{
"Event": {
"analysis": "2",
"date": "2020-02-14",
"extends_uuid": "",
"info": "Dever Ransomware",
"publish_timestamp": "1581894421",
"published": true,
"threat_level_id": "3",
"timestamp": "1581894349",
"uuid": "5e471206-3fb8-43d3-adfd-4806950d210f",
"Orgc": {
"name": "wilbursecurity.com",
"uuid": "5e16d2bc-5c68-4ef1-bc80-47f5950d210f"
},
"Tag": [
{
"colour": "#33FF00",
"local": "0",
"name": "tlp:green",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1581812660",
"to_ids": false,
"type": "filename",
"uuid": "5e4889bf-2f14-4bda-bc7e-40dc950d210f",
"value": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svhost.exe"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1581812198",
"to_ids": false,
"type": "regkey",
"uuid": "5e4889e6-9754-4148-9116-410e950d210f",
"value": "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\svhost"
},
{
"category": "Network activity",
"comment": "RDP disconnect from this IP shortly after Dever was run",
"deleted": false,
"disable_correlation": false,
"timestamp": "1581865066",
"to_ids": false,
"type": "ip-src",
"uuid": "5e49586a-7460-4471-a9d4-4361950d210f",
"value": "5.45.71.178"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1581885892",
"to_ids": false,
"type": "link",
"uuid": "5e49a9c4-d320-4eca-bca8-4b6a950d210f",
"value": "https://www.wilbursecurity.com/2020/02/the-dever-ransomware-experience/"
}
],
"Object": [
{
"comment": "Process Hacker",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1581716636",
"uuid": "5e47149c-31a8-4e72-87e3-4a55950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1581716636",
"to_ids": true,
"type": "malware-sample",
"uuid": "5e47149c-0078-433b-aaa5-4381950d210f",
"value": "ProcessHacker.exe|b365af317ae730a67c936f21432b9c71"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1581716636",
"to_ids": false,
"type": "filename",
"uuid": "5e47149c-f918-428e-bcd9-4689950d210f",
"value": "ProcessHacker.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1581716637",
"to_ids": true,
"type": "md5",
"uuid": "5e47149d-2f38-4ade-8f59-476f950d210f",
"value": "b365af317ae730a67c936f21432b9c71"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1581716637",
"to_ids": true,
"type": "sha1",
"uuid": "5e47149d-7f5c-4b4f-a3aa-471f950d210f",
"value": "a0bdfac3ce1880b32ff9b696458327ce352e3b1d"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1581716637",
"to_ids": true,
"type": "sha256",
"uuid": "5e47149d-b584-4505-ba96-49d1950d210f",
"value": "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1581716637",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5e47149d-f7b8-4668-b98c-4098950d210f",
"value": "1719840"
}
]
},
{
"comment": "Process Hacker",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1581716637",
"uuid": "5e47149d-1064-464e-83d3-4973950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1581716637",
"to_ids": true,
"type": "malware-sample",
"uuid": "5e47149d-6c8c-4ad8-a346-478c950d210f",
"value": "kprocesshacker.sys|1b5c3c458e31bede55145d0644e88d75"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1581716637",
"to_ids": false,
"type": "filename",
"uuid": "5e47149d-9f9c-4113-9684-41d0950d210f",
"value": "kprocesshacker.sys"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1581716637",
"to_ids": true,
"type": "md5",
"uuid": "5e47149d-7b84-4f03-ab28-41f6950d210f",
"value": "1b5c3c458e31bede55145d0644e88d75"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1581716638",
"to_ids": true,
"type": "sha1",
"uuid": "5e47149e-0dbc-43ec-b129-4dda950d210f",
"value": "a21c84c6bf2e21d69fa06daaf19b4cc34b589347"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1581716638",
"to_ids": true,
"type": "sha256",
"uuid": "5e47149e-e80c-4d8b-bf8a-4d90950d210f",
"value": "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1581716638",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5e47149e-cde4-41e7-8945-4ddc950d210f",
"value": "45208"
}
]
},
{
"comment": "Dever Ransomware",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1581716959",
"uuid": "5e4715df-5698-48f6-a4a8-4620950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1581716959",
"to_ids": true,
"type": "malware-sample",
"uuid": "5e4715df-877c-4181-8377-4df5950d210f",
"value": "svhost.exe|273045ac9e57532ba524a2ecedcbfad2"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1581716959",
"to_ids": false,
"type": "filename",
"uuid": "5e4715df-4998-4523-8c9e-4ce4950d210f",
"value": "svhost.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1581716959",
"to_ids": true,
"type": "md5",
"uuid": "5e4715df-4850-473f-8c5a-4a77950d210f",
"value": "273045ac9e57532ba524a2ecedcbfad2"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1581716959",
"to_ids": true,
"type": "sha1",
"uuid": "5e4715df-b024-4298-b3e5-40bb950d210f",
"value": "ec134601a565676b3f4fbcaf1783b0673176fc5b"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1581716959",
"to_ids": true,
"type": "sha256",
"uuid": "5e4715df-b5fc-4aaa-8b41-466e950d210f",
"value": "5597d2864836aad7d1c701805def0372c1e43d58372b1a4259e05152462e0755"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1581716959",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5e4715df-a308-49ab-af87-4fd0950d210f",
"value": "51712"
}
]
}
]
}
}