{
|
|
|
|
"Event": {
|
|
|
|
"analysis": "0",
|
|
|
|
"date": "2022-06-03",
|
|
|
|
"extends_uuid": "",
|
|
|
|
"info": "CISA - MAR-10382254.r1.v1: XMRIG Cryptominer",
|
|
|
|
"publish_timestamp": "1657285160",
|
|
|
|
"published": true,
|
|
|
|
"threat_level_id": "3",
|
|
|
|
"timestamp": "1657285147",
|
|
|
|
"uuid": "65475a3f-5488-4cf8-b9da-29714522e9ae",
|
|
|
|
"Orgc": {
|
|
|
|
"name": "CIRCL",
|
|
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
|
|
},
|
|
|
|
"Tag": [
|
|
|
|
{
|
|
|
|
"colour": "#ffffff",
"local": "0",
|
|
|
|
"name": "tlp:white",
|
|
|
|
"relationship_type": ""
},
|
|
|
|
{
|
|
|
|
"colour": "#004646",
"local": "0",
|
|
|
|
"name": "type:OSINT",
|
|
|
|
"relationship_type": ""
},
|
|
|
|
{
|
|
|
|
"colour": "#0071c3",
"local": "0",
|
|
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
|
|
"relationship_type": ""
},
|
|
|
|
{
|
|
|
|
"colour": "#0087e8",
"local": "0",
|
|
|
|
"name": "osint:certainty=\"50\"",
|
|
|
|
"relationship_type": ""
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload installation",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "yara",
|
|
|
|
"uuid": "641fa3ef-2015-4b92-b3b3-0313a0991173",
|
|
|
|
"value": "rule CISA_10382580_03 : loader\n{\n\tmeta:\n\t\tAuthor = \"CISA Code & Media Analysis\"\n\t\tIncident = \"10382580\"\n\t\tDate = \"2022-05-02\"\n\t\tLast_Modified = \"20220602_1200\"\n\t\tActor = \"n/a\"\n\t\tCategory = \"Loader\"\n\t\tFamily = \"n/a\"\n\t\tDescription = \"Detects loader samples\"\n\t\tMD5_1 = \"3764a0f1762a294f662f3bf86bac776f\"\n\t\tSHA256_1 = \"f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab\"\n\t\tMD5_2 = \"21fa1a043460c14709ef425ce24da4fd\"\n\t\tSHA256_2 = \"66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16\"\n\t\tMD5_3 = \"e9c2b8bd1583baf3493824bf7b3ec51e\"\n\t\tSHA256_3 = \"7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751\"\n\t\tMD5_4 = \"de0d57bdc10fee1e1e16e225788bb8de\"\n\t\tSHA256_4 = \"33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b\"\n\t\tMD5_5 = \"9b071311ecd1a72bfd715e34dbd1bd77\"\n\t\tSHA256_5 = \"3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0\"\n\t\tMD5_6 = \"05d38bc82d362dd57190e3cb397f807d\"\n\t\tSHA256_6 = \"4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f\"\n\tstrings:\n\t\t$s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }\n\t\t$s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }\n\t\t$s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }\n\t\t$s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }\n\tcondition:\n\t\tall of them\n}"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload installation",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "yara",
|
|
|
|
"uuid": "a74a5821-adea-4928-888c-446a8f6139f3",
|
|
|
|
"value": "rule CISA_10382580_01 : rat\n{\n\tmeta:\n\t\tAuthor = \"CISA Code & Media Analysis\"\n\t\tIncident = \"10382580\"\n\t\tDate = \"2022-05-25\"\n\t\tLast_Modified = \"20220602_1200\"\n\t\tActor = \"n/a\"\n\t\tCategory = \"Remote Access Tool\"\n\t\tFamily = \"n/a\"\n\t\tDescription = \"Detects Remote Access Tool samples\"\n\t\tMD5_1 = \"199a32712998c6d736a05b2dbd24a761\"\n\t\tSHA256_1 = \"88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8\"\n\tstrings:\n\t\t$s0 = { 0F B6 40 0F 6B C8 47 41 0F B6 40 0B 02 D1 6B C8 }\n\t\t$s1 = { 35 41 0F B6 00 41 88 58 01 41 88 78 02 41 88 70 }\n\t\t$s2 = { 66 83 F8 1E }\n\t\t$s3 = { 66 83 F8 52 }\n\tcondition:\n\t\tall of them\n}"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Object": [
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "552050cf-9862-4a84-abe7-be19b0fcb40c",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "5572ea86-f3c7-4a77-8364-66c05f1e68ba",
|
|
|
|
"value": "2.888609"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "1f5530da-6cdf-48d6-bd2f-3f65cdc7476f",
|
|
|
|
"value": "e16f93c6b1a062a1dc2156fc770594a6"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "da928245-c200-41e9-b44b-1a10e1f77bf3",
|
|
|
|
"value": "1024"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "38d3f402-7138-4d9e-a066-c90809f4fd3d",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "404a5362-df0b-4d92-8902-89b53d1cbb06",
|
|
|
|
"value": "c4466c75f41681629fc2ead156f8de84"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "e76db6eb-e73a-4ef1-8e07-8c589a8373a7",
|
|
|
|
"value": "6.36696"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "e91cebbf-7307-481f-ad13-e820c39b3642",
|
|
|
|
"value": ".text"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "5ec66341-b1fe-45ae-aec3-23f38bdb092d",
|
|
|
|
"value": "89088"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "37451b48-fd01-4426-81d8-d16f5d58378a",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "694b9a3c-6e19-48f7-a865-1428dfd235de",
|
|
|
|
"value": "4d9a0bcd9467b5aaee5d4d762219821b"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "2f53c04f-20d0-4710-954d-fb68345ead90",
|
|
|
|
"value": "4.425938"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "53e8a07a-3727-4260-9abb-3aa204be3528",
|
|
|
|
"value": ".rdata"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "7d33a13d-6383-46be-985d-d4c4eb64d749",
|
|
|
|
"value": "65536"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "f0df9767-1e75-411d-aa29-e8d51e3a77c8",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "73d3da59-0f1a-4653-a977-8e988c6c7f33",
|
|
|
|
"value": "f80417eeab656641c6a5206454b398d3"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "c6357bab-e251-45d4-91ab-fae03942a2bb",
|
|
|
|
"value": "3.054858"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "8fb7f595-8954-4c9f-825d-7e6488f49a2d",
|
|
|
|
"value": ".data"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "3e688ed3-a9a8-47e2-a761-9e172ab710e8",
|
|
|
|
"value": "6656"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "59f7ed84-9e24-4ea9-9760-128dac98151e",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "721bb295-8f44-4b12-84b6-4fd8fd56c830",
|
|
|
|
"value": "e0d2510e666231c532ff97edf51abd10"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "98b0ef2b-6c2f-4dfc-8c46-0d8314292751",
|
|
|
|
"value": "4.855993"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "ff6cf6d9-6a24-460f-bdd3-9c1c4f40c150",
|
|
|
|
"value": ".pdata"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "5ba1319b-46c7-46f3-b4d1-9f60328158cf",
|
|
|
|
"value": "5120"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "da2b0c70-0190-4317-9d7a-aa85152262b1",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "e656390d-7139-4964-8710-c26abeb1f2bd",
|
|
|
|
"value": "fff7f8f7be38486e0a6d01bc0472a6f2"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "ce84c090-d2b9-4260-b8c9-133ffd99e56b",
|
|
|
|
"value": "7.914631"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "9b370b63-006b-4961-80bb-0a60440bef53",
|
|
|
|
"value": ".rsrc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "44236a67-a8a8-4bca-be5b-b2fae9d7b51f",
|
|
|
|
"value": "550912"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "f1e39514-9883-499d-ab28-495417d1bdf2",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "0331b0e0-a46f-43ce-8933-05db4babcd7a",
|
|
|
|
"value": "bca539afcd691a4a238b78fc830dc55a"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "379899d6-3638-4e14-8100-39c54db85487",
|
|
|
|
"value": "4.939573"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "42c42cd4-47c3-4db1-87b7-6bc5f3ff6862",
|
|
|
|
"value": ".reloc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "21295eea-0785-4145-b250-5734e8d9a841",
|
|
|
|
"value": "2048"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe",
|
|
|
|
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
|
|
|
|
"template_version": "7",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"ObjectReference": [
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "552050cf-9862-4a84-abe7-be19b0fcb40c",
|
|
|
|
"relationship_type": "header-of",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "fc767bbc-9b57-4c5d-aad5-921b010eea7a"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "38d3f402-7138-4d9e-a066-c90809f4fd3d",
|
|
|
|
"relationship_type": "includes",
|
|
|
|
"timestamp": "1657285120",
|
|
|
|
"uuid": "9c24796a-a120-47d6-a134-a2d1708ce383"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "37451b48-fd01-4426-81d8-d16f5d58378a",
|
|
|
|
"relationship_type": "includes",
|
|
|
|
"timestamp": "1657285120",
|
|
|
|
"uuid": "c483ccdf-d563-44f4-8550-d70e4d171014"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "f0df9767-1e75-411d-aa29-e8d51e3a77c8",
|
|
|
|
"relationship_type": "includes",
|
|
|
|
"timestamp": "1657285120",
|
|
|
|
"uuid": "f3a6569e-148c-49b9-bbdb-0755f938ccb3"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "59f7ed84-9e24-4ea9-9760-128dac98151e",
|
|
|
|
"relationship_type": "includes",
|
|
|
|
"timestamp": "1657285120",
|
|
|
|
"uuid": "21fe6a13-6d48-4eb0-b5bf-ea608d37643a"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "da2b0c70-0190-4317-9d7a-aa85152262b1",
|
|
|
|
"relationship_type": "includes",
|
|
|
|
"timestamp": "1657285120",
|
|
|
|
"uuid": "6b13e189-40eb-43fb-8db8-9b662a4f53c9"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "c85dfd77-f937-49dc-a669-9e736e11ff23",
|
|
|
|
"referenced_uuid": "f1e39514-9883-499d-ab28-495417d1bdf2",
|
|
|
|
"relationship_type": "includes",
|
|
|
|
"timestamp": "1657285120",
|
|
|
|
"uuid": "afb923c6-3ef5-48d7-bd8e-1f49ab665fef"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "internal-filename",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "b3cff1d9-032c-425c-97ca-0f5cd19b0c36",
|
|
|
|
"value": "hmsvc.exe"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "original-filename",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "7074b359-96fd-4b25-893d-6c2ddb8065cf",
|
|
|
|
"value": "hmsvc.exe"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "number-sections",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "counter",
|
|
|
|
"uuid": "ac09e84b-10e0-48d6-9e85-68708caf08ee",
|
|
|
|
"value": "7"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "fdc564ff-f19c-4ae1-9dc9-c38592bb474f",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "d4c92425-95e5-47f3-9aa9-67890979a55a",
|
|
|
|
"value": "0.893865"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "4c0a8e46-5432-4bf5-b53b-7d43b7a5a8b0",
|
|
|
|
"value": "60df3f67c31781bbec2444de6daf8a2b"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "8b369916-3128-4939-b596-1bf1678b2ec5",
|
|
|
|
"value": "4096"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "aab40fbf-9f1e-4aed-ae37-5b30beecef34",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "618e6bd6-cce6-4202-b0f0-06faaea64ecc",
|
|
|
|
"value": "9ebe1be469e63ff47601b0c714285509"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "0e582204-8bf0-482f-a27d-bced4b6c39f2",
|
|
|
|
"value": "6.393378"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "63ad10a8-08d4-44b3-a09b-d47500ed5515",
|
|
|
|
"value": ".text"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "bf8ab005-68c1-4b0d-9d71-cbcfa092201a",
|
|
|
|
"value": "327680"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "d1b20988-10e4-4b66-a1f5-a8e5ff9cd971",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "50e1a5b0-af7a-4e28-9ded-36b0604ba7f2",
|
|
|
|
"value": "1cb5bcc8bcade2b3ddee4dc6c617824a"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "0adf2170-661c-4b3e-b981-65630af1d8c4",
|
|
|
|
"value": "4.552154"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "c5e58159-9778-4ee9-bc16-6b9c370754cb",
|
|
|
|
"value": ".rdata"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "797632eb-599f-4e8e-8e3c-59df131fc952",
|
|
|
|
"value": "110592"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "aaa8348a-7826-4ffc-aea8-f0b566a14be3",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "cfe06662-8dd9-4b92-b8ba-f45fdf499174",
|
|
|
|
"value": "e89305f8c6e571d82fb370f352192aa2"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "fbd038ba-eeea-4d28-bcba-d58bad0b5892",
|
|
|
|
"value": "3.781076"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "8a77563a-a603-4080-89a8-6e4e9f1a978f",
|
|
|
|
"value": ".data"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "f26193ec-4cae-408f-8bd0-106a9fc566fa",
|
|
|
|
"value": "20480"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "b9dd2f0b-8afc-48f6-9e7d-91e5903c769a",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "55dda9bd-fbf6-4b4b-98f1-77a72a29635b",
|
|
|
|
"value": "ca8c03d7af637fa213b44d065c073c75"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "fe8af98b-2bf6-4755-809a-fbcf941badf6",
|
|
|
|
"value": "5.309842"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "ddd0e9c4-8996-4b05-baf4-1d7c8bdc7d40",
|
|
|
|
"value": ".pdata"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "6ede7e9d-d429-4924-98bc-f8459c0728f7",
|
|
|
|
"value": "20480"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "5a1cabbb-8aea-4b82-8ee5-e9b12d77007f",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "8f449681-c325-4774-8b80-79128c97cf9f",
|
|
|
|
"value": "bab9a0fee3d912c3b866d3ca88b47510"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "7140c032-5dcf-4b17-aa5e-77991c91b7f6",
|
|
|
|
"value": "0.256806"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "76ad4eb8-bc1e-4958-a8eb-b1c6da0e2d2f",
|
|
|
|
"value": "_RDATA"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "5c2874f0-14ce-48b5-a5c9-9849763bd541",
|
|
|
|
"value": "4096"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"uuid": "d1fbdd38-0eb0-4fff-87b6-b5a64e744245",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "c9198317-63ec-4e25-b93b-fb82abfb4a1c",
|
|
|
|
"value": "9a68c3f572ae2b201926c193eeed1cab"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1657285119",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "16bb3fbe-4de4-4bc1-baa5-2f0c2c6386de",
"value": "4.894447"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "name",
"timestamp": "1657285119",
"to_ids": false,
"type": "text",
"uuid": "af5e6899-33c3-4ee7-8b5f-b68f5075319d",
"value": ".reloc"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1657285119",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "e9c430a7-ddf5-4a1b-9a0f-a7750bd464d6",
"value": "4096"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"name": "pe",
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"template_version": "7",
"timestamp": "1657285119",
"uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "fdc564ff-f19c-4ae1-9dc9-c38592bb474f",
"relationship_type": "header-of",
"timestamp": "1657285120",
"uuid": "32446404-062c-40e0-a377-4ad92e1ec42c"
},
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "aab40fbf-9f1e-4aed-ae37-5b30beecef34",
"relationship_type": "includes",
"timestamp": "1657285120",
"uuid": "783f999c-9089-4714-9f07-8d03151f6494"
},
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "d1b20988-10e4-4b66-a1f5-a8e5ff9cd971",
"relationship_type": "includes",
"timestamp": "1657285120",
"uuid": "bc11599d-c638-4447-aa80-03c50cb15cf9"
},
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "aaa8348a-7826-4ffc-aea8-f0b566a14be3",
"relationship_type": "includes",
"timestamp": "1657285120",
"uuid": "2a861b05-d7b0-4679-b64f-3465f9815a89"
},
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "b9dd2f0b-8afc-48f6-9e7d-91e5903c769a",
"relationship_type": "includes",
"timestamp": "1657285120",
"uuid": "98756e34-8591-4db0-ac37-440b2db5004c"
},
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "5a1cabbb-8aea-4b82-8ee5-e9b12d77007f",
"relationship_type": "includes",
"timestamp": "1657285120",
"uuid": "05601290-9bfd-4a67-acd9-b9492237dbc3"
},
{
"comment": "",
"object_uuid": "e74bf036-36f8-45b7-bb24-45d0b463f8a5",
"referenced_uuid": "d1fbdd38-0eb0-4fff-87b6-b5a64e744245",
"relationship_type": "includes",
"timestamp": "1657285120",
"uuid": "a63f8e48-3ae7-48b3-aab2-b07934b9184a"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "internal-filename",
"timestamp": "1657285119",
"to_ids": true,
"type": "filename",
"uuid": "e57ad087-999d-401f-a896-0896bb9c69b2",
"value": "658_dump_64.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "original-filename",
"timestamp": "1657285119",
"to_ids": true,
"type": "filename",
"uuid": "b82f6bcb-9e90-4724-b865-57b332479a96",
"value": "658_dump_64.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "number-sections",
"timestamp": "1657285119",
"to_ids": false,
"type": "counter",
"uuid": "3e1329d0-a6d0-40e5-a108-4fa620f9066e",
"value": "7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Object describing the original file used to import data in MISP.",
"meta-category": "file",
"name": "original-imported-file",
"template_uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5",
"template_version": "2",
"timestamp": "1657285121",
"uuid": "0fb740ae-44c9-4467-b143-82705bc768d2",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": true,
"object_relation": "imported-sample",
"timestamp": "1657285121",
"to_ids": false,
"type": "attachment",
"uuid": "413d5781-869d-4628-95ce-1ac97aeec504",
"value": "MAR-10382254.r1.v1.WHITE_stix.xml"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1657285121",
"to_ids": false,
"type": "text",
"uuid": "c2394ab1-c81b-4039-ac5e-98cc4288f397",
"value": "STIX 1.1"
}
]
}
]
}
}