvcs"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a system process.",
"meta-category": "misc",
"name": "process",
"template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"template_version": "8",
"timestamp": "1609336429",
"uuid": "8c814729-25fa-4f3d-9e74-f587c2676eb1",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "5805ca56-3a7f-4e37-80d0-26240f2eb9b4",
"value": "locker.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "231535e4-429c-4ac1-9d24-3dd66fdad4c7",
"value": "4472"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "parent-pid",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "a42909eb-6283-4c04-95ae-914a404df550",
"value": "940"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "image",
"timestamp": "1609336429",
"to_ids": false,
"type": "filename",
"uuid": "dc1d0063-99be-4cec-910c-aaa115c3adfe",
"value": "locker.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "command-line",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "b6463c12-bd40-4cde-9ea6-eb6805ffba22",
"value": "%USERPROFILE%\\Desktop\\locker.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"name": "registry-key",
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"template_version": "4",
"timestamp": "1609336429",
"uuid": "b9bafe60-a9cc-43fa-a541-2dfb16d3aed5",
"Attribute": [
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "hive",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "992fe64a-bed5-416a-bcde-ec00b9ab6326",
"value": "HKEY_CURRENT_USER"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key",
"timestamp": "1609336429",
"to_ids": false,
"type": "regkey",
"uuid": "36b90aca-cf29-4da4-9a36-0a4ea821ecbe",
"value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "data",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "b38e272d-0200-4737-9154-a54cb3608cc6",
"value": "%USERPROFILE%\\Desktop\\locker.exe"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "data-type",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "d5f2c5f2-9706-4780-89e8-1ce6c90ed2ff",
"value": "REG_SZ"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1609336429",
"to_ids": false,
"type": "text",
"uuid": "ee9c522b-86a5-4d4a-9b7e-2729c54baf3f",
"value": "Mouse Application"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing the original file used to import data in MISP.",
"meta-category": "file",
"name": "original-imported-file",
"template_uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5",
"template_version": "2",
"timestamp": "1609336431",
"uuid": "ce8013e9-4d6d-48d5-82e5-190328228b00",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": true,
"object_relation": "imported-sample",
"timestamp": "1609336431",
"to_ids": false,
"type": "attachment",
"uuid": "89759f96-feef-40b1-83f8-ed70f964aa62",
"value": "stix-report.xml"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1609336431",
"to_ids": false,
"type": "text",
"uuid": "1018cdf0-f8e7-4b8f-9d3b-efde6e7b7c78",
"value": "STIX 1.1"
}
]
}
]
}
}