2023-06-14 17:31:25 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "0" ,
"date" : "2023-04-13" ,
"extends_uuid" : "" ,
"info" : "QUARTERRIG - Malware Analysis Report" ,
"publish_timestamp" : "1682166797" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1682166784" ,
"uuid" : "04e8bb1e-b445-40a6-a68a-1ce85e32d229" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:tool=\"QUARTERRIG\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "tlp:clear" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A l A A A A F Q C A Y A A A B w C k D Y A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X e c F F W + 8 P / P q e o 0 e Q Y G m C G N 5 G A g C 6 I I s k o w I w Y U B W R 5 U A E D r F 6 z u O q u 6 y K C o o I S B E y 4 i m F A C S p J E E E Q l C B 5 y J N T T + p Q d c 7 z R 0 + 3 P T C 4 c q / z / L z 7 O + 99 z f Z M V 9 U 5 p 6 p L 6 t s n C i m l 4 n e m 1 C 9 J C i E i f 5 / 6 + x + L Q i k Q I v S K E g g B n E 0 5 p Q 1 C Y G M A Y N q A B A y F M h Q I E M K o P f f w d U G F 8 g 79 B q L 653 c i V f U p K R A K F A p h / L Y M b N s m a A W p C l Q S H x u P I U x Q Y J r m 71 d A T d M 0 T f t f Q N R V A C W l D G V w S g A S D q I M o / Z A 4 v 87 C q k s l B I I J E L Y I N w I f n s 5 r e p L a U g b J R S y O l o x D S N y z r U F U O H g y b Y l p j J B K Y R T h I I b A b 9 r B G U p Q K A U K K E Q 5 t k F s 0 o p h B R I p V B C V p / T H y 0 Y 1 j R N 0 7 S 65 a i r h H N z c 1 m / f j 0 + n 4 + Y m B g A g s E g D R s 25 L L L L g s 9 i O v w w a u i / l + o U / I J V b 1 U //7LAbnZFbz11kcMuPxiuvVoH9qmQhtVOJAJxR/Vm1RkF6FCQUmgymbHlgNs/mEvxUWVJHrcZLROpc+l51MvLZFQZY9CVOevqmuYpC3JPlnIV0u/5ebbBhOb5EKKIAbOM56dUAIlasa/QtU8p9CbkRPBDkq2bdmBJ9bNuZ06gARlhncWvxwfSfaX9JUAIQVFuV5O5mXT4dw22MioGigVdWh1WpFrV122cOFqfCTqlGOq86rOXv1ycOijq75vQr+fcu7Rx2qapmlaHamzaqCUlPpYlmTSpAdp2rQ57dq1o169esyZMwfLslDVsciv/fxPSAVBbJTyo6REKhtbKgKAUhLs6loY6UdioSSUCZu3v8vjaJEPIRVSAkqhpAwlKCWquqbKUgpb2SBtbFWJlDbZx3OZ9uoH/OT1culNvRn9yE1cf88gRHpDps/+nOM7c1FShSqBlCQobCxAKkkQReb3BTz17lYK/UEUEpQTvwCFjSKIX4BEoWyFkgGUVASxQUqElKAkKBuwQscoCwiCCoKUSGz25hby+Kyv+PDrHWBYIGR16qFcVCgHbFSo+dH+5bwVfsqtIC98+A13PvUvvFYQIQxsFcpRIUFaKKqqy1J9/VQQlAVKIuzTP1mlQKogtgJsO5Rv9ekQShWpVOg8lAztzy83ilX9eaNCzZ7yd7h/NE3TNO3X1FkNlNvtonnz5ng8Htq2bUO9eimcf/75xMfH/7LTr1UT/A+fgKYC03ZimQ4MZUOVwjQUhjuAwIE0LAJ+G4cNptuJNCVNG9YjNSUVw+VEGSAMi4ByYFRKDAcINxioUJAScBJ0CZSQOGQsRbllzFywkWuHD+DC5qkYwiZolWN6kmh2SSs6tEvn/Q82MKldGtIlcCiBYdmhfkRCgKm48uKmTJ9pIhQY0gAkpjRBGKBMPNW1OUoYGMqBbdqYmASFgUvaSGGBcGBKo/riSpSykMKBwsAMKto3SaVr5w6UKT9+w4FTSkwpcIT7XCmFIIAy3NW1WwopBKZtoIQHp0txw+CefLFsG0IZmBbgCKJwIIVB0FAI5YnULiplYiBASKRQYFgIZdZoGhXVVUamCmI5JA4ZxLBdobwdCoWJqQQoB5ZpYwMmBsoIBUuhykGFLezqv8x/c3NpmqZp2v9MnQRQ4YfnLw/RUN+ZzZs306tXL3Jzc1n6+ec0bNSQHTt20KtXL/r27cuKFSvYuXMnUkpuG3YrGRkZ7Nu3j2XLljFw4EBWrVqF1+vl7rvvZtu2bXz11VcMHTqUbt26IaUkMzOT5ORkLrvsMqQATAtTwYeL1vDzwSICgSq6XdCca4f246vPv2PjzqOUllTRt2Ua144egMOhQjVKUmIh8BcG+OzjDRw8mUtMVQV/vud6ktOT+WL5Tr7beoh4l0HvC5rQ68rOvJ25nj6DOnFhiwbYtmT9V7v46eAxUhPrcWzvfv488RbSMhI4lldIRlo8y1bs5uChQqyqMm4ZcjH1WjUChxOCAUzTpLQ8wLpvtpORnIy3pIwfv9/H9cP7Yztt1n68iYx29ehzxYUoh5P8rCK2bDmIr6SY8y9oQbse7cAU+Iuq+G7tTmTQR8s26TiTY0hr3hiFjRObrC1H2LFhOxcN6kZ6m1Qqiyx+/vEgTds2Yvf3h+jzp05IJflpQxbeonK69DuH+k0a4DYsnCpAWX4Ze37YRbM2zUjv0ASQ+Isq2f/zSfwBP207tiClUTwBn+L4oeOkNUjjyL6DtO7aDtNjRvrBWQIKj5WTl51HalwSDdo3wjRABATHjxdQmFtCi1ZpxNbzYEgDWVZBpdciITmB44eP06BRKrFJMeRn5WMri4at0sHpOLsBAJqmaZp2FuqsCS8cPAUCAT755GPeeOMNXnrpJZRSlJSU8Nb8t5gxYwa5ubns3buX+fPn8+2333L33XeTlpbG7bffTkFBAdu3b+ef//wnCxcuJCkpiQ8//JAHHniAPXv2IKVk3LhxVFRUoJRixYoVbNy4ESllqC+OsMgp8TP3w/UMv2cwfYddzm6/TX5hFc+9u5lrhw3iqlsG8Nf311JcWo4SEmWAZdkY0mD6619gJCQybMRgvj0hef7Vj8ktqeL1t5Zw+7grOOeiDqw5XoavDIoDNn/q1AKhAnzw3jdkbtjHjSMHcqjC5pNth3DEmrRo3pijJ4rZ/FMOr3+4houu681x4OmX38NlC5wBkEGFbSh2Hy9k8owV/P3t7/gqr4rPT1jc+fgC3lm5jx89cYz/x+fsOVRKlQUPvvAp5Wn1KM1oxp1Pz6a0wkJagkenLCA3xYPZsS03PzSbaW+vpbDciwObrTtyeeOrHSzcXsjdT8wiaDn5YNlWbpowh8mvrWXSm2vZ8HMO06Z9xr4AbCmuYNjIaeTmlmEZBrneAA/N+ISJC7Zw5cgXWbXyRyyfyZ/v/ydrcsv5dOsJ7n5oOr6AYsnyHVxzx195ePpKhj35Lzb9tD80mACFUoqda3fx+pwlbDzpZeRDs/h65RaginffX8krC9fzxZ6j3HnvLH7afJSyyiCTnvmU0Q/NZurCjdz7zHvcfs8UVm48wv3TVzJkwius+3YPugZK0zRNq0t1FkApJREC3G4nF17Ygx49etCmTRsMw6Bjx46c26EjVw4azCvTX2bkHSOYO2cONw69keTEJG69ZRh+v59PPvmE/v37k5yczKg7RzH89tu56pqrqZdan3vGjWP8+PF4vV68Xi8Oh4MZM2bw8MMPYxhGdc8ZG1wmhcTw7GNvkHgihxEDupOQYHDXmKuxsvPYtmYrBQVVlPsCGMJCBBROw6S4vJJPv/qe3Udy+Oyzb0ltmU5Rg4ZYpsE+r4+3p7xHp5Q4hl5zAYdzvWS0aYJw2hw97GXm4m8Yf++VNPQIcnJz6Xt5T+LckkpvBbZT4EhO5LohA4gt8RL02uw6XorfoQg4JbYIYBiKbh3SyDgnnQt7tuKh0b25b2xfDhV5GTPiUp4ZdwX1mqez61gePqVo1KM1FzdPp5ktOZlbRG5RKTneSpZ8s59Lu2ZwaftGZLRM5ZzWzamXnIx0uGnXsgF/+8tV/O3JIfx0KJ+yKotrr74QI8XJdVf24P25E3A5LDbtPIydn0+My8NefxyrtxzE9oPL6eCJe4fw8fv3ceHQQbw+dxV5/gDlSc2544pOXP+nrny/p5SSiiB9Lz8fO7khF/TJYNab93Puea2QQmEriT9oM/nVpVx9+wBuH9KVXkP7s7vU4kRWJbM/Wc9/PXA1E0ZdzmVDLuXBKW/jNl2079Keo+Vwww3dmf7qRLaeFOwr8DJ16giuuPpyFi/7sa5ua03TNE0D6jCAglALitPppGnTpnTp0oUHH3ywxrB3j8eDYRiUl5eTn5cfmvJICDweD+eccw6lpaWRaQ9M0xHqJ2OamKYZ2e+XvAQulwuHwxFKXxgI5SEtxs3Ml/9MsFlL/s8zi1jxwWqwYO/a1azfe4RuAy/ClWjgMJ1IHBj4cDgEhVUW/mCQUcO6M+Hegbz89ACm3z+QJoluZk+9hy3lsQwdO42D3+wmp7
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1681974807" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "be23fc18-9ba2-41ba-b517-52b492232869" ,
"value" : "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG.png"
} ,
{
"category" : "External analysis" ,
"comment" : "phishing email containing a PDF with a link to ENVYSCOUT delivering QUARTERRIG" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 6 A A A A J J C A Y A A A C 0 + V p P A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X d 0 V N X a w O H f t P T e e w h J C B B K Q u + 9 K Y g o o G J D U B Q E Q R S x A F I E E U F Q F J D e O w r S Q X q x U E I I T W o K k E B 6 Q u q 0 8 / 0 R G A g J i l c F P n 2 f t e 66 z N n 77 L P P n p l 43 t l N p S i K g h B C C C G E E E I I 8 Q 9 T P + w K C C G E E E I I I Y T 4 b 5 A A V A g h h B B C C C H E A y E B q B B C C C G E E E K I B 0 I C U C G E E E I I I Y Q Q D 4 Q E o E I I I Y Q Q Q g g h H g g J Q I U Q Q g g h h B B C P B A S g A o h h B B C C C G E e C A k A B V C C C G E E E I I 8 U B I A C q E E E I I I Y Q Q 4 o H Q P u w K C P G w p a e n k 5 e X 97 C r I Y Q Q Q o h y O D o 64 u 7 u / r C r I Y T 4 m 6 g U R V E e d i W E e J h 69 e r F g g U L H n Y 1 h B B C C F G O v n 37 M m P G j I d d D S H E 30 R 6 Q I U A o q O j e f v t t 3 F 2 d n 7 Y V R H i g T p //jwjRozggw8+ICoq6mFXRwghLLKyspg8efLDroYQ4m8mAagQgKenJ+3bt8fb2/thV0WIB+rQoUNotVoaNWpE27ZtH3Z1hBDCIjk5mUWLFj3saggh/mayCJEQQgghhBBCiAdCAlAhhBBCCCGEEA+EBKBCCCGEEEIIIR4ICUCFEEIIIYQQQjwQEoAKIYQQQgghhHggJAAVQgghhBBCCPFASAAqhBBCCCGEEOKBkABUCCGEEEIIIcQDIQGoEEIIIYQQQogHQgJQIYQQQgghhBAPhASgQgghhBBCCCEeCAlAhfiXuZGby5BBb/FC96f5btWKh10dIYQQQgghLCQAFeJfZvPGDeTn5dJ/0ACmfTkFs9n8sKskhBBCCCEEIAGoEP86tra2XE5KIjMjA5MEn0IIIYQQ4hEiAagQ/zKR1auj1VmRm5tL0xYtHnZ1hBBCCCGEsJAAVIj/5xRFwWw2oygKJpOJrZs2kpJ8Fa1Wy8YffuD8ubMAmM1mGY4rhBBCCCEeKu3DroAQ4s9TFIW8vDwuXjjPxfPnycrKxNnZBTd3d3JzsnmiyxPcuHGDWrVrcfrECRIuXSIlORmT2UxgUBBhYWEEBgWjs7J62LcihBBCCCH+QyQAFeL/AUVRSv3754MH2PDDOs6eOc31a9fQqNXY2NpiMBgsc0ANBgMA2dm55ORkU1hQgJWVFQa9AV9/P9q070DHzk8SEBBY6loqleqB3psQQgghhPjvkABUiEeQoigUFhZy+tRJUq9dJzsrE4PBiJWVjoLCAhbMnkWxXk9RYSE+vr7Y2dmj1xeTmZlJbk4u9vb2FOuL0emsSLh0EVs7Ozw9vVAUhbS0NM6fPUvCpUsc3LeXrs88R15eHgX5+bi5u+Pj64efv19JD6lO97CbQgghhBBC/ItIACrEI0ZRFA798jNrVq4g5shhzGYzRcXFqFUqjEYjapWK3NxcKoaF8dob/YioUgU7Wzv0Bj3JV68yd9ZMDv/6C46ODhQUFPJ6v/40btYMd3d3FAXS0lLZt3sXSxYu4PixYyTEx2MwGsCsYGNji1anw9nFhcZNm/HKq6/h5u7+sJtECCGEEEL8S0gAKsQjJC0tlTUrVzJ/9reoUJFfUICnlxeBgUGAwpXLl8nMzKRqZDWmz5mHj49PqfNDw8JJTEjg2NEj5ObmYm1lzQs9X8HNzc2Sp0JICHXq1iMsvBLD3n+PjPR0gkNCcHR0wqDXc/36Na5evUJaWiq7tm/jzbff5rGOT8jQXCGEEEII8ZdJACrEI6K4uJj5s2bx3eqV5ObmElG5Ci+90pvwiAg8PDywtram36u9yczIoEHDhqWCT0VRyMrMJDEhgdMnT+Du4Y5iMqPVadmxbSt169cnKCgYjbbkK69Sqahdtx5BwcFcuXKFbs88yxNPdSXvxg3SUq+zb/du1qxawcXUVKZP/QoPD0/qNWj4sJpGCCGEEEL8S0gAKsQjIi72GMuWLKKooJBOTz7J0OEj8PT0KtXzaFbMqNVqsnOyuX7tGleSEjl+/BhnTp3CbDbh5e1NUlICKODg6IDBYGDf7p2cPhlLRnoGgUEVqFWnLhXDwijIL8BoMKK5Wb6XlxdeXl5UDA2lTr36PN65M31efolLFy8wc9o0QsPCcffweEitI4QQQggh/g0kABXiEbFh3VpMJhMqtYrX+r2Jl5c3BoOB+EuXOBkXS25OLjdyc0EF+/fsBgU8vNwJrxRO4yav4ebuRmFhIYd+/QWDQY+9ozeXExPx9vWm34A3KSwsJCkxidOnTnPk8C/EX0rgWkoyZrOZ47HHWLJwPhVCKlKteg1cXF2pGlmNrs8+y/SpX3Hp0nniYo/Rsk3bh91MQgghhBDi/zEJQIV4BGRmpHPh/HmsdDoURcHR0YntWzaz88ft2DnYElktEl9/L7o+241lC5eQnZ1NZmY6PXu/jLvH7UWCNGoNPt4+XDp/kYRL8Wg0anx9fQGwtbUlonIE4ZXCOXrkKN+vXo3JZKJ6zRq07dAGjUrNieNH+X71SipVrkKTZs3x8vZBAUwGEydOxNGsZSs0Gs1DaiUhhBBCCPH/nQSgQjwCzGYFrVaDg6Mjqvx8Jk/4lIqhIbzc6yW8vG8Pw42sFklOdg4rli4nMCgAW1vbUuXorKyoEVWT/IICIqtVZemiJdRvUL9UHrVaTWhoKH7+/lxPSaHnq69Qt149AOo1bIC+WM+Rw4f5ftUKTp44gaurK2bFjEatfiBtIYQQQggh/r3kiVKIR4C9vT2eXl44u7hga2vDhQvnadysKd4+3qXmgBbkF5CUkETN6Jps2biFkydOkJ2dDYDJZGLzhg0kJiTi4+NNaFgY4eHhbN+2nWMxMSiKAkB6WhpbN2+hqKiY4JAQjh+LtaQBWFlb0bBxI2pG1+TE8eN4eXthb2+Hf0AgaglChRBCCCHEXyA9oEI8Amzt7KhVpx47t29Hr9fTpl07vLy9yuQ7c/o0aWmp2NrZ4uzizPer1qDWanju+R6kJCdz+NfDOLk4E3PkKMlXk7G2seVyUhKJCQkoZoXi4mKWLV6K0WDA3d2NvLwbpKelc+niRSqGhlqCXZVKRXStaCpUDCEpPpHwiEpUrVZdtmIRQgghhBB/iXRnCPGIeLxTJ0LDK5WsZJuYxJyZszl37hy7duzkRm4uVy5fZtniJahVarKzsnB0cqRewwYUFRWxZdNmNvywnrS0NPz9/HB2dkGlVuPt44mDowOXzl9k7Xffs+67tYSFhxEUHISdnR0Gg4GU5BRWLV9JZmYmKckpbNm4mTNnzjBl4hfY2tri6ORIoyZNCQ0Le9hNJIQQQggh/p+THlAhHhFOzi70fPU1jvzyM95+Pvx0YD/XUlIoLiril59/wUqnA1S4e7hz+tQ1TEYzsceO4erqio+PD2dOn6F6zRpkZWXh5+/HqZOnCAoOpLiomHoN63Nw3wE6PfkEMUdjMBgMFBYUYDKa8A/w5+L5C6xctpzLiZfR6/WYzCYqVYrAx9eXrKwcOj35lCw+JIQQQggh/jLpARXiEaHRaGjX4TEGDH6Xa8nXOH3iFOGVKpGfn09+Xh4///QzlatUJjAokPoNG5KVlUXF0DCee+F5iouLyc7Kxmwy4efvz+XLSRQVFpJ8NZlq1auRkJCAWqPG1s6Wl17piZOzM1qdjiZNm2Jvb4+7pwd7d+3BZDKi02kJ8A9g29at+PgG8P6wEYRHRDzs5hFCCCGEEP8C0gMqxCPExsYGGxsbunR7hitXLjN/zlwiq0XSum0bTsadoKi4mIDAAHb8uAO9Xs/CefNZvngJhUVFAOzY9iO7d+xCUcy4uLoRd+w4J2LjMBqNFOuL+XLSFKysrQEFKysrrK2tadKsKefPn8dkMvP4E52YOf1bThw/Sb0GDXiqe3ecnJwfbqMIIYQQQoh/DQlAhXhATp88wbjRo5g6YybuHh6/mzcqOprR4z7jwyGDyUhPY+WyFRQVFbFh3XpQFHQ6Kzy9PbG3t6e4uBgnZydQqTAajJiMRoqKiki9nopGq8be3h5rrHGzccdg0GM0mrC3s0dv0BNz9ChHDx8BFTg5ObFy2QpUqOj67HP0eq3PfQ
"deleted" : false ,
"disable_correlation" : true ,
"timestamp" : "1681974916" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "62d53d4b-3875-4440-8ce0-9a51ba56547d" ,
"value" : "PDF containing a link to ENVYSCOUT.png"
} ,
{
"category" : "External analysis" ,
"comment" : "PDF containing a link to ENVYSCOUT" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A 2 k A A A J Z C A Y A A A A z h X 2 / A A A A B H N C S V Q I C A g I f A h k i A A A I A B J R E F U e J z s 3 X t Y F O X 7 P / D 3 L i C H R U B F E A H F M C Q J 9 Z M i i K h c C q G Z J 0 Q x z T O m f U w T 7 W u Z Z Z m W d v n 9 Z H k o T 1 C S K Y S H r 4 c 8 m 1 K Z Z 9E8 K y i o H A S 1 P K C o y P 37 g 9 / O h 2 U X m J k 9 M O j 9 u i 6 v S 5595 t l 7 n r n n m X l 2 d 2 Z U R E R g j D H G G G O M M a Y I 6 p o O g D H G G G O M M c b Y f / E k j T H G G G O M M c Y U h C d p j D H G G G O M M a Y g P E l j j D H G G G O M M Q X h S R p j j D H G G G O M K Q h P 0 h h j j D H G G G N M Q X i S x h h j j D H G G G M K w p M 0 x h h j j D H G G F M Q n q Q x x h h j j D H G m I L w J I 0 x x h h j j D H G F I Q n a Y w x x h h j j D G m I D x J Y 4 w x x h h j j D E F 4 U k a Y 4 w x x h h j j C k I T 9 I Y Y 4 w x x h h j T E F 4 k s Y Y Y 4 w x x h h j C s K T N M Y Y Y 4 w x x h h T E O u a D q A q p a W l K C 0 t h V q t h l q t N v i a l Z U V V C p V j c U m 9 v 2 J C E + f P o V K p Y K V l Z X B O v f v 38 f l y 5 d x 69 Y t e H p 6 w s / P r 9 L 2 p N Q 1 l p j Y K 9 L 2 j 7 W 1 f o p J j b 2 w s B D n z p 2 D o 6 M j W r d u X W U M U t q + f f s 2 r l y 5 g j t 37 q B x 48 Z o 0 a K F S X K p p K Q E A A z m x t O n T 0 F E Q l 9 q + 7 Y q F e s a 2 h 8 q t m + o 3 x l j j D H G W C 1 B C t a n T x 8 C Q I 0 b N 6 Y n T 57 o v P b u u + 8 S A N q 2 b Z v F 4 t m x Y w e 9 / f b b 9 M o r r 5 C 1 t T U B o B 9 //FHUshEREQSA2rZtq/fa8ePHqVevXkKb2n/+/v60d+9e2XVNparYDXny5Ak1bdqUmjRporPdpMb+5MkTGj9+vE59Ly8v+vXXX/XqSmn78OHD5Ofnp1MPAL3wwgu0detWSX1TUXp6utDe9OnTdV4rLi4mJycnAkBdunQhIqLU1FS9OCr+69ixIxERrV+/ngDQ0KFDDb737du3Sa1Wk6enp1HrwBhjjDHGalat+Lg9NzcXmzZtQnR0dI3G8e2332Ljxo1wc3ODp6cnsrOzRS23cuVK/Pbbb5W+vmfPHuzcuRN9+/ZFeHg46tatiz///BMrVqxA9+7dsX//frRt21ZyXVOoLnZDVq9ejezsbHzzzTc63+hIjf3jjz/G4sWLERERgcmTJ+PatWt4//330bt3b5w4cQK+vr6y2i4oKIBarUZ8fDx8fX3h5OSEEydOYMmSJejduzf27duHjh07GtVvderUQUpKCmbPni2Ubd26FcXFxTr1mjdvjvHjxxts488//0R6ejq8vb0BAJGRkahTpw727NljsP6vv/6K0tJS9OzZ06jYGWOMMcZYDavpWWJVtN+kOTs7U0REhM5rNfFN2v79++nSpUtERDR9+nRR36QVFBRQgwYN6MMPP6z026ijR49Sbm6uXvncuXMJAMXExMiqaywxsVdUWlpKAQEB5OrqSkVFRTqvSYm9sLCQ7OzsyNvbmx4+fCiUJycnEwAaPXq07LafPn1qMPYffviBANCAAQOqXc/KaL9J69WrFwGgY8eOCa8NHDhQKNd+k1aZgoICcnV1JWdnZ7p+/bpQrv1W8+zZs3rLjBs3jgDQxo0bZcfPGGOMMcZqXq24cciwYcOwZ88eXLx4UVT9I0eOYNy4cYiIiEDv3r0xb9483L9/3+g4QkND0bx5c0nLxMfHw9PTE//+978rrdO2bVt4eHjolffr1w8AcO7cOVl1jSUm9oq2bNmCM2fOYMKECXBwcNB5TUrs27ZtQ3FxMYYMGQI7OzuhvH///nB2dsaGDRtQWloqq+3Krufq0qULAODatWvVrmd1/Pz80KZNG6SkpAAAHjx4gC1btiA2NlbU8hMmTMDNmzcxf/58eHp6CuXab8l2796tt8zu3btha2uLbt26GR0/Y4wxxhirObVikjZ8+HDY29tjyZIl1dZNTExEcHAwVq1aBbVajWvXrmHq1Klo27YtCgoKLBDtf+3YsQOrV6/GokWLRN9wo7wHDx4AANzc3ExaVwy5sX/55ZfQaDR45513RC9jKPZjx44BANq1a6dT19raGv/6179w+/ZtZGVlyWq7Mn/++ScAICAgQFTc1YmNjcXPP/8MANi0aRNKS0vRu3fvapfbtGkTUlJS0KNHD4wcOVLntcomaVevXkVGRgbCw8Oh0WhMEj9jjDHGGKsZtWKS5uzsjDfeeAM//PADHj58WGm93NxcvPPOO3B3d8e5c+ewc+dOpKen46uvvsLFixfx3nvvWSzmBw8eYNy4cRgyZAg6deokq42VK1cCAAYOHGjSutWRG/vvv/+O/fv3Y8yYMahfv77o5QzFrr3eT3s91oEDB5Cfnw8AwjdLYq4JrKpfCgsLsX37dqxfvx4ffvghxo4dCx8fH8yYMUN07FWJjY1FVlYWDh06JEy66tatW+Uyd+7cwdtvvw1nZ2csW7ZM7/UXX3wRL774Ivbt26dzV8hdu3YBAF+PxhhjjDH2DKgVkzQAePvtt/H3338LPx8z5Oeff8bDhw8xfvx44eQeACZOnAgvLy/8/PPPwjcr5jZjxgzcvn0b8+bNk7X8gQMHsGjRIvzrX/9CXFycyeqKITf2uXPnwsbGBpMnTxa9TGWxa3+eqtFosHbtWoSGhqJdu3YgIjg6OgIA7t27J6ttrUOHDqFHjx7o378/5syZg5deegn79+9HkyZNRMdflWbNmiEoKAjLli3Dtm3bRE2g33vvPeTm5uKrr76Cl5eXwTo9e/bE3bt3ceTIEaFM+80aT9IYY4wxxmq/WjNJa9u2LYKCgvDdd99VWuf48eMAgM6dO+uUW1lZISwsDI8ePcLZs2fNGqc2jq+//hqffvopGjVqJHn5a9euYcCAAXBxccG6deuqfOaV2LpPnjxBcXGxzj8iMlnsp06dwtatWzFkyBCdCXJVxMauvSbNwcEBKpVKiLuqZ5qJaTs4OBjbtm3Dzz//jKlTp+Ls2bMIDg6uNEfE9mF5sbGx+P7772FlZYVevXpVWXfv3r1ISEhA9+7dMWrUqErrVfzJIxHh119/hb+/P1544YUq34MxxhhjjClfrZmkAWXfph0+fFiYjFX0999/AwDc3d31XtOW3bp1y3wBouwhzmPGjIG/vz8mTJggeflbt24hKioKd+7cwS+//IJmzZqZpO7QoUNhb2+v82///v0mi/3LL7+ESqXC1KlTRdWvLnbtt2VFRUV4/fXXcenSJeE6taKiIp06UtvWatiwIbp3744BAwbgyy+/xPbt25Gbm4sxY8YYrC+mDyvSfnv22muvVXmt2IMHDzBmzBg4OTlh+fLlVbbZuXNn1K1bV7gV/19//YWCggL+Fo0xxhhj7BlRK56TpjVo0CBMmTIF3333ncETXhsbGwD/PYkvT1tma2tr1hgfPHiA48ePo27duvDx8RHKtXci/Ouvv+Dl5YU+ffpg8eLFOsvev38fr732GjIzM/HLL7+gffv2lb6PlLoAEBMTA39/f52yij/rkxt7VlYWUlJS0Lt3b7z00ktVxiE29qZNmwIo+0asffv2OnfVzMnJ0akjte3KhIWFoUWLFvjzzz9x7949vevHxPRhRd7e3jp3oazMRx99hMzMTKxYsaLSnzlq1alTBxEREfjll1/w4MED/qkjY4wxxtgzplZN0uzt7TF8+HAsW7bM4PU92onFlStX8Morr+i8dvnyZQCGT+xNycbGxuBt1ouLi7Fx40Y4OjoKk4GKr/fu3RvHjh1DamoqIiIiKn0PKXW1YmJiEBMTY5bY//d//xclJSX44IMPqo1DbOzaB08fPXoU/fv3F8pLSkqQnp6O+vXr60wkpbRdlZKSEgCodJJWXR/KcfjwYXzzzTeIiorC6NGjRS3Ts2dPbNiwAX/88Qd2794NJycnhIWFmTw2xhhjjDFWA2r0KW3V0D7MWvsAaSKi8+fPEwBycnLSe5j11q1bCQD17t1bp50rV66QWq0mX19fg++zevVq8vX1pVatWomOTezDrLXy8vIqfSD048eP6fXXXyeVSkUrV66ssh0pdU2lqtgLCgrI3t6+2oczE0mLXerDrKW0nZWVZbB8z549pFKpyN3dvdIHXldH+z
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681975186" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "e20ecd02-442f-4d1c-b7dc-48bb74bebf09" ,
"value" : "PDF containing a link to ENVYSCOUT2.png"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "768398f7-2ecd-4752-b4d4-e22de7a17c9f" ,
"value" : "pateke.com/auth/login.php"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "4f3a3552-4374-4692-be62-2dac7a60ea12" ,
"value" : "pateke.com/index.php"
} ,
{
"category" : "Network activity" ,
"comment" : "COBALT STRIKE Handler URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "1980ede0-18fe-4e78-a433-d85419354fdf" ,
"value" : "gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu"
} ,
{
"category" : "Network activity" ,
"comment" : "COBALT STRIKE Handler URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "37294cb6-221f-4348-a3a6-ab46ed3adc83" ,
"value" : "gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "f99cfe00-4d03-4ed2-8112-9a89d16d9251" ,
"value" : "sharpledge.com/login.php"
} ,
{
"category" : "Network activity" ,
"comment" : "URL to ENYVYSCOUT used to deliver QUARTERRIG" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996407" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "3084badc-4ea2-4550-a683-0c6088c4b2ba" ,
"value" : "sylvio.com.br/form.php"
} ,
{
"category" : "Network activity" ,
"comment" : "Domain used to host ENVYSCOUT" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1681996407" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "df942350-ff5f-4008-ad1d-14cecf33fabd" ,
"value" : "sylvio.com.br"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1681910172" ,
"uuid" : "740c4b3b-f5d6-42dc-9264-c225348060f5" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1681910172" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "4d5a0f62-4b12-4a01-93c9-f7bfd2bcf2e7" ,
"value" : "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1681910172" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "09ecf644-ca85-46d2-82c8-2c8071ec53dd" ,
"value" : "QUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1681910172" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "614630de-e0c1-47df-b8e3-bec6d33033f2" ,
"value" : "Report"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " J V B E R i 0 x L j c N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E 1 O C A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + L 0 1 l d G F k Y X R h I D E 1 N T I g M C B S L 1 Z p Z X d l c l B y Z W Z l c m V u Y 2 V z I D E 1 N T M g M C B S P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A z N i 9 L a W R z W y A z I D A g U i A x N S A w I F I g M j Q g M C B S I D I 2 I D A g U i A y N y A w I F I g M z E g M C B S I D M z I D A g U i A 0 M C A w I F I g N D E g M C B S I D Q y I D A g U i A 0 N C A w I F I g N D Y g M C B S I D Q 3 I D A g U i A 0 O C A w I F I g N T A g M C B S I D U x I D A g U i A 1 M i A w I F I g N T M g M C B S I D U 0 I D A g U i A 1 N S A w I F I g N T c g M C B S I D U 4 I D A g U i A 1 O S A w I F I g N j A g M C B S I D Y z I D A g U i A 2 N C A w I F I g N j Y g M C B S I D Y 3 I D A g U i A 2 O S A w I F I g N z A g M C B S I D c y I D A g U i A 3 N S A w I F I g N z Y g M C B S I D c 4 I D A g U i A x N T E g M C B S I D E 1 M y A w I F J d I D 4 + D Q p l b m R v Y m o N C j M g M C B v Y m o N C j w 8 L 1 R 5 c G U v U G F n Z S 9 Q Y X J l b n Q g M i A w I F I v U m V z b 3 V y Y 2 V z P D w v R m 9 u d D w 8 L 0 Y x I D U g M C B S L 0 Y y I D k g M C B S L 0 Y z I D E x I D A g U i 9 G N C A x M y A w I F I + P i 9 F e H R H U 3 R h d G U 8 P C 9 H U z c g N y A w I F I v R 1 M 4 I D g g M C B S P j 4 v U H J v Y 1 N l d F s v U E R G L 1 R l e H Q v S W 1 h Z 2 V C L 0 l t Y W d l Q y 9 J b W F n Z U l d I D 4 + L 0 1 l Z G l h Q m 94 W y A w I D A g N T k 1 L j M y I D g 0 M S 45 M l 0 g L 0 N v b n R l b n R z I D Q g M C B S L 0 d y b 3 V w P D w v V H l w Z S 9 H c m 91 c C 9 T L 1 R y Y W 5 z c G F y Z W 5 j e S 9 D U y 9 E Z X Z p Y 2 V S R 0 I + P i 9 U Y W J z L 1 M v U 3 R y d W N 0 U G F y Z W 50 c y A w P j 4 N C m V u Z G 9 i a g 0 K N C A w I G 9 i a g 0 K P D w v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 x l b m d 0 a C A x M D Y y P j 4 N C n N 0 c m V h b Q 0 K e J y 9 W E t v 2 z g Q v g v w f + B p I R U w z e G b R V H A d b P Z F h s g j b 3 o I e h B T R T X g N d J F T e F //3OyI/KlhQ/oq4PgkkONd98M5wZsdfP55O79GbO3rzp9efz9OZbdsuue6P7hy+90eIh612m48ksnU/uZ73hj69zmvorS2+z/O1b9u79gH3vRIIL+nnvgAlmguFKMq+BB8nyrBN9fsVmnejdqBP1/gQGwIVmo7tORNKCAZPBceuYC5Y2jv5FufOhY+NHfDUbFyO/Gp13ouuYJV2ND1v+84WNPnaiM9TxqRO1gEmB5ArKmAooGwSn6UNZdnYxYKx3SYRfDD68Z6I9Ip3gXmrmrKAde0BXgMBpQCQDw4OtBSIN9/ZoILJ9IMJyfTwjqj0gSlnuArPe8uCPBqJbZ8Rax40+Gog5DYh6BogOXB2Nw7aPQ3oejsbhTsWhakEYH2pAfEoA4n8S0HE/ARNfJSDjEQ3PElDLYfH4QMPzPYh9S4ilxiMFDYj30RZOA6EZ+FraMOGZFQpujCtW83F5dFXgukinP9M8Y/1ZOl08UvWYJC5+ZFfZw32eqHj+ojpSgSeN5tocDm9vhi7Viu4SGUjp/BoQKthGON1MFNLgFQBNbm3eXloaVDizQYXEwmNLGrbErBKkDqe/daK7V2safzdapO/lcIcNrEOVde0hHGyHlMKVNAthrN1ZWtnBPdCKF371pCiRWvGA2qznOhQWWV1MaMe1L16sPLUCRhfhRhMm4ASeTmu4to3e+L+soOhuzYwmL8mKl0RQ4eBoExaEMiUDtXfW766VToehrpV1g+cO1/D1yv8aTtfrgH2kd00e+I0IifITIDaxq6pnAKyFU6NHOS1dQ/SUMyQhNIZJDAtUYbXgGmu4Bb48/kph7LAubHTKoLmRaCMGzm4aqhq1bquA/Km04c5gP6K5ckxivxYwqLDIFXme3iFo/SeldyL3efnhSt93erHlQIKeK10IKrQBPIX0rxKyBazUZh22e1OA5HbXaRRHVztjuK02ex/vJ0lXxjMqfCy9fVrWQ5x5xGLYVfGCfaXR4nWlKr4IlEZvSdkEam8NtC1zIzW31W+UCyKgIGNKj+LfPM0XbHD/Y5boeJ5h45BPSKrgj4bTbfFxliwXb7LExGyY5U/FPA5b5dPIwDEPNBiyl0/XMp8i1H1q/dGuzQpbKvycalC212bfrs0Ws46oUj84I3df0WOEYcAxbC7/bpmHAOT0BgA7PNRSsW7FqZWm08AtggFHXT0eUMy96+wXPStRyncOs7OnWwi0QBeCimGNt7oh28lSV3vI3g0V1fsPpNDTgqr5JgFV3Bb18Sw+oCfyyXR5e7Trj5dBIN3YV9ZBYFT7qOyNbq5jKaRqW7UydLdQb/3eOxdo2Qlec1+T3p+AE+2iZdup1RCNShvOwX9tHwzpDQplbmRzdHJlYW0NCmVuZG9iag0KNSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMS9CYXNlRm9udC9CQ0RFRUUrUmFqZGhhbmktUmVndWxhci9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgNiAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDEyNS9XaWR0aHMgMTUyNiAwIFI+Pg0KZW5kb2JqDQo2IDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREVFRStSYWpkaGFuaS1SZWd1bGFyL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDkzMC9EZXNjZW50IC0zNDYvQ2FwSGVpZ2h0IDkzMC9BdmdXaWR0aCA0NzcvTWF4V2lkdGggMjQzNi9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViA0Ny9Gb250QkJveFsgLTQxNiAtMzQ2IDIwMjAgOTMwXSAvRm9udEZpbGUyIDE1MjQgMCBSPj4NCmVuZG9iag0KNyAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL2NhIDE+Pg0KZW5kb2JqDQo4IDAgb2JqDQo8PC9UeXBlL0V4dEdTdGF0ZS9CTS9Ob3JtYWwvQ0EgMT4+DQplbmRvYmoNCjkgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjIvQmFzZUZvbnQvQkNERkVFK1ZlcmRhbmEtQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTAgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAzMi9XaWR0aHMgMTUyNyAwIFI+Pg0KZW5kb2JqDQoxMCAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RGRUUrVmVyZGFuYS1Cb2xkL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDEwMDUvRGVzY2VudCAtMjA3L0NhcEhlaWdodCA3NjUvQXZnV2lkdGggNTY4L01heFdpZHRoIDIyNTcvRm9udFdlaWdodCA3MDAvWEhlaWdodCAyNTAvU3RlbVYgNTYvRm9udEJCb3hbIC01NTAgLTIwNyAxNzA3IDc2NV0gL0ZvbnRGaWxlMiAxNTI4IDAgUj4+DQplbmRvYmoNCjExIDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YzL0Jhc2VGb250L0JDREdFRStSYWpkaGFuaS1TZW1pQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTIgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjEvV2lkdGhzIDE1MzIgMCBSPj4NCmVuZG9iag0KMTIgMC
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "report-file" ,
"timestamp" : "1681910172" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "02357ebb-25a1-41d6-9d4d-13f9da6885e5" ,
"value" : "QUARTERRIG_.pdf"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1681991395" ,
"uuid" : "4a911505-85c5-4496-8eb6-75cea522ed00" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "comment" ,
"timestamp" : "1681991395" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "633cd9a2-ca79-4625-af22-b65c73d60e86" ,
"value" : "A rule that can be used to scan for QUARTERRIG"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1681991395" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "2b544d42-308e-47a7-8692-fb8b5f37b6ba" ,
"value" : "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1681991395" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "85308947-6c2f-4f91-ad0c-fa8c2657127d" ,
"value" : "rule apt29_QUARTERRIG {\r\nstrings:\r\n$str_dll_name = \"hijacker.dll\"\r\n$str_import_name = \"VCRUNTIME140.dll\"\r\n// 48 8B 15 39 6A 00 00\r\nmov\r\nrdx, cs:api_stuff.OpenThread\r\n// 48 8D 0D FA 68 00 00\r\nlea\r\nrcx, api_stuff\r\n// 8B D8\r\nmov\r\nebx, eax\r\n// E8 3F 25 00 00\r\ncall\r\nload_api_addr\r\n// 44 8B C3\r\nmov\r\nr8d, ebx\r\n// 33 D2\r\nxor\r\nedx, edx\r\n// B9 FF FF 1F 00\r\nmov\r\necx, 1FFFFFh\r\n// FF D0\r\ncall\r\nrax\r\n$op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 }\r\n// E8 A0 25 00 00\r\ncall\r\nload_api_addr\r\n// 48 8B CB\r\nmov\r\nrcx, rbx\r\n// FF D0\r\ncall\r\nrax\r\n// 83 F8 FF\r\ncmp\r\neax, 0FFFFFFFFh\r\n$op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF }\r\ncondition:\r\nall of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1681991395" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "785cb298-a86d-4427-82b6-a3eaf1b0342a" ,
"value" : "apt29_QUARTERRIG"
}
]
} ,
{
"comment" : "Virtual disc container\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1682059182" ,
"uuid" : "7d3d282a-c84f-48a1-9af5-8c0b43a0851e" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "7d3d282a-c84f-48a1-9af5-8c0b43a0851e" ,
"referenced_uuid" : "10cee96e-441a-48ea-8585-049029d4c157" ,
2023-06-14 17:31:25 +00:00
"relationship_type" : "contains" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1681992238" ,
"uuid" : "a672ee02-fc5a-49f1-b37d-9d14c097a648"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681991513" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "362efc29-7bca-45f1-b191-60d69b535dee" ,
"value" : "52932be0bd8e381127aab9c639e6699fd1ecf268"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681991513" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "0cece2d3-a8b7-4b74-adcb-b282afcbd152" ,
"value" : "22adbffd1dbf3e13d036f936049a2e98"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681991513" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "372b5e10-5c66-454b-b75c-608da87e23d8" ,
"value" : "c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681991513" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2ffe8eed-4a34-41e4-b87e-53027730c97a" ,
"value" : "Note.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681991513" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5704e0b6-7390-4cd4-a7c5-ba08ba675eeb" ,
"value" : "2624000"
}
]
} ,
{
"comment" : "Legitimate executable used to load the malicious DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681992221" ,
"uuid" : "10cee96e-441a-48ea-8585-049029d4c157" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681992221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "90e43385-693b-484e-8b5b-2e4ced41b6ea" ,
"value" : "b260d80fa81885d63565773480ca1e436ab657a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681992221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "dffb75fe-0dd0-4235-b0ba-65f0228f0b82" ,
"value" : "b1820abc3a1ce2d32af04c18f9d2bfc3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681992221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "91c7344c-0978-41c6-8385-2cd767879d3a" ,
"value" : "6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681992221" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "1b5d194b-bbf5-4d6a-a49b-cb97750d62b4" ,
"value" : "Note.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681992221" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d2071a01-366f-4356-8058-19882aa738d1" ,
"value" : "1600000"
}
]
} ,
{
"comment" : "QUARTERRIG - loader\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681993008" ,
"uuid" : "204c3d9f-6da0-426d-9609-db8c99dd8f8c" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681993008" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "d78e679b-15f2-4c3a-aad8-654af79ab880" ,
"value" : "ca1ef3aeed9c0c5cfa355b6255a5ab238229a051"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681993008" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "811d8f92-2ede-4b7d-b3fd-bc7c37b992b8" ,
"value" : "db2d9d2704d320ecbd606a8720c22559"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681993008" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "dcf6912a-38af-498e-9044-73f305e585d2" ,
"value" : "18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681993008" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "ad7ebdbe-b5ff-4eaa-93de-c0479b0821f6" ,
"value" : "AppvIsvSubsystems64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681993008" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "8d1b385d-d638-493d-84a1-4711b2592e09" ,
"value" : "28000"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681994371" ,
"uuid" : "7546b1a9-3633-4f46-99e2-d27bb8db276a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681994371" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "9825b370-667f-4a13-b9b0-d4640f5b9635" ,
"value" : "02cd4148754c9337dfa2c3b0c31d9fdd064616a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681994371" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "46517152-0a51-462d-abc3-393182355a4c" ,
"value" : "166f7269c2a69d8d1294a753f9e53214"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681994371" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "9b38ea28-f516-4ed8-9461-72c4ea85a158" ,
"value" : "3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681994371" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6b2c7c54-7839-4e82-bf0f-499a5d976e44" ,
"value" : "bdcmetadataresource.xsd"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681994371" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d73eec0c-fa3e-4c8a-a013-9f32c58f1b93" ,
"value" : "456000"
}
]
} ,
{
"comment" : "Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681994539" ,
"uuid" : "20d5700b-21da-4c3e-9425-c5b87b5f83aa" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681994539" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "76fc036c-b16a-4472-90de-44a868a26a6e" ,
"value" : "86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681994539" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "42daa2b6-666d-4ad8-a45b-82701fab7955" ,
"value" : "1609bcb75babd9a3e823811b4329b3b9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681994539" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6d5f01e0-64b6-4bf4-ba4c-a1c31af51be4" ,
"value" : "91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681994539" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "f7aa82b6-250f-4fda-9419-a37c4e1addfe" ,
"value" : "Invite.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681994539" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "3339b0d7-542a-426e-a19a-abfd5341f2e6" ,
"value" : "6464000"
}
]
} ,
{
"comment" : "Legitimate executable used to load the malicious DLL" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681994789" ,
"uuid" : "f80de271-05af-4413-8087-9d553c54805e" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681994789" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "6032acd2-c6ad-4cd7-b8b9-db3c6b5ed1ab" ,
"value" : "15511f1944d96b6b51291e3a68a2a1a560d95305"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681994789" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "b11fea69-a551-4265-a2c2-c93c11f46ac7" ,
"value" : "d2027751280330559d1b42867e063a0f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681994789" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "327ed2ab-8e5d-4e58-a797-d0e75cfac1c2" ,
"value" : "35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681994789" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "86b6aca7-39da-4a9e-bf5a-c68792e41a88" ,
"value" : "Invite.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681994789" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "f0dc5614-f9ec-4d2f-902b-963d0e367f2f" ,
"value" : "5380000"
}
]
} ,
{
"comment" : "QUATERRIG loader" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681994834" ,
"uuid" : "0d5b228d-17ff-48e1-bb83-24e34292ea06" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681994834" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "4328a381-96c4-41d4-b1ec-ed981f712341" ,
"value" : "b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681994834" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8d0c94e4-4335-4e17-9dad-715f0f896022" ,
"value" : "bd4cbcd9161e365067d0279b63a784ac"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681994834" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "ee216de3-486a-4c0a-9fa2-9d6976f58884" ,
"value" : "673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681994835" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2b4b9249-c404-49e0-bde6-fd2e056e23e2" ,
"value" : "winhttp.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681994835" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "39a6c2c0-3b7d-4328-be1c-4730674b5855" ,
"value" : "32000"
}
]
} ,
{
"comment" : "Encrypted resource containing the second stage" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681994920" ,
"uuid" : "d940713b-8e68-4bbd-9164-ed43afc83c11" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681994920" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "ac923975-efa2-4a0d-8d1a-81b28aea7769" ,
"value" : "1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681994920" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "91571441-ccf1-4427-a170-abb70c77efcc" ,
"value" : "8dcac7513d569ca41126987d876a9940"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681994920" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "75fa73b5-5d6b-447b-88f2-4079e3854535" ,
"value" : "9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681994920" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "414c3694-038b-4eef-aa2e-246138ae0d2e" ,
"value" : "Stamp.aapp"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681994920" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "7afeb201-5617-47c0-9760-e80be558d356" ,
"value" : "460000"
}
]
} ,
{
"comment" : "Virtual disc container" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681995198" ,
"uuid" : "21b857c6-1d55-4625-9b08-56c9fdc205da" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681995198" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "ef2f20b6-fc7b-422b-a717-b6ebdfb57eeb" ,
"value" : "bacb46d2ce5dfcaf8544125903f69f01091bc3d6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681995198" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1ee4d70f-be1b-4779-befd-579cb32a9691" ,
"value" : "3aca0abdd7ec958a539705d5a4244196"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681995198" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "015c70dd-9d2f-4d84-826c-373f0780899e" ,
"value" : "10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681995198" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2dfacdb0-36e4-4f12-b508-61620dc8e5e9" ,
"value" : "Note.iso"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681995198" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "f0602b0c-5da8-4556-8b45-434b312116fa" ,
"value" : "2688000"
}
]
} ,
{
"comment" : "QUATERRIG loader" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681995316" ,
"uuid" : "c75bccc6-e3ca-4a25-b0ff-5aea24f1c0b8" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681995316" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "18f43634-4d59-4a39-b76e-4998d5fe40b2" ,
"value" : "6382ae2061c865ddcb9337f155ae2d036e232dfe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681995316" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "67c70fc8-3e82-416a-bf91-cea62036025b" ,
"value" : "9159d3c58c5d970ed25c2db9c9487d7a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681995316" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "f3fb3353-f4b6-42df-80c3-13e07dab3413" ,
"value" : "a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681995316" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "7a798b5b-7c39-441f-963b-2f0c1a2fad8c" ,
"value" : "AppvIsvSubsystems64.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681995316" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "6eac8432-e78c-4c9d-a6ef-50d79dfddf8f" ,
"value" : "26000"
}
]
} ,
{
"comment" : "Encrypted resource containing the second stage" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1681996267" ,
"uuid" : "202f9cfd-1b59-4f2d-a113-27e6822b693d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1681995527" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "0a97819f-0625-49a8-8c4b-01f3d6b20ad7" ,
"value" : "bc4b0bd5da76b683cc28849b1eed504d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1681995527" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "a805e824-66b8-4224-b048-91cd8f715325" ,
"value" : "15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1681995527" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "0545b6b6-b8ee-4082-9154-d0aa41024bbb" ,
"value" : "bdcmetadataresource.xsd"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1681996267" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "9357b409-877c-4409-91ee-82217978d290" ,
"value" : "489757"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1681995527" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "bf5e04fe-25a2-415f-b086-50b8c1b7580f" ,
"value" : "b3ff6376baa180cff13ae76672c669cc8f45c130"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1681996431" ,
"uuid" : "553fd38b-e053-4632-867f-377e6746a81d" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG C2 Domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1681996431" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "4c6cd59b-dcef-4527-8835-fa521362cc1b" ,
"value" : "sharpledge.com"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG server IP" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1681996431" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "52f53f7a-dbd2-4dca-8194-e6170d7b3fba" ,
"value" : "51.75.210.218"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1681996454" ,
"uuid" : "b0de75d1-a729-49aa-a586-1fe80813422b" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG Domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1681996454" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "20911b2a-5d5e-4c9c-877e-1bd617c8e3f8" ,
"value" : "pateke.com"
} ,
{
"category" : "Network activity" ,
"comment" : "QUARTERRIG server IP" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1681996454" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "071d3d06-3974-41e5-b672-b8f0932e3426" ,
"value" : "85.195.89.91"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1681996465" ,
"uuid" : "e659ce38-dba5-438c-a7c7-900052726ad8" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "COBALT STRIKE C2 Domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1681996465" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "d53e8072-db06-4f54-ac08-20e73033cc80" ,
"value" : "gatewan.com"
} ,
{
"category" : "Network activity" ,
"comment" : "COBALT STRIKE C2 IP" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1681996465" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "18f047b9-e868-41ac-9c76-41b337cd5c43" ,
"value" : "91.218.183.90"
}
]
}
2023-06-14 17:31:25 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-06-14 17:31:25 +00:00
}
