{
"Event": {
"analysis": "0",
"date": "2020-06-12",
"extends_uuid": "",
"info": "Dharma Ransomware Event",
"publish_timestamp": "1592742388",
"published": true,
"threat_level_id": "3",
"timestamp": "1592742357",
"uuid": "5ee3822c-6828-418c-b619-62de950d210f",
"Orgc": {
"name": "The DFIR Report",
"uuid": "5e9e5d86-5b94-4ff6-b07e-4e3e950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:malpedia=\"Dharma\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:ransomware=\"Dharma Ransomware\"",
"relationship_type": ""
},
{
"colour": "#000000",
"local": false,
"name": "Ransomware",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "rdp actor login source",
"deleted": false,
"disable_correlation": false,
"timestamp": "1591968666",
"to_ids": true,
"type": "ip-src",
"uuid": "5ee3839a-07e0-4533-8ed9-fe83950d210f",
"value": "217.138.202.116"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1591973283",
"to_ids": false,
"type": "yara",
"uuid": "5ee395a3-54c0-4f88-a035-433e950d210f",
"value": "/*\r\n YARA Rule Set\r\n Author: DFIR Report\r\n Date: 2020-06-12\r\n Identifier: dharma-06-12-20\r\n Reference: https://thedfirreport.com/\r\n*/\r\n\r\n/* Rule Set ----------------------------------------------------------------- */\r\n\r\nimport \"pe\"\r\n\r\nrule vssadmin_Shadow_bat {\r\n meta:\r\n description = \"dharma-06-12-20 - file Shadow.bat\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878\"\r\n strings:\r\n $s1 = \"vssadmin delete shadows /all\" fullword ascii\r\n condition:\r\n uint16(0) == 0x7376 and filesize < 1KB and\r\n all of them\r\n}\r\n\r\nrule Network_Scanner_post_exploit_enumeration {\r\n meta:\r\n description = \"dharma-06-12-20 - file NS.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446\"\r\n strings:\r\n $s1 = \"CreateMutex error: %d\" fullword ascii\r\n $s2 = \"--Error mount \\\\\\\\%s\\\\%s Code: %d\" fullword wide\r\n $s3 = \"-Found share \\\\\\\\%s\\\\%s\" fullword wide\r\n $s4 = \"--Share \\\\\\\\%s\\\\%s successfully mounted\" fullword wide\r\n $s5 = \"host %s is up\" fullword ascii\r\n $s6 = \"Get ip: %s and mask: %s\" fullword wide\r\n $s7 = \"GetAdaptersInfo failed with error: %d\" fullword wide\r\n $s8 = \"# Network scan and mount include chek for unmounted local volumes. #\" fullword wide\r\n $s9 = \"####################################################################\" fullword wide /* reversed goodware string '####################################################################' */\r\n $s10 = \"Share %s successfully mounted\" fullword wide\r\n $s11 = \"Error mount %s %d\" fullword wide\r\n $s12 = \"Failed to create thread.\" fullword ascii\r\n $s13 = \" start scan for shares. \" fullword wide\r\n $s14 = \"# '98' was add for standalone usage! 
#\" fullword wide\r\n $s15 = \"Error, wrong value.\" fullword wide\r\n $s16 = \"QueryDosDeviceW failed with error code %d\" fullword wide\r\n $s17 = \"FindFirstVolumeW failed with error code %d\" fullword wide\r\n $s18 = \"FindNextVolumeW failed with error code %d\" fullword wide\r\n $s19 = \"SetVolumeMountPointW failed with error code %d\" fullword wide\r\n $s20 = \"| + scan local volumes for unmounted drives. |\" fullword wide\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( pe.imphash() == \"0b0d8152ea7241cce613146b80a998fd\" or 8 of them )\r\n}\r\n\r\nrule Dharma_ransomware_1pgp {\r\n meta:\r\n description = \"dharma-06-12-20 - file 1pgp.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b\"\r\n strings:\r\n $x1 = \"C:\\\\crysis\\\\Release\\\\PDB\\\\payload.pdb\" fullword ascii\r\n $s2 = \"sssssbsss\" fullword ascii\r\n $s3 = \"sssssbs\" fullword ascii\r\n $s4 = \"9c%Q%f\" fullword ascii\r\n $s5 = \"jNYZO\\\\\" fullword ascii\r\n $s6 = \"RSDS%~m\" fullword ascii\r\n $s7 = \"xy ?*5\" fullword ascii\r\n $s8 = \"<a-g6J\" fullword ascii\r\n $s9 = \"]q)WtH?\" fullword ascii\r\n $s10 = \"s=9uo^\" fullword ascii\r\n $s11 = \"\\\"iMw\\\\e\" fullword ascii\r\n $s12 = \"{?nT*}2g\" fullword ascii\r\n $s13 = \"h*UqD*\" fullword ascii\r\n $s14 = \"b,_f n7\" fullword ascii\r\n $s15 = \"+mm7S%I\" fullword ascii\r\n $s16 = \"+L]DAb\" fullword ascii\r\n $s17 = \"nq0<3AD\" fullword ascii\r\n $s18 = \"U2cUbO\" fullword ascii\r\n $s19 = \";C!|E2z\" fullword ascii\r\n $s20 = \"P)8$X=\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesiz
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1592308993",
"to_ids": false,
"type": "link",
"uuid": "5ee8b501-bf98-4bb7-85ff-487d950d210f",
"value": "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1591968369",
"uuid": "5ee38271-b93c-40b2-83ac-4ade950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1591968370",
"to_ids": true,
"type": "malware-sample",
"uuid": "5ee38272-0dfc-48e6-aa7e-4ade950d210f",
"value": "1pgp.exe|1ebb6bb49ac1077c5e7eba4d56f6a3a1"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1591968370",
"to_ids": false,
"type": "filename",
"uuid": "5ee38272-8150-4125-a289-4ade950d210f",
"value": "1pgp.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1591968370",
"to_ids": true,
"type": "md5",
"uuid": "5ee38272-4930-4e28-bd72-4ade950d210f",
"value": "1ebb6bb49ac1077c5e7eba4d56f6a3a1"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1591968370",
"to_ids": true,
"type": "sha1",
"uuid": "5ee38272-4a10-4864-a430-4ade950d210f",
"value": "1a37bb789c7bdda44330fd55aa292f5f76dada5d"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1591968370",
"to_ids": true,
"type": "sha256",
"uuid": "5ee38272-2f7c-4d3a-a512-4ade950d210f",
"value": "2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1591968370",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5ee38272-ec50-40fe-a33f-4ade950d210f",
"value": "94720"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1591968379",
"uuid": "5ee3827b-96ac-4da2-8d46-4ade950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "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",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1591968379",
"to_ids": true,
"type": "malware-sample",
"uuid": "5ee3827b-97a8-4dfd-849d-4ade950d210f",
"value": "closeapps.bat|9b0d6df42f879ba969f82c7a0ab48bc6"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1591968379",
"to_ids": false,
"type": "filename",
"uuid": "5ee3827b-a6d0-4abc-8104-4ade950d210f",
"value": "closeapps.bat"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1591968379",
"to_ids": true,
"type": "md5",
"uuid": "5ee3827b-4a94-4f1f-8ac3-4ade950d210f",
"value": "9b0d6df42f879ba969f82c7a0ab48bc6"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1591968379",
"to_ids": true,
"type": "sha1",
"uuid": "5ee3827b-cfc4-4646-82ca-4ade950d210f",
"value": "b5d6f94f270a02abedc7484dc7214d15d2cee99e"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1591968379",
"to_ids": true,
"type": "sha256",
"uuid": "5ee3827b-dcbc-49db-b205-4ade950d210f",
"value": "e25245f98a23596e03e51535beb0f73c000de63e473580c4c26e7b8b01b4e593"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1591968379",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5ee3827b-b2a4-462a-a4ea-4ade950d210f",
"value": "3611"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1591968391",
"uuid": "5ee38287-bc8c-462b-863d-2f22950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "UEsDBBQACQAIAFBrzFBplHUlq5IKAGh0GQAgABwAOGFkZDEyMWZhMzk4ZWJmODNlOGI1ZGI4ZjE3YjQ1ZTBVVAkAA4eC416HguNedXgLAAEEIQAAAAQhAAAAgLlZdtUm3KlH9fAxz/AuKuy8i+y7Wfg3FQ3tdIKSvBGbGWm4UIpR/IhCC57ISfV14PdBkq3t5wSzP44Az25s8Pxco0uH8enkGr+xXcIQPQqJZjqec6MgUW6a38ZRu4OUcOSJd3+r3jemIJ+xTDisNVcKTvS16r8UD/y2ZmflVxhSIBkow7L9MB4t6oA6jF78NdrZugfAgro8qQfr87hGR23kjYO7bf03ogoTS7xw0+OV2KL9nknBLZKv1/Lpz/J4BCtim+6BhenqPfcMJ9uSarP7maPfdPpTA0TL155O2fOY4sFZ79AKZURAUcg6X0fhT9GfmzqApWp89225hO6+8JK/39hEfXrOQi+riWju9i6BY4VkOOt4VHs9MRkulDXxKlCb1v9L0oiI/bZ2Uj1rDYshkyPdnVtZMVir1fKwwVJWLHo7Di6+MIRTSxmcszKIZkBojJP7Mwk2BqJy/HAwvPGudo6/rXA7y8L1+mjp80qbbV8XyNQkGLIvnwBGhTWWzV7j76b2r865yy5rScAZCZf7Xg8Aqa4aOC2VYIy2Ir8dHBKtmuYsaqQ50JMCWRjwcBjSSS7YLq++Mxqx6K/Bq6PkcG02phnPdY+Gf2p4Qk21g1pHlL7+BW13rkgJ9dymDGRgWBjV8R3CwS/qbM+WWFRMIIUlTVNArx7+jTwOpo3NRpogwFID5/l6ziunO0XXOyZHmM77Pm8H9we6xc796ujBE+jBrFCageOzghRt/tMHb7YOumhJWH0GWVAWZhAl7871bhEeTkD6PX+mD5wtqRo3ZOWl68RS14KGMI/aTDdr7pHz8vaGZhapOmB5XZHWx1haARzmSt8vpCTBT9tISv+oEg1pObV3v7pPqNkYdy5CeLBu2ak314p8MSakfh6uRoWirrIJVxG52vmFCNJkbhZ39qsQOX6SOJJBLoLjdCk83Cx1oRNyFf/AqQ5nJE95ZXHa+dpkJ5Wd0m9rFzdWlNNWHFkVyqmzlb+gyzVIPBzdNucrM7FWP8RWKYdqbA87cNZvDh/F9AzOy+PbmbNwFJymyuxcW08K7+DGXbKBnskKVZ0WRh77gkk4n3cBX+YF0XrXF6yZ/V5Yu6ceBS4ZFZ00dh/jiDLZPBhFLaMHNsC3dU1EIXjPpA/Z4uluqmj9wTZ3KonaIbeDCk3URDiJHtHEJpp9ojbjIsCm9qrWpyCFEzmcFl0CLnSq5kzu7xLw4LuRaSKLolzdnyQtd92DgY3MtmB7JU6yKtvyVN6mxWRYZeetRyAV115RDcuSocGd7Ke4PkP+Wd6SXI4tjHb09Y3McsynEF1JX11+68R2l2GYSYiK4gvdc0p0C3Pxzk815Cn3UomOLNZzS4vwOSMB33w91OzGEAPQ8+y+njH9YYZKg8MVbxmJ8nyQIJ8a6bQ7QzWMeAX26GlwT/lavrJLxzHKIXDrszT3A3E7sarn1Vm0zLGNU4eaSvd9fFI1QjrImA5sgSDRDdIDmVWggm6G/lTRuN3ZIvutAikQjV2OBtGt5mpT4DDqF33hUKZgmLP/wU5fw6B8J33uU3kyU5stiY8mxlxhDYjYiPqicDu+H9R0S/8XvxsiGWJKkzhWnOaVXSsYVeterX06hhDp8zHzUbJw2zRPWvH+cDDCFX/cLp5VZYDCXaecpMpCSbDFGwz3O21mvvYYKynGcfjPcj1Xxy98Aqu7e3xjLIgwdyi1VWeFhA3XjeExmM6JXnqJURjP/6csyvLjtV8mXlCcVmag2Up1kfOWjOjJg/q5bjriPM12zQe+ytYu6iJ15kDzy4pn1XMtrfiNPSv4StiVPTxlzsTzem/ji0GYn/z4MBEFXn63CUlKILL1+ejGjkkHJNGBggdVr6egjL+oDbl
V85izBMGRPPLsnxrFCGwt68rIG4uTK2k8cpTaLxa9WutrVH6lI/M8mn2DKnHIt9LgzEGSiTx7qWiPelMVWh7ngfwGoE0ITqlEpf9MLT43S+80s7GlTw2BIAPKnU6i4Rjn1cdPpuPvNeu/69hMB5W20/Gn7omJ+0kLhUn7PWAFpfVDDoWHRHo37yTpAmth3TEVc+guJdId6hxMzJsqLg8urs9yDk4nElbni5+l22I7p8uyEs+C2XKyIKA6Vo3Bdf1dWre+pWxszCeE0g2k3NE4TGBq+5YqmCcOm5N+kIyRLF/BTGS2hfrmBG8F0CpQdfscjO84M0AVDj56ObX8IedYPk832s+a0ub3G5D9fSbwUjSN/XWXjwTVoR5PDsLJc27ST2YAmNFaSsfoMVxQI01DP+Q+2l+veWldzrIR3dJpBu4N5XMZQA0B1D7WiMhkFmN8y+/vA/LRbLaqYPMJxfmN0mGnjpWXIM+HIwVZhuL4a5EUm3pxBSZoofdsLEEPCxciNFURI63zEKnVKz0E8BLRDDKOJo5lEN/yNcDzXIOBw23ubWYBIc8MqTcV3ug6boa6kmKXby1PfiAFLGLUv77c+hL1Io/YJyKvtFViuNoiJwgV6cEvD8wCHwnIHaWdwhQjzh531oR98S9G0N9uox3j5sGPXkBmLCYxYjeEC9Hfpnka1lTjb1SG6Lwkf7XbyokwD5eEjlmoZ6VowgkmKCW0m66ZpV9oj04wH4wKUsO1i0CDS5dwy363/40V5q/xySGVpK7IwODEvF0DXnzzMd0FXPYP24cT5jZNxnKXdKSYFVPxF5DNxDlfKjxdBhA4x4slLicjhUOkc7wRB7DWkWQ1YCzuDuk7Ec6+N1zeyMRoUKoksmWrow/FglqZg4x6LezkuHDB/FIIZx3rObBywKKK8kEEFoTvNDJiGFKEjKq6TUUylMizAOwzkRErQFI+AwKN0ArR2gGwjh7x/jgIbeAtVQvAN7SKoctDIR8dec4y6CgU59dYUPIVJ1YSO75T7klnBtwNgJofUospiv8qQmnWr/w1+/RRD+ejZRO/lfl3CHNnIAtsTVUPbA+xajOEChZFMbFTe1DtJM9RTV8weAWxvkFIQugvkyZjXFjBIOx6W2ypdL299KFZmHMsViChrcKB9XaEsd9K3LB3gv2lHNsE9QbHRTi36OXQKAkLDJ48bDi9R6ljLjBmo4DpcKnoSHbbBmqDnKH33JiNkS0p1I4P0fPl21EVqqXKQ7r0Pn7wC4Ht2sWz4Rr8+7brXFXFpd+oho+RgJJF+OSgOIXQra3Y4d28Gby4jdpJObHXPxZoiK81ljcEZM00EZwU56QlRt9NCkiqFhKteg4tw+wUqtrYbeseF+N0gTrY8LJUM3OoVFx47/fsqceBVundzjK0N7v1ELDReIW1TR1g4a+DT+oQNVYvGIGtU9woaKugu9RFlRnu05CkgxA1oM/bn4xyWzod+CE7e+jYO7bsUqFFFmLbK+cTOWQOUBUDlVwCbNzgehtjBsbasfevi3x5rxZ3gzPAjNjac2q7334Hu2zBFvA04S7MJGIIwXTaFNL9ql4/Xv6Fwnz4O9nRMWvAr5sL/bqcPQk4aAnx8rImTzSoMHrrFpATSf2VorWuEbFgNXJnTPjhHN6YQqWhyPGfvJPIjs9EgcoUtu1UGN++uw1I/M/Cg5jK4BRH+SqoVGq/j2ddoH07dNhZy7YMsAKcdFj+Vtz6dLBYhdMCICvEkUEq6g/Wo8k/nT8LTyGtddSUeslWT9pOJvEhptnM+eidFXTY7EcxwSs9uhiY/cTN5awnem1A1Xhpc/deiZ9g9/WUiQNBVZggH1hDbYWrXpVFgySPohrzZPssSWKNN69XAnIkuogSv9rH4aic7JMyGuy53XFbDIXeAalngN8Jx7il81mgl/OTdaA4qV1wOHbJajQ0VccZmh3LFmMCo1jWzgyF9lJZSp2Wo6NO5mfH/E0sbDxsjauUFybSpTo72GdiqwA
s7/peLkhtGplAvOM7fKvAnGc/1BzbP5EfLokhJRVq/mHIZ+PijioxzuMEDrKenm/CD0QcbQpvxI64cYbAfr
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1591968391",
"to_ids": true,
"type": "malware-sample",
"uuid": "5ee38287-2070-45a6-bf19-2f22950d210f",
"value": "Everything.exe|8add121fa398ebf83e8b5db8f17b45e0"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1591968391",
"to_ids": false,
"type": "filename",
"uuid": "5ee38287-548c-48a2-b751-2f22950d210f",
"value": "Everything.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1591968391",
"to_ids": true,
"type": "md5",
"uuid": "5ee38287-69bc-4257-87ca-2f22950d210f",
"value": "8add121fa398ebf83e8b5db8f17b45e0"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1591968391",
"to_ids": true,
"type": "sha1",
"uuid": "5ee38287-993c-468c-9c95-2f22950d210f",
"value": "c8107e5c5e20349a39d32f424668139a36e6cfd0"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1591968428",
"to_ids": true,
"type": "sha256",
"uuid": "5ee382ad-c730-47d5-889f-2f22950d210f",
"value": "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1591968429",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5ee382ad-d3b8-4cf8-a5ef-2f22950d210f",
"value": "1668200"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1591968458",
"uuid": "5ee382ca-87f8-4144-86b7-fe8b950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "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",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1591968488",
"to_ids": true,
"type": "malware-sample",
"uuid": "5ee382e8-4a74-407e-b704-fe8b950d210f",
"value": "LogDelete.bat|fb9c610ba195f9b18a96b84c5e755df7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1591968488",
"to_ids": false,
"type": "filename",
"uuid": "5ee382e8-98bc-47d5-8967-fe8b950d210f",
"value": "LogDelete.bat"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1591968488",
"to_ids": true,
"type": "md5",
"uuid": "5ee382e8-ab70-4fbb-bbcd-fe8b950d210f",
"value": "fb9c610ba195f9b18a96b84c5e755df7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1591968488",
"to_ids": true,
"type": "sha1",
"uuid": "5ee382e8-f860-4a21-adc6-fe8b950d210f",
"value": "5e4f2074850cce0eab4d6165807e86c88b5b8c0b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1591968488",
"to_ids": true,
"type": "sha256",
"uuid": "5ee382e8-4ba0-4fbb-9188-fe8b950d210f",
"value": "e17ca6c764352c0a74e1e6b80278bb4395588df4bed64833b1b127ea2ca5c5fd"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1591968488",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5ee382e8-2270-46dc-be3d-fe8b950d210f",
"value": "63"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1592266867",
"uuid": "5ee38314-c71c-4493-ae54-40a6950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "UEsDBBQACQAIAJprzFB8peOKDQQBAAD0AQAgABwANTk3ZGUzNzZiMWY4MGMwNmQ1MDE0MTVkZDk3M2RjZWNVVAkAAxSD414Ug+NedXgLAAEEIQAAAAQhAAAADr51GETUX5gG9yc4dxKaWgpRorkA0+YQCyCFBlVTtUs60TysWkqeV8q8bteYwUk9TDPlDomcMeFWpBbUqcN8GlAlDJQiB84pHFNM5olcXFJBiJUohtSPsXcnDGWbOu2/4fzM8kk6DoJ8oLZ1qp5wnyiATw2gkw42kYbKfpQUquk7Obx6mS+uV037GRo1NgJ+dHJlwQ0LVjTQgFErjebgRi7Vp4Zp/o+k3akYcA15FevykMMZ2kMWS+2mIyUlW5AxQseC0POvYSaGq16Mx7sTJ1v4MJbFblpBiufdDaDJCLcwHeQUEaRyxFtlwGcAXAjBSZ9Sybw0bt4ue6EeXRZLh9Dupn4mLgsIjulNALcX6iu90WhNLYEeL5BfoWxbq038GvmGdi8yuuCb+eLKpuh0/Ax1m4D0ifop+VCIBs71gZiDRZoYEaBZ+bDvHF6Ue7aj0PKO7dAzgdAJnS4QyJ+I4KrLz8o9Jf3fBjHXWyYPn9fuVnUpg8YWRsyJ0asfBfmqXmnJH4htbhGux3ysm06WSHeUXkePDxtXpOobjCPKAePSym3thlvrBwtrk5f7KVmOTJ7PqZ1pPdrhn+g4StIlEm+8X0wzW9+H1oGWx7ENgmLggvkz1ecdFxtM9zdFC7BayvyHHywGK/smFoO7swB5T2qFeJKViGonVu8d76jyuWFGuwN20lFnGtQrd/2XpKevd8Ov/2jQ5HPjq41NT4AJmPrjd0ITgQ77EnFgatO346YKuvoSrWywSWDeiwqmINO9kMlI9DeVd09AWQGK49AMM/3tsWH3XVv2Fu+IjeMcpGDN87F0VvbplG2ItKUL517fK5qqQ6RDfC3sPB5M1S8N01HHXe8bx/x0a8hgw6NRWMgZ9OxTQSzb9EZ3xsTINtgH3INqWmbRp5+8m8jMY5L/uI9wfXXKLkfdd9BkJ3+MiQye/HYIUC5UiVD3X5KxsbZRLblaNvnn2x9zbnwbIJzQ1Ou80lHu8czCJKj14Gf5ZL1Q2fi+jjMVwexf0M0iW+MQe5nSDsivxlBm0sgRRRQ/X7UUhYtD73MgVfyjw5xFvy4vtGmcB9tf+xAiHaCyw910sc6ymCe+zwUM6GPCRreFq2Ph352zKWn7xAn1NsePDoG6YZOGrejtkeXlhmiFuuwBx+FAkNlFaLn0MkyyLSK4hL7L6Gb5tZugipBRXMoz6tlRIoZVvATMogPxlYH1o6izahRmn0h8fXcz3Lffi+n8qFwqO6ZJY032gaoArfQYYzstrK2mP6L7ST15jSDKTW+mXMJoSu6T+rNHOYC0NE3IeraIjPSiWuWJ8pusIAJlGm8PLKkwLDDnvw7Bt9qYcyXvSI7346G4P43eaxaAN3+t1P1l5s9Q57BSlIXGWfeegWp8EQnGdObst2evrs0v1hXrY9kKqc3DwTtsIEykAKcdTWghRL9dRgYVwzd32YF5KsT1crCp1FStIbhW2hKPyFVSa0O+FRpaqY3V6jgaljnoc8vX9w5Zzwfu02C1Zc4vMthhg0KmUgQfEa0zD754BDGOTmxv+I7gIA33PERY8N7CgIDnmVD3SiJRsnxUrXyzwIVHv3yuotc+iLT8ZHMOcsOzzV4Sff3P4NwJQRu6SN5guDmmNT4O8XSDRG3saSiD2jOrz7I4Wp2/L1HcfhP26aEpAUV6AhtbQRmiwFrit6VOLip3OYAcwOhriZJcf2/WHKbxgQZ4+h/15xvJa94IyNSu9zsd5rVLOOuR3ijrJCSN47hpakOgrPmsXaTHnt+a/4QEn5R1kHWwIkXKgz/nEAEqpQ8lggV8adMiFO+721FOxqdRjWIV4W2wC56xs9AS9yfu5dcnJilNDNlDzNYkm/MRKRYJJ3q22R0fGMB
IBa62K4vmYpoGdrs2zEUgB8Kflxxlm6Z4jxQIp5mMT8nrYZ/aBcsV8RIQHSNpogONSKBCqyQoFH+v51l8odTBmCrOHriYku/xwctZ+Se6npK4kCkBs7J8AhjOphu6XWPlczMZTbQmkWipSPmHIRrCJfTeAvjzDdo4XakwmOsuuf963i8xwqO8ISnAtLUJjclXdS/rz9PZHv1H9yLr3KFgkTPIGVZ4C5xh30GhnegBKRxZju/mlO1wLcqGKrsYbfgLt51gtjgfhb9dD6rq7hG39ToIDnAaYEMl6ewYLGriWRoUWJeLQEU5A/YVXlL8w4kb0niejK8X67bZi/BFYKvwFCfDqN9ZAYVAPO4x9rpi7XME0oN09VLTEfdou/hvobuTOdsqfsQdNG7eHT/yAtT1vMyQZFAKFlTSMY4gYtDjvCIyzp4OF4ntedfSycCQ722f1a+1P+WKaaR+726bR05FB+ELhnbTvG3rr37rjt9ob+gRX2sna4u7aszXDqPpSWllxtsydgcyvJz3gx4ByHVKx77GEJFCADlS6ViPHI8J/em/nnZY1nNW0YEWYz6kZtIl2LGJqhYHW/jSDVRJw53N5bD+UthACjmnNL3Ae15IN6y2/w0TMsguj7VEngZLCO+TlZ4i14RBNIs6fq7cQcdowM1TGsH5OpnbcSK5pFGcpuv3eR9NnnHmRWXpdLhzmZSldwcJuFV9/uyvuTUSs0ruOL2WTSyhPAdriRyADS7a73mW2DIGkyDl3XdIJUXk4BHVZskf7ct4TtoR3dY7cW3Fq3372qyr2AuSg0b3upG5qkcBy/23xHexeeXr57mwBC37cd8R/wdDYKeVs/1+K28g2EW/LzSHMgJ5U9exVGCME8Wnk4hoZNkk8FG6dkQp4cBGJXvJ92QyY6I4utVBeGmgD1Gp09qsswQIOrOyXbGynaH2VnLX0QwhXOZEgm1W6GCCPQiZCUBUT+K194bte2RkIwAT/5BiWj6JPFEiammvLJKDYGy659kxnIyvUg5r/ximOR4jpo3qLwuCyAlc9HojF8REfuLqJbbVCWpAJq1x3gvRbDUUgU7nYZKEEmGQOZrTFOzG51Ivge0tkKCvbnvaODws98UenR5ot1DsVU4ajss7e/6XfHxdhxNXrsuBPYS4Cd1XWc7Pr0K+ejMn7yZEOKD4GtzCrDOqrOLqVFhLLQg07W0dPXoaRsKTJm8JoIzDVokqEAXbCo05ezD7wy5YM1+N7btN+zW4fEz/wV539eIULJRLj/7LJRRfer8wMF8AjaIiI3LK1fW8na2tcgs63HB79dS5xDTpBEh8e9Lsma5xtbt6BPxTMHGUdMgI9HnxYVV9eI4ibxjDhqh1mKneToy+HT6IWBHEtTaLcdVWqKE1DrHRlYJyKKwd8jfX9nUAgoNJV2shvSJiD+C3U+QdD2iFseb7Ol9RmX4X1LzcAVVB2ms2qIUeP7+kBrje6DTEYWjqpoSkHJQ1sj7+4nyo0ZBjZPcbX61Ztw9T6ArVGrwbI7YMmSuUZ9fHDEGx6AfxCWnr8K3/L+gbfMpXrZgrS1QqHWdg+WYhibk8JZF9Ad5zwmgP5HmEqiSaXGPV/Yw3WX+/12fbOFCtXtJIaQzscsbNMXyUraOlvLDc/tTV4cENmDufd2sXgwuWuys+id9QQSAoXvWo6PdUK7YwB6DwXZB3Jnd+j18Y1C7+12eZMGWjwDr4GueSIsIRCxH4qZIa/zJZ+/lE6WwLH9tge/+4YlZI/MsbFDCd8Yr3wCHfnmEnNIIZGNyUa9hpNXhBczYz5PNGbLoK3gGUIBbr3eWLmw6pV0H/bg8JBR8WrjOcyQxYBBAPx9FnQLrYlmGFcwpILUSByQ+WRi8rbNequd/KGlytwPmkyW62/+WEVRTUuodghjBLWKUMCRdqpcppnHI31XkacvCnzwe/mPZD7iatZFufWHokCc6LKXgDBMWyM0ZjNcOjd/TqQjZZ/df8TbTE/TtA69bhJPfwf1K
J0v7SR7zSfxbu7u9bIsIal6qf/lDPT4jMFZEzDL6rXAA4TV5L6aSsruaaidUfcvH2Yjw2q50ORe5IZY3nV7
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1592266867",
"to_ids": true,
"type": "malware-sample",
"uuid": "5ee38325-ed10-49c2-83f4-4631950d210f",
"value": "NS.exe|597de376b1f80c06d501415dd973dcec"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1592266867",
"to_ids": false,
"type": "filename",
"uuid": "5ee38327-b404-43a2-98ff-4ad1950d210f",
"value": "NS.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1592266867",
"to_ids": true,
"type": "md5",
"uuid": "5ee38327-b230-409e-816f-4c66950d210f",
"value": "597de376b1f80c06d501415dd973dcec"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1592266867",
"to_ids": true,
"type": "sha1",
"uuid": "5ee38327-810c-4640-9509-408b950d210f",
"value": "629c9649ced38fd815124221b80c9d9c59a85e74"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1592266867",
"to_ids": true,
"type": "sha256",
"uuid": "5ee38327-32c8-4be9-b878-4982950d210f",
"value": "f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1592266867",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5ee38327-9aac-482b-a0d6-4285950d210f",
"value": "128000"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "path",
"timestamp": "1592266867",
"to_ids": false,
"type": "text",
"uuid": "5ee81073-7ce8-486c-afc0-46cd950d210f",
"value": "%USERPROFILE%\\Desktop\\Oc\\NS.exe"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "20",
"timestamp": "1591968579",
"uuid": "5ee38343-f910-44d1-b837-fe5d950d210f",
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "",
"data": "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",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1591968611",
"to_ids": true,
"type": "malware-sample",
"uuid": "5ee38363-7220-494a-9716-fe5d950d210f",
"value": "Shadow.bat|df8394082a4e5b362bdcb17390f6676d"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1591968613",
"to_ids": false,
"type": "filename",
"uuid": "5ee38365-e114-4f76-84c0-fe5d950d210f",
"value": "Shadow.bat"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1591968613",
"to_ids": true,
"type": "md5",
"uuid": "5ee38365-f75c-466a-b8f6-fe5d950d210f",
"value": "df8394082a4e5b362bdcb17390f6676d"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1591968613",
"to_ids": true,
"type": "sha1",
"uuid": "5ee38365-c004-41a3-a747-fe5d950d210f",
"value": "5750248ff490ceec03d17ee9811ac70176f46614"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1591968613",
"to_ids": true,
"type": "sha256",
"uuid": "5ee38365-f640-459e-bf05-fe5d950d210f",
"value": "da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1591968613",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5ee38365-6474-4aa8-b51c-fe5d950d210f",
"value": "28"
}
]
}
]
}
}