misp-circl-feed/feeds/circl/stix-2.1/5ee3822c-6828-418c-b619-62de950d210f.json

272 lines
1.1 MiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5ee3822c-6828-418c-b619-62de950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-21T12:25:57.000Z",
"modified": "2020-06-21T12:25:57.000Z",
"name": "The DFIR Report",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ee3822c-6828-418c-b619-62de950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-21T12:25:57.000Z",
"modified": "2020-06-21T12:25:57.000Z",
"name": "Dharma Ransomware Event",
"published": "2020-06-21T12:26:28Z",
"object_refs": [
"indicator--5ee3839a-07e0-4533-8ed9-fe83950d210f",
"indicator--5ee395a3-54c0-4f88-a035-433e950d210f",
"observed-data--5ee8b501-bf98-4bb7-85ff-487d950d210f",
"url--5ee8b501-bf98-4bb7-85ff-487d950d210f",
"indicator--5ee38271-b93c-40b2-83ac-4ade950d210f",
"indicator--5ee3827b-96ac-4da2-8d46-4ade950d210f",
"indicator--5ee38287-bc8c-462b-863d-2f22950d210f",
"indicator--5ee382ca-87f8-4144-86b7-fe8b950d210f",
"indicator--5ee38314-c71c-4493-ae54-40a6950d210f",
"indicator--5ee38343-f910-44d1-b837-fe5d950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:malpedia=\"Dharma\"",
"misp-galaxy:ransomware=\"Dharma Ransomware\"",
"Ransomware",
"misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee3839a-07e0-4533-8ed9-fe83950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T13:31:06.000Z",
"modified": "2020-06-12T13:31:06.000Z",
"description": "rdp actor login source",
"pattern": "[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '217.138.202.116']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-12T13:31:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee395a3-54c0-4f88-a035-433e950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T14:48:03.000Z",
"modified": "2020-06-12T14:48:03.000Z",
"pattern": "[/*\r\n YARA Rule Set\r\n Author: DFIR Report\r\n Date: 2020-06-12\r\n Identifier: dharma-06-12-20\r\n Reference: https://thedfirreport.com/\r\n*/\r\n\r\n/* Rule Set ----------------------------------------------------------------- */\r\n\r\nimport \"pe\"\r\n\r\nrule vssadmin_Shadow_bat {\r\n meta:\r\n description = \"dharma-06-12-20 - file Shadow.bat\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878\"\r\n strings:\r\n $s1 = \"vssadmin delete shadows /all\" fullword ascii\r\n condition:\r\n uint16(0) == 0x7376 and filesize < 1KB and\r\n all of them\r\n}\r\n\r\nrule Network_Scanner_post_exploit_enumeration {\r\n meta:\r\n description = \"dharma-06-12-20 - file NS.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446\"\r\n strings:\r\n $s1 = \"CreateMutex error: %d\" fullword ascii\r\n $s2 = \"--Error mount \\\\\\\\%s\\\\%s Code: %d\" fullword wide\r\n $s3 = \"-Found share \\\\\\\\%s\\\\%s\" fullword wide\r\n $s4 = \"--Share \\\\\\\\%s\\\\%s successfully mounted\" fullword wide\r\n $s5 = \"host %s is up\" fullword ascii\r\n $s6 = \"Get ip: %s and mask: %s\" fullword wide\r\n $s7 = \"GetAdaptersInfo failed with error: %d\" fullword wide\r\n $s8 = \"# Network scan and mount include chek for unmounted local volumes. #\" fullword wide\r\n $s9 = \"####################################################################\" fullword wide /* reversed goodware string '####################################################################' */\r\n $s10 = \"Share %s successfully mounted\" fullword wide\r\n $s11 = \"Error mount %s %d\" fullword wide\r\n $s12 = \"Failed to create thread.\" fullword ascii\r\n $s13 = \" start scan for shares. \" fullword wide\r\n $s14 = \"# '98' was add for standalone usage! #\" fullword wide\r\n $s15 = \"Error, wrong value.\" fullword wide\r\n $s16 = \"QueryDosDeviceW failed with error code %d\" fullword wide\r\n $s17 = \"FindFirstVolumeW failed with error code %d\" fullword wide\r\n $s18 = \"FindNextVolumeW failed with error code %d\" fullword wide\r\n $s19 = \"SetVolumeMountPointW failed with error code %d\" fullword wide\r\n $s20 = \"| + scan local volumes for unmounted drives. |\" fullword wide\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 400KB and\r\n ( pe.imphash() == \"0b0d8152ea7241cce613146b80a998fd\" or 8 of them )\r\n}\r\n\r\nrule Dharma_ransomware_1pgp {\r\n meta:\r\n description = \"dharma-06-12-20 - file 1pgp.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b\"\r\n strings:\r\n $x1 = \"C:\\\\crysis\\\\Release\\\\PDB\\\\payload.pdb\" fullword ascii\r\n $s2 = \"sssssbsss\" fullword ascii\r\n $s3 = \"sssssbs\" fullword ascii\r\n $s4 = \"9c%Q%f\" fullword ascii\r\n $s5 = \"jNYZO\\\\\" fullword ascii\r\n $s6 = \"RSDS%~m\" fullword ascii\r\n $s7 = \"xy ?*5\" fullword ascii\r\n $s8 = \"<a-g6J\" fullword ascii\r\n $s9 = \"]q)WtH?\" fullword ascii\r\n $s10 = \"s=9uo^\" fullword ascii\r\n $s11 = \"\\\"iMw\\\\e\" fullword ascii\r\n $s12 = \"{?nT*}2g\" fullword ascii\r\n $s13 = \"h*UqD*\" fullword ascii\r\n $s14 = \"b,_f n7\" fullword ascii\r\n $s15 = \"+mm7S%I\" fullword ascii\r\n $s16 = \"+L]DAb\" fullword ascii\r\n $s17 = \"nq0<3AD\" fullword ascii\r\n $s18 = \"U2cUbO\" fullword ascii\r\n $s19 = \";C!|E2z\" fullword ascii\r\n $s20 = \"P)8$X=\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and
"pattern_type": "yara",
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
2023-04-21 14:44:17 +00:00
"valid_from": "2020-06-12T14:48:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ee8b501-bf98-4bb7-85ff-487d950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-16T12:03:13.000Z",
"modified": "2020-06-16T12:03:13.000Z",
"first_observed": "2020-06-16T12:03:13Z",
"last_observed": "2020-06-16T12:03:13Z",
"number_observed": 1,
"object_refs": [
"url--5ee8b501-bf98-4bb7-85ff-487d950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ee8b501-bf98-4bb7-85ff-487d950d210f",
"value": "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee38271-b93c-40b2-83ac-4ade950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T13:26:09.000Z",
"modified": "2020-06-12T13:26:09.000Z",
"pattern": "[file:hashes.MD5 = '1ebb6bb49ac1077c5e7eba4d56f6a3a1' AND file:hashes.SHA1 = '1a37bb789c7bdda44330fd55aa292f5f76dada5d' AND file:hashes.SHA256 = '2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b' AND file:name = '1pgp.exe' AND file:size = '94720' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAEVrzFDR5fgjsRIBAAByAQAgABwAMWViYjZiYjQ5YWMxMDc3YzVlN2ViYTRkNTZmNmEzYTFVVAkAA3GC415xguNedXgLAAEEIQAAAAQhAAAADavRF5olicuJEKJOsHD6fpSTw3NG7f5itcsjsbENpqtmmGpZotrpbklUbqKPwNd4EASCz8pRwqTwVRf6f4FTYWkzKERYYBmRvLmd75E4k0WKWiQcnoKk+DhokKF2IpfwJoqRjzHyHAlN3tlsLGB0tKeVK3Fo5Q3KUWEHYti/KCQPbMieOEcGf1/MyDXHC2Spg7pp6KN0pXr49oY5zkxJELhKECG/zUWnuHhlUbeP56gx/iwS9aEeHuFr4/9TYM1G0IW7OZX+MYmndCIAzZLRt5oWhkEOsTP8caNm53ndgYvljP7FhkItJzaOrqGs4AaV0hUXRF40+kg8NPYJcgyWhzkPGhKs8TJbJFNqirgHGi2b3hXbKErJbK8FpTEd/rzjuVWRxb93oMpoM8zKZg5B7+IvDYpFAJyFSMYAP/Iw3JlnnR6THCzxkF4Au7Oy5nREKdT/Xhlags0E5d/A6fK2+SEIICA7iPTtRy9q1Jsv+n6UXlegFlwDUP0H+JETFdB1YbRNdggxJb9ilk2q8xThw2XA4BRuLzl+ss1hojbzciMH3kU7DKgWyvjoGeIm8eSxR9FGR1SltRcKKf7MIC4LdqSeTj05Ov+vdCr/3Ta7FXgKIuH7galPWu28xS7NhI2ziShtuo40QR/F/PIKYQaaCfUpcA9Npo8o6DYmyIBnLBqIfqoejtLRnOOWi6wuA+tP6zUr7UGMdfZHW2yZFhK4z7c+GB74f/rAHHDy8l14lUwzN4adbZBbi0avvnF+uCMmHNqkQPCaCamkGjNvv/a+dGfJe/eGsuoyIT8jyIzCnOkUVl/Wlr6sw14tr6SCWTd3S8vlmr+gcZknX1XxMT8uNuuYi8CAhEl6RveiBrQ9zcvIrM7FHFfzePqpQCTBjrjayRzNojngaLeBS92jjJ0sDs5WD/Z1HAH4wqh8jhF2z8J4Cv5wcZh2aKFGFgkuXomwOQWCERz0SZ8ckJR/nEMTorStYjIFWFl1UPqsv5quSWPi0wtFTUjysKskErzyB800u/xJueU1hbN+XMPTFXLptgh20USb3OfXRyMyTFdfCqE+c+CyQoTlNNomNppzMJJFVcBMuzc7riySpc03hbgIfDYOcnLmZBs+eNZyEDm0uHkCDgnUfCsjYYszURawJur8miUs+pC9KmnRDanDv1K0lk9BJh269LtJWvgDOpktxeW5wxlePYtRjwEzLPbk2iFhsTxYyTuh7PqviOp2obBqGVddgxclTPS1fQGQJqh8OyaDw219OZQhim60vJ2VvfEEm5o2yIczMA/eKwHQlLJIzViAgym8y2D8yeGMxcgPpp3YEevirrsURhMe8Xz/06qy42lPUah0tzAR0ATCbcKOM2edf7IVJtj/TZEyRGM2fvCbSPfo8vxH5n9MSzB996MEqtCAaG7agrEoqTQZVQLnSsDfSENLEkJrkyGJs64+gdusaW6TbWYkKcpI/EYDWyrFVsBet9bP75NZSs6lmv4yThrJOlKqa2E+XoGaMlGwkAztjsZ3rFr4LMY59T59nEQ0M9cBrkg4jzuWAqq14IpLlCKLLtq6/WiTw+1pewK3voEmFxxVpBQohF7OHMau3bfWv6QCaQB6iiRX7zIDnoKOXrk3nX9AYUGaULtlo7hpWCEu/IqUy1Bd5zzZWfy4W549FjHis0wqet6wD+54zDeolQjCLoV7QsSugxvxIMkK5Z+X4OU9ODNAFFasdZlgrvOETNQdwjtpL+egBe8ARrSV/CoSfL3RawXN+alRXjfch+ik2961dfOnySnXbWZVaaqsnUdQ3C7HHHGB4kqtKnj5o1keM6PgT6P65hPJS7NcqhTIElQyJ8GXvxqnJnoypysg9uBwhsjKWYVcd5WKojNC090IKN9XL7CfhxG+pW5CT2i9ZvuB3oHgymIq9Zy2M4Km9rI1OukAGvR+3Mere7Icktmt5PstuClPEOqUnR9AASCLRQLxjlxDPrdBUXxtEYq2BJ99rX4iWtqGDSNZY3WdREBSWwqONBNsmyfiV4BakDG1CYqySfG67EUZiphr5Lytyk8CEX2S2a722anvhi+uNnfAsx1fjgfpx3Hh4jiVWyDHthUB1BxGL3ZaMTgkr6LvTndNwjPkGcjPiX1L2UekuApmbaA0OWPqEa8Rk6tUsGUpvysl/KxXbxFrL0LQMsHtoIRo1il3tHCo8qbGoSBjke9pkYLg9RYy+uOXNhrDPuSph8h3v0/FAtEIg2gTUYv8xNBbEGBz6KRUG8QC01EvRgxi3GkLrk0/PzSGCwQ62c+7Gz1eeSDcIeMPdumhPC9jRiNpKTAqYGTmcUAqNFVZgGY1yFzhb+WdpDdjp9QOyw+1T6WV5z0VabCeTr1XTDyCuOQAvwHY10wRrw8VsiXqYVYb0bucaxbMQ+8fLKw+12wEtQrhjiTFYSMG+k8/f+6sPNo4+863UHhLNQMCylrVbLOpmZHszJKbioCNCivHiR3kYQmE0ed1vXnD+6H/0Dk6isuSSa9NxsV5FaoWgn6VU8vX9kU7yYh1LH2E5FpAKdLa6sGDqq9cMxEDKHaX5hBuFjkOye7L7CH4o3OfcF87FZyuesPSx3AFVfPoUDNlGWJHIfDBQrAlrvlAWdeuAOers/WicSXrovMi5FSj0mOJ3KsP3cdAUsRkBfKFTGGQRX54X68O+w3vMYI1vRlDTdhim2LOAR6Fh4xhlMnmZ1sB1MIcaTJUwCl9Roxt6P2EQ9caffdPMhjD7FxIi8eWRehgjXm5jKNA5pPuVJ/kXV3Y1xk+4veJjljDG8Kn9Ev1saRz+bTZbWfsSu8Eg55QlJPSFDimZfvG8YzuZdpn2+axC21yArzbGO6nctHJV6MFzu6gi+Trg2IibLCaaPrDjIg8Ih+TXS2/nYqvunKb5qehAWzpgi7orLW2wHIlgFmzOCc2MzWSGRjk/LeONnaFI7vPnsJVlpHDQFMt2KNOPDVK4q3cW52gvczAWp5oG8N+T5lHwdozgnhfp5T/19JLjBPybi4Q7HosgBMiUP8F/c5wP12KGIkQ/1gHF2mxmRmCFESN3zEZYGv1blkPs3NExhk8WsON0hk8lH9sOhrKu1JgiRe5wR+ywdU/W0iQTpQcyqnmHeDILkDaigf/jBgJ9j8Uc70gjMZI/FQDsPjjfI08eWOa/7BYStMm4Ct5zk0ZWDn9iDbQThWKj9vk5uj7BC2N81VvNRtdeTTVmzQX3Pwnu8+NoMaUgWp9Q81RXyddN72h8jht7FVky5CdHVJM9tSKS/m2w4mO+qDV1Fc1GgksXrN6zQKeNf/7BMu244VZdP3OFqzt1lz+d7y8mc3EVs9Ln3+x/aDggem3pU2P8NaOZxXyo5lbuagRGPjgYk+HCh7LFT+TpPJYsNKXj0oHPOM/i8pnd6JZfW0I3ToLx3VSk4KK6yi5sElENcb6Se0xzIwuf1CAxIjzGNlJmKTD1NNGN+ABLqLgN6/ZJ8wW1a9/MVbAXHv04YFjn9CNIqUStAgPFPuVFzrgGLyEw6MkArScg7TOlz1dvA33jOsoDFU2Yv/XoW1qIIyBkjgDsU5mj8GZ461K+1oW6wSzD0uJdQMIxReryCXGJyXkR+Pf/C8M7ruuD1kEGrr6FgxTXUQN7hJAxbrd6caLOCAEEXzjmRSk5z9
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-12T13:26:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee3827b-96ac-4da2-8d46-4ade950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T13:26:19.000Z",
"modified": "2020-06-12T13:26:19.000Z",
"pattern": "[file:hashes.MD5 = '9b0d6df42f879ba969f82c7a0ab48bc6' AND file:hashes.SHA1 = 'b5d6f94f270a02abedc7484dc7214d15d2cee99e' AND file:hashes.SHA256 = 'e25245f98a23596e03e51535beb0f73c000de63e473580c4c26e7b8b01b4e593' AND file:name = 'closeapps.bat' AND file:size = '3611' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAEprzFA+CgJcPwMAABsOAAAgABwAOWIwZDZkZjQyZjg3OWJhOTY5ZjgyYzdhMGFiNDhiYzZVVAkAA3uC4157guNedXgLAAEEIQAAAAQhAAAAJGTC79urpRw78MMkXDoxs1DaeVy8tRk/4oYMpKdycWKBNJN8TUNryHLM7/8gwj1QoI5Tt2OIP3kWNi23M43QA8kU9VSMOeMSibp6MQR+a7E9sgvfo/i4lLDBbB3qeYCmPcWwJyMeGNqb/mZbgtIdN1f6OZ1VO23stimt0tAZ1los6ZXF6f+bB8v7qSLwou86fycGoNVyrVE2iHzPI2wGBz9qZpGxpocViMR5wyRiIpD+HGo5xoilm1fK6U0ulu+XbF3CRS+gr3n2//3rEea3IuOWsPu6k3bqlRbi0gjurvRR52+oPWk9aSw4pwFkF6VEoJZrv3PVm8ThtT6kjS4JJIOvEMIWpEKZ7iJq0CmUQ0bbkR0AlMbP2Z+jklgsISlJKPIZyzh02MmIJHyf4ZOaUmaBs8c0+WG7n+IgjHfEJx6IjIiYmdAh+XWsSV8irPoLwh3RTaxDlq3Hl4QDAXa7UKF02GdJBFWmiw11EwlsBciBBtrIBthn21jnqaI+ifXrUA6W8/K7eXdp7dZ9+Q6AiX93SMdAkkNvL01V1bIuYmGbWCOMLMUchWX6wkOuvuBilB7QxvqGeQ1LA/fRQdDV7942+SUFL909wpdQMgK1fjB8M7vcIOVcxRo/Rb+8JrFShbukz2ysfOZGbOBVgBI4vLIAayiL99DIJaq6PopCGlOUT+ndLhzFIKJEp8KueNrnfnwCk9EBgBw1S0QccUY1v2lBNLntfYa6Ux8s4hZuTi6/rGuxcFfTRYFmvR+T8B/kne3jwTqpw2oAOCtT0eair+1QeqLTrdrTFccfPvZdKAjlfUvAxG5Ys2vxLhmlW1L62ZwqxMBhPpbUPgM9kvFHe3T7t/lPkxV0ssbkPX88SsdRS2KA8NdsPDUegCduVhF50rOHtrwGKX/9tfJxAXorUovMgIBvmdfv7mU/RdYXPnxh+PoPnntdG/0bWNy87BZIStT7Lb6mkY1Zy4Q5koezywl9jdDBjH4fsNzRUlJ8RRIoVjK/bQB4TmwXnIzt3aMgpapsfEInFS9fZrn7DAM1gRmHEtlPF4fX1gadl0sa1lvaphsO187KgtNSxqMNuYQs1CH65hoquvfLUVbEX3abUEsHCD4KAlw/AwAAGw4AAFBLAwQKAAkAAABKa8xQRYb6PBkAAAANAAAALQAcADliMGQ2ZGY0MmY4NzliYTk2OWY4MmM3YTBhYjQ4YmM2LmZpbGVuYW1lLnR4dFVUCQADe4LjXnuC4151eAsAAQQhAAAABCEAAAD9KdpzjSYt6QvioyAnChI5W73UEcaTWAMHUEsHCEWG+jwZAAAADQAAAFBLAQIeAxQACQAIAEprzFA+CgJcPwMAABsOAAAgABgAAAAAAAEAAACkgQAAAAA5YjBkNmRmNDJmODc5YmE5NjlmODJjN2EwYWI0OGJjNlVUBQADe4LjXnV4CwABBCEAAAAEIQAAAFBLAQIeAwoACQAAAEprzFBFhvo8GQAAAA0AAAAtABgAAAAAAAEAAACkgakDAAA5YjBkNmRmNDJmODc5YmE5NjlmODJjN2EwYWI0OGJjNi5maWxlbmFtZS50eHRVVAUAA3uC4151eAsAAQQhAAAABCEAAABQSwUGAAAAAAIAAgDZAAAAOQQAAAAA' AND file:content_ref.x_misp_filename = 'closeapps.bat' AND file:content_ref.hashes.MD5 = '9b0d6df42f879ba969f82c7a0ab48bc6' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-12T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee38287-bc8c-462b-863d-2f22950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T13:26:31.000Z",
"modified": "2020-06-12T13:26:31.000Z",
"pattern": "[file:hashes.MD5 = '8add121fa398ebf83e8b5db8f17b45e0' AND file:hashes.SHA1 = 'c8107e5c5e20349a39d32f424668139a36e6cfd0' AND file:hashes.SHA256 = '35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413' AND file:name = 'Everything.exe' AND file:size = '1668200' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAFBrzFBplHUlq5IKAGh0GQAgABwAOGFkZDEyMWZhMzk4ZWJmODNlOGI1ZGI4ZjE3YjQ1ZTBVVAkAA4eC416HguNedXgLAAEEIQAAAAQhAAAAgLlZdtUm3KlH9fAxz/AuKuy8i+y7Wfg3FQ3tdIKSvBGbGWm4UIpR/IhCC57ISfV14PdBkq3t5wSzP44Az25s8Pxco0uH8enkGr+xXcIQPQqJZjqec6MgUW6a38ZRu4OUcOSJd3+r3jemIJ+xTDisNVcKTvS16r8UD/y2ZmflVxhSIBkow7L9MB4t6oA6jF78NdrZugfAgro8qQfr87hGR23kjYO7bf03ogoTS7xw0+OV2KL9nknBLZKv1/Lpz/J4BCtim+6BhenqPfcMJ9uSarP7maPfdPpTA0TL155O2fOY4sFZ79AKZURAUcg6X0fhT9GfmzqApWp89225hO6+8JK/39hEfXrOQi+riWju9i6BY4VkOOt4VHs9MRkulDXxKlCb1v9L0oiI/bZ2Uj1rDYshkyPdnVtZMVir1fKwwVJWLHo7Di6+MIRTSxmcszKIZkBojJP7Mwk2BqJy/HAwvPGudo6/rXA7y8L1+mjp80qbbV8XyNQkGLIvnwBGhTWWzV7j76b2r865yy5rScAZCZf7Xg8Aqa4aOC2VYIy2Ir8dHBKtmuYsaqQ50JMCWRjwcBjSSS7YLq++Mxqx6K/Bq6PkcG02phnPdY+Gf2p4Qk21g1pHlL7+BW13rkgJ9dymDGRgWBjV8R3CwS/qbM+WWFRMIIUlTVNArx7+jTwOpo3NRpogwFID5/l6ziunO0XXOyZHmM77Pm8H9we6xc796ujBE+jBrFCageOzghRt/tMHb7YOumhJWH0GWVAWZhAl7871bhEeTkD6PX+mD5wtqRo3ZOWl68RS14KGMI/aTDdr7pHz8vaGZhapOmB5XZHWx1haARzmSt8vpCTBT9tISv+oEg1pObV3v7pPqNkYdy5CeLBu2ak314p8MSakfh6uRoWirrIJVxG52vmFCNJkbhZ39qsQOX6SOJJBLoLjdCk83Cx1oRNyFf/AqQ5nJE95ZXHa+dpkJ5Wd0m9rFzdWlNNWHFkVyqmzlb+gyzVIPBzdNucrM7FWP8RWKYdqbA87cNZvDh/F9AzOy+PbmbNwFJymyuxcW08K7+DGXbKBnskKVZ0WRh77gkk4n3cBX+YF0XrXF6yZ/V5Yu6ceBS4ZFZ00dh/jiDLZPBhFLaMHNsC3dU1EIXjPpA/Z4uluqmj9wTZ3KonaIbeDCk3URDiJHtHEJpp9ojbjIsCm9qrWpyCFEzmcFl0CLnSq5kzu7xLw4LuRaSKLolzdnyQtd92DgY3MtmB7JU6yKtvyVN6mxWRYZeetRyAV115RDcuSocGd7Ke4PkP+Wd6SXI4tjHb09Y3McsynEF1JX11+68R2l2GYSYiK4gvdc0p0C3Pxzk815Cn3UomOLNZzS4vwOSMB33w91OzGEAPQ8+y+njH9YYZKg8MVbxmJ8nyQIJ8a6bQ7QzWMeAX26GlwT/lavrJLxzHKIXDrszT3A3E7sarn1Vm0zLGNU4eaSvd9fFI1QjrImA5sgSDRDdIDmVWggm6G/lTRuN3ZIvutAikQjV2OBtGt5mpT4DDqF33hUKZgmLP/wU5fw6B8J33uU3kyU5stiY8mxlxhDYjYiPqicDu+H9R0S/8XvxsiGWJKkzhWnOaVXSsYVeterX06hhDp8zHzUbJw2zRPWvH+cDDCFX/cLp5VZYDCXaecpMpCSbDFGwz3O21mvvYYKynGcfjPcj1Xxy98Aqu7e3xjLIgwdyi1VWeFhA3XjeExmM6JXnqJURjP/6csyvLjtV8mXlCcVmag2Up1kfOWjOjJg/q5bjriPM12zQe+ytYu6iJ15kDzy4pn1XMtrfiNPSv4StiVPTxlzsTzem/ji0GYn/z4MBEFXn63CUlKILL1+ejGjkkHJNGBggdVr6egjL+oDblV85izBMGRPPLsnxrFCGwt68rIG4uTK2k8cpTaLxa9WutrVH6lI/M8mn2DKnHIt9LgzEGSiTx7qWiPelMVWh7ngfwGoE0ITqlEpf9MLT43S+80s7GlTw2BIAPKnU6i4Rjn1cdPpuPvNeu/69hMB5W20/Gn7omJ+0kLhUn7PWAFpfVDDoWHRHo37yTpAmth3TEVc+guJdId6hxMzJsqLg8urs9yDk4nElbni5+l22I7p8uyEs+C2XKyIKA6Vo3Bdf1dWre+pWxszCeE0g2k3NE4TGBq+5YqmCcOm5N+kIyRLF/BTGS2hfrmBG8F0CpQdfscjO84M0AVDj56ObX8IedYPk832s+a0ub3G5D9fSbwUjSN/XWXjwTVoR5PDsLJc27ST2YAmNFaSsfoMVxQI01DP+Q+2l+veWldzrIR3dJpBu4N5XMZQA0B1D7WiMhkFmN8y+/vA/LRbLaqYPMJxfmN0mGnjpWXIM+HIwVZhuL4a5EUm3pxBSZoofdsLEEPCxciNFURI63zEKnVKz0E8BLRDDKOJo5lEN/yNcDzXIOBw23ubWYBIc8MqTcV3ug6boa6kmKXby1PfiAFLGLUv77c+hL1Io/YJyKvtFViuNoiJwgV6cEvD8wCHwnIHaWdwhQjzh531oR98S9G0N9uox3j5sGPXkBmLCYxYjeEC9Hfpnka1lTjb1SG6Lwkf7XbyokwD5eEjlmoZ6VowgkmKCW0m66ZpV9oj04wH4wKUsO1i0CDS5dwy363/40V5q/xySGVpK7IwODEvF0DXnzzMd0FXPYP24cT5jZNxnKXdKSYFVPxF5DNxDlfKjxdBhA4x4slLicjhUOkc7wRB7DWkWQ1YCzuDuk7Ec6+N1zeyMRoUKoksmWrow/FglqZg4x6LezkuHDB/FIIZx3rObBywKKK8kEEFoTvNDJiGFKEjKq6TUUylMizAOwzkRErQFI+AwKN0ArR2gGwjh7x/jgIbeAtVQvAN7SKoctDIR8dec4y6CgU59dYUPIVJ1YSO75T7klnBtwNgJofUospiv8qQmnWr/w1+/RRD+ejZRO/lfl3CHNnIAtsTVUPbA+xajOEChZFMbFTe1DtJM9RTV8weAWxvkFIQugvkyZjXFjBIOx6W2ypdL299KFZmHMsViChrcKB9XaEsd9K3LB3gv2lHNsE9QbHRTi36OXQKAkLDJ48bDi9R6ljLjBmo4DpcKnoSHbbBmqDnKH33JiNkS0p1I4P0fPl21EVqqXKQ7r0Pn7wC4Ht2sWz4Rr8+7brXFXFpd+oho+RgJJF+OSgOIXQra3Y4d28Gby4jdpJObHXPxZoiK81ljcEZM00EZwU56QlRt9NCkiqFhKteg4tw+wUqtrYbeseF+N0gTrY8LJUM3OoVFx47/fsqceBVundzjK0N7v1ELDReIW1TR1g4a+DT+oQNVYvGIGtU9woaKugu9RFlRnu05CkgxA1oM/bn4xyWzod+CE7e+jYO7bsUqFFFmLbK+cTOWQOUBUDlVwCbNzgehtjBsbasfevi3x5rxZ3gzPAjNjac2q7334Hu2zBFvA04S7MJGIIwXTaFNL9ql4/Xv6Fwnz4O9nRMWvAr5sL/bqcPQk4aAnx8rImTzSoMHrrFpATSf2VorWuEbFgNXJnTPjhHN6YQqWhyPGfvJPIjs9EgcoUtu1UGN++uw1I/M/Cg5jK4BRH+SqoVGq/j2ddoH07dNhZy7YMsAKcdFj+Vtz6dLBYhdMCICvEkUEq6g/Wo8k/nT8LTyGtddSUeslWT9p
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-12T13:26:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee382ca-87f8-4144-86b7-fe8b950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T13:27:38.000Z",
"modified": "2020-06-12T13:27:38.000Z",
"pattern": "[file:hashes.MD5 = 'fb9c610ba195f9b18a96b84c5e755df7' AND file:hashes.SHA1 = '5e4f2074850cce0eab4d6165807e86c88b5b8c0b' AND file:hashes.SHA256 = 'e17ca6c764352c0a74e1e6b80278bb4395588df4bed64833b1b127ea2ca5c5fd' AND file:name = 'LogDelete.bat' AND file:size = '63' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAHNrzFAT3/k6RQAAAD8AAAAgABwAZmI5YzYxMGJhMTk1ZjliMThhOTZiODRjNWU3NTVkZjdVVAkAA8qC417KguNedXgLAAEEIQAAAAQhAAAAkJAWEDFbPYZ2o3WgIF6QJ8CFWZ5A8i3V8Wgfc5l9GFagLS9/8geHrmjx5zmDQoFwbvW3G0sOFzHgyvkX4q2yNZ1w7R4OUEsHCBPf+TpFAAAAPwAAAFBLAwQKAAkAAABza8xQ/TRUNRkAAAANAAAALQAcAGZiOWM2MTBiYTE5NWY5YjE4YTk2Yjg0YzVlNzU1ZGY3LmZpbGVuYW1lLnR4dFVUCQADyoLjXsqC4151eAsAAQQhAAAABCEAAAALb0KLMLoBXwW8baPXrym/BpzCqab++U/FUEsHCP00VDUZAAAADQAAAFBLAQIeAxQACQAIAHNrzFAT3/k6RQAAAD8AAAAgABgAAAAAAAEAAACkgQAAAABmYjljNjEwYmExOTVmOWIxOGE5NmI4NGM1ZTc1NWRmN1VUBQADyoLjXnV4CwABBCEAAAAEIQAAAFBLAQIeAwoACQAAAHNrzFD9NFQ1GQAAAA0AAAAtABgAAAAAAAEAAACkga8AAABmYjljNjEwYmExOTVmOWIxOGE5NmI4NGM1ZTc1NWRmNy5maWxlbmFtZS50eHRVVAUAA8qC4151eAsAAQQhAAAABCEAAABQSwUGAAAAAAIAAgDZAAAAPwEAAAAA' AND file:content_ref.x_misp_filename = 'LogDelete.bat' AND file:content_ref.hashes.MD5 = 'fb9c610ba195f9b18a96b84c5e755df7' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-12T13:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee38314-c71c-4493-ae54-40a6950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-16T00:21:07.000Z",
"modified": "2020-06-16T00:21:07.000Z",
"pattern": "[file:hashes.MD5 = '597de376b1f80c06d501415dd973dcec' AND file:hashes.SHA1 = '629c9649ced38fd815124221b80c9d9c59a85e74' AND file:hashes.SHA256 = 'f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446' AND file:name = 'NS.exe' AND file:size = '128000' AND file:parent_directory_ref.path = '\\\\%USERPROFILE\\\\%\\\\Desktop\\\\Oc\\\\NS.exe' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAJprzFB8peOKDQQBAAD0AQAgABwANTk3ZGUzNzZiMWY4MGMwNmQ1MDE0MTVkZDk3M2RjZWNVVAkAAxSD414Ug+NedXgLAAEEIQAAAAQhAAAADr51GETUX5gG9yc4dxKaWgpRorkA0+YQCyCFBlVTtUs60TysWkqeV8q8bteYwUk9TDPlDomcMeFWpBbUqcN8GlAlDJQiB84pHFNM5olcXFJBiJUohtSPsXcnDGWbOu2/4fzM8kk6DoJ8oLZ1qp5wnyiATw2gkw42kYbKfpQUquk7Obx6mS+uV037GRo1NgJ+dHJlwQ0LVjTQgFErjebgRi7Vp4Zp/o+k3akYcA15FevykMMZ2kMWS+2mIyUlW5AxQseC0POvYSaGq16Mx7sTJ1v4MJbFblpBiufdDaDJCLcwHeQUEaRyxFtlwGcAXAjBSZ9Sybw0bt4ue6EeXRZLh9Dupn4mLgsIjulNALcX6iu90WhNLYEeL5BfoWxbq038GvmGdi8yuuCb+eLKpuh0/Ax1m4D0ifop+VCIBs71gZiDRZoYEaBZ+bDvHF6Ue7aj0PKO7dAzgdAJnS4QyJ+I4KrLz8o9Jf3fBjHXWyYPn9fuVnUpg8YWRsyJ0asfBfmqXmnJH4htbhGux3ysm06WSHeUXkePDxtXpOobjCPKAePSym3thlvrBwtrk5f7KVmOTJ7PqZ1pPdrhn+g4StIlEm+8X0wzW9+H1oGWx7ENgmLggvkz1ecdFxtM9zdFC7BayvyHHywGK/smFoO7swB5T2qFeJKViGonVu8d76jyuWFGuwN20lFnGtQrd/2XpKevd8Ov/2jQ5HPjq41NT4AJmPrjd0ITgQ77EnFgatO346YKuvoSrWywSWDeiwqmINO9kMlI9DeVd09AWQGK49AMM/3tsWH3XVv2Fu+IjeMcpGDN87F0VvbplG2ItKUL517fK5qqQ6RDfC3sPB5M1S8N01HHXe8bx/x0a8hgw6NRWMgZ9OxTQSzb9EZ3xsTINtgH3INqWmbRp5+8m8jMY5L/uI9wfXXKLkfdd9BkJ3+MiQye/HYIUC5UiVD3X5KxsbZRLblaNvnn2x9zbnwbIJzQ1Ou80lHu8czCJKj14Gf5ZL1Q2fi+jjMVwexf0M0iW+MQe5nSDsivxlBm0sgRRRQ/X7UUhYtD73MgVfyjw5xFvy4vtGmcB9tf+xAiHaCyw910sc6ymCe+zwUM6GPCRreFq2Ph352zKWn7xAn1NsePDoG6YZOGrejtkeXlhmiFuuwBx+FAkNlFaLn0MkyyLSK4hL7L6Gb5tZugipBRXMoz6tlRIoZVvATMogPxlYH1o6izahRmn0h8fXcz3Lffi+n8qFwqO6ZJY032gaoArfQYYzstrK2mP6L7ST15jSDKTW+mXMJoSu6T+rNHOYC0NE3IeraIjPSiWuWJ8pusIAJlGm8PLKkwLDDnvw7Bt9qYcyXvSI7346G4P43eaxaAN3+t1P1l5s9Q57BSlIXGWfeegWp8EQnGdObst2evrs0v1hXrY9kKqc3DwTtsIEykAKcdTWghRL9dRgYVwzd32YF5KsT1crCp1FStIbhW2hKPyFVSa0O+FRpaqY3V6jgaljnoc8vX9w5Zzwfu02C1Zc4vMthhg0KmUgQfEa0zD754BDGOTmxv+I7gIA33PERY8N7CgIDnmVD3SiJRsnxUrXyzwIVHv3yuotc+iLT8ZHMOcsOzzV4Sff3P4NwJQRu6SN5guDmmNT4O8XSDRG3saSiD2jOrz7I4Wp2/L1HcfhP26aEpAUV6AhtbQRmiwFrit6VOLip3OYAcwOhriZJcf2/WHKbxgQZ4+h/15xvJa94IyNSu9zsd5rVLOOuR3ijrJCSN47hpakOgrPmsXaTHnt+a/4QEn5R1kHWwIkXKgz/nEAEqpQ8lggV8adMiFO+721FOxqdRjWIV4W2wC56xs9AS9yfu5dcnJilNDNlDzNYkm/MRKRYJJ3q22R0fGMBIBa62K4vmYpoGdrs2zEUgB8Kflxxlm6Z4jxQIp5mMT8nrYZ/aBcsV8RIQHSNpogONSKBCqyQoFH+v51l8odTBmCrOHriYku/xwctZ+Se6npK4kCkBs7J8AhjOphu6XWPlczMZTbQmkWipSPmHIRrCJfTeAvjzDdo4XakwmOsuuf963i8xwqO8ISnAtLUJjclXdS/rz9PZHv1H9yLr3KFgkTPIGVZ4C5xh30GhnegBKRxZju/mlO1wLcqGKrsYbfgLt51gtjgfhb9dD6rq7hG39ToIDnAaYEMl6ewYLGriWRoUWJeLQEU5A/YVXlL8w4kb0niejK8X67bZi/BFYKvwFCfDqN9ZAYVAPO4x9rpi7XME0oN09VLTEfdou/hvobuTOdsqfsQdNG7eHT/yAtT1vMyQZFAKFlTSMY4gYtDjvCIyzp4OF4ntedfSycCQ722f1a+1P+WKaaR+726bR05FB+ELhnbTvG3rr37rjt9ob+gRX2sna4u7aszXDqPpSWllxtsydgcyvJz3gx4ByHVKx77GEJFCADlS6ViPHI8J/em/nnZY1nNW0YEWYz6kZtIl2LGJqhYHW/jSDVRJw53N5bD+UthACjmnNL3Ae15IN6y2/w0TMsguj7VEngZLCO+TlZ4i14RBNIs6fq7cQcdowM1TGsH5OpnbcSK5pFGcpuv3eR9NnnHmRWXpdLhzmZSldwcJuFV9/uyvuTUSs0ruOL2WTSyhPAdriRyADS7a73mW2DIGkyDl3XdIJUXk4BHVZskf7ct4TtoR3dY7cW3Fq3372qyr2AuSg0b3upG5qkcBy/23xHexeeXr57mwBC37cd8R/wdDYKeVs/1+K28g2EW/LzSHMgJ5U9exVGCME8Wnk4hoZNkk8FG6dkQp4cBGJXvJ92QyY6I4utVBeGmgD1Gp09qsswQIOrOyXbGynaH2VnLX0QwhXOZEgm1W6GCCPQiZCUBUT+K194bte2RkIwAT/5BiWj6JPFEiammvLJKDYGy659kxnIyvUg5r/ximOR4jpo3qLwuCyAlc9HojF8REfuLqJbbVCWpAJq1x3gvRbDUUgU7nYZKEEmGQOZrTFOzG51Ivge0tkKCvbnvaODws98UenR5ot1DsVU4ajss7e/6XfHxdhxNXrsuBPYS4Cd1XWc7Pr0K+ejMn7yZEOKD4GtzCrDOqrOLqVFhLLQg07W0dPXoaRsKTJm8JoIzDVokqEAXbCo05ezD7wy5YM1+N7btN+zW4fEz/wV539eIULJRLj/7LJRRfer8wMF8AjaIiI3LK1fW8na2tcgs63HB79dS5xDTpBEh8e9Lsma5xtbt6BPxTMHGUdMgI9HnxYVV9eI4ibxjDhqh1mKneToy+HT6IWBHEtTaLcdVWqKE1DrHRlYJyKKwd8jfX9nUAgoNJV2shvSJiD+C3U+QdD2iFseb7Ol9RmX4X1LzcAVVB2ms2qIUeP7+kBrje6DTEYWjqpoSkHJQ1sj7+4nyo0ZBjZPcbX61Ztw9T6ArVGrwbI7YMmSuUZ9fHDEGx6AfxCWnr8K3/L+gbfMpXrZgrS1QqHWdg+WYhibk8JZF9Ad5zwmgP5HmEqiSaXGPV/Yw3WX+/12fbOFCtXtJIaQzscsbNMXyUraOlvLDc/tTV4cENmDufd2sXgwuWuys+id9QQSAoXvWo6PdUK7YwB6DwXZB3Jnd+
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-16T00:21:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ee38343-f910-44d1-b837-fe5d950d210f",
"created_by_ref": "identity--5e9e5d86-5b94-4ff6-b07e-4e3e950d210f",
"created": "2020-06-12T13:29:39.000Z",
"modified": "2020-06-12T13:29:39.000Z",
"pattern": "[file:hashes.MD5 = 'df8394082a4e5b362bdcb17390f6676d' AND file:hashes.SHA1 = '5750248ff490ceec03d17ee9811ac70176f46614' AND file:hashes.SHA256 = 'da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878' AND file:name = 'Shadow.bat' AND file:size = '28' AND (file:content_ref.payload_bin = 'UEsDBAoACQAAALRrzFCwl2wlKAAAABwAAAAgABwAZGY4Mzk0MDgyYTRlNWIzNjJiZGNiMTczOTBmNjY3NmRVVAkAA0OD415Dg+NedXgLAAEEIQAAAAQhAAAAxkuUBupOxYH1WPeLxc8qnjJZJAGL5FaJbdlEpu7iMW3IJ30qHl9suVBLBwiwl2wlKAAAABwAAABQSwMECgAJAAAAtGvMUIIXyqcWAAAACgAAAC0AHABkZjgzOTQwODJhNGU1YjM2MmJkY2IxNzM5MGY2Njc2ZC5maWxlbmFtZS50eHRVVAkAA0OD415Dg+NedXgLAAEEIQAAAAQhAAAA5snHYoa6G1Xvvc31fr846Fr/w0SoO1BLBwiCF8qnFgAAAAoAAABQSwECHgMKAAkAAAC0a8xQsJdsJSgAAAAcAAAAIAAYAAAAAAABAAAApIEAAAAAZGY4Mzk0MDgyYTRlNWIzNjJiZGNiMTczOTBmNjY3NmRVVAUAA0OD4151eAsAAQQhAAAABCEAAABQSwECHgMKAAkAAAC0a8xQghfKpxYAAAAKAAAALQAYAAAAAAABAAAApIGSAAAAZGY4Mzk0MDgyYTRlNWIzNjJiZGNiMTczOTBmNjY3NmQuZmlsZW5hbWUudHh0VVQFAANDg+NedXgLAAEEIQAAAAQhAAAAUEsFBgAAAAACAAIA2QAAAB8BAAAAAA==' AND file:content_ref.x_misp_filename = 'Shadow.bat' AND file:content_ref.hashes.MD5 = 'df8394082a4e5b362bdcb17390f6676d' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-12T13:29:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}