{ "type": "bundle", "id": "bundle--58ed2c42-04f0-44b7-baa4-9f1f02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:31:01.000Z", "modified": "2017-04-11T19:31:01.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58ed2c42-04f0-44b7-baa4-9f1f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:31:01.000Z", "modified": "2017-04-11T19:31:01.000Z", "name": "OSINT - CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler", "published": "2017-04-11T19:37:35Z", "object_refs": [ "x-misp-attribute--58ed2c51-35cc-45dc-9afe-4c0102de0b81", "observed-data--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81", "url--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81", "indicator--58ed2caa-a484-459e-ab44-446802de0b81", "indicator--58ed2cab-1eec-4d47-8efe-455502de0b81", "indicator--58ed2cac-fc8c-49d8-a0e3-47f302de0b81", "indicator--58ed2cad-febc-4229-b7bd-430f02de0b81", "vulnerability--58ed2cbc-9e64-4851-9097-475802de0b81", "indicator--58ed2d51-5fec-442b-a196-41dd02de0b81", "indicator--58ed2d52-d5d0-4238-ad25-496502de0b81", "indicator--58ed2d53-d174-406f-9e97-438e02de0b81", "indicator--58ed2d54-b650-421e-a53e-435c02de0b81", "indicator--58ed2d55-aaa0-4f29-86dd-494402de0b81", "indicator--58ed2d56-1cfc-43ee-af58-4f2602de0b81", "indicator--58ed2d57-db7c-4112-bec8-4f4602de0b81", "indicator--58ed2da6-63f4-4aed-8cd0-41e802de0b81", "indicator--58ed2dbf-5660-4fd9-a6ba-4bc502de0b81", "indicator--58ed2de5-2bd0-4a4d-959c-45df02de0b81", "indicator--58ed2e50-6ad8-4998-9917-4d0402de0b81", "indicator--58ed2e69-fcc8-4231-96c5-4dc602de0b81", "indicator--58ed2ea1-de84-4fd8-83e4-427602de0b81", "indicator--58ed2ea2-1270-450c-b73a-498a02de0b81", "observed-data--58ed2ea3-9304-4143-ba8c-478902de0b81", "url--58ed2ea3-9304-4143-ba8c-478902de0b81", "indicator--58ed2ea4-f158-4709-9f95-497702de0b81", "indicator--58ed2ea5-cb4c-4612-8f43-436702de0b81", "observed-data--58ed2ea7-ad1c-40b8-b755-485a02de0b81", "url--58ed2ea7-ad1c-40b8-b755-485a02de0b81", "indicator--58ed2ea8-aaec-4ba9-a2e0-4cdd02de0b81", "indicator--58ed2ea9-d300-445f-a127-4bed02de0b81", "observed-data--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81", "url--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81", "indicator--58ed2eab-5f60-4ec0-ad19-4c4702de0b81", "indicator--58ed2eac-4b60-492d-82b1-45be02de0b81", "observed-data--58ed2eae-944c-443c-a126-421302de0b81", "url--58ed2eae-944c-443c-a126-421302de0b81", "indicator--58ed2eae-b31c-4009-ac2d-4be002de0b81", "indicator--58ed2eaf-af18-47b9-8151-44ea02de0b81", "observed-data--58ed2eb0-2948-4c1f-9107-4f8002de0b81", "url--58ed2eb0-2948-4c1f-9107-4f8002de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58ed2c51-35cc-45dc-9afe-4c0102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:30:40.000Z", "modified": "2017-04-11T19:30:40.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\r\n\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.\r\n\r\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:30:39.000Z", "modified": "2017-04-11T19:30:39.000Z", "first_observed": "2017-04-11T19:30:39Z", "last_observed": "2017-04-11T19:30:39Z", "number_observed": 1, "object_refs": [ "url--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81", "value": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2caa-a484-459e-ab44-446802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc", "pattern": "[file:hashes.MD5 = 'c10dabb05a38edd8a9a0ddda1c9af10e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2cab-1eec-4d47-8efe-455502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "template.doc", "pattern": "[file:hashes.MD5 = '9dec125f006f787a3f8ad464d480eed1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2cac-fc8c-49d8-a0e3-47f302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "copy.jpg/winword.exe", "pattern": "[file:hashes.MD5 = 'acde6fb59ed431000107c8e8ca1b7266']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2cad-febc-4229-b7bd-430f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "docu.doc/document.doc", "pattern": "[file:hashes.MD5 = 'e01982913fbc22188b83f5f9fadc1c17']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--58ed2cbc-9e64-4851-9097-475802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "name": "CVE-2017-0199", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0199" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d51-5fec-442b-a196-41dd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "hire_form.doc Malicious document", "pattern": "[file:hashes.MD5 = '5ebfd13250dd0408e3de594e419f9e01']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d52-d5d0-4238-ad25-496502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "template.doc/template[?].hta Malicious HTA file", "pattern": "[file:hashes.MD5 = 'fb475f0d8c8e9bf1bc360211179d8a28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d53-d174-406f-9e97-438e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "ww.vbs/maintenance.vbs Stage two VBScript", "pattern": "[file:hashes.MD5 = '984658e34e634d56423797858a711846']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d54-b650-421e-a53e-435c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "questions.doc/document.doc Decoy document", "pattern": "[file:hashes.MD5 = '73bf8647920eacc7cc377b3602a7ee7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d55-aaa0-4f29-86dd-494402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "eoobvfwiglhiliqougukgm.js Malicious script", "pattern": "[file:hashes.MD5 = '11fb87888bbb4dcea4891ab856ac1c52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d56-1cfc-43ee-af58-4f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "wood.exe/ dcihprianeeyirdeuceulx.exe Final payload", "pattern": "[file:hashes.MD5 = 'a1faa23a3ef8cef372f5f74aed82d2de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2d57-db7c-4112-bec8-4f4602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload", "pattern": "[file:hashes.MD5 = '15e51cdbd938545c9af47806984b1667']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2da6-63f4-4aed-8cd0-41e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "pattern": "[url:value = 'http://www.modani.com/media/wysiwyg/ww.vbs']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2dbf-5660-4fd9-a6ba-4bc502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "pattern": "[url:value = 'http://www.modani.com/media/wysiwyg/wood.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2de5-2bd0-4a4d-959c-45df02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "variant then connects to the following command and control (C2) server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.203.90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2e50-6ad8-4998-9917-4d0402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "The initial stage reached out to the following URL to download the stage one malicious HTA file:", "pattern": "[url:value = 'http://95.141.38.110/mo/dnr/tmp/template.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2e69-fcc8-4231-96c5-4dc602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:18.000Z", "modified": "2017-04-11T19:29:18.000Z", "description": "Malicious HTA", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.141.38.110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2ea1-de84-4fd8-83e4-427602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:37.000Z", "modified": "2017-04-11T19:29:37.000Z", "description": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667", "pattern": "[file:hashes.SHA256 = '169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2ea2-1270-450c-b73a-498a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:38.000Z", "modified": "2017-04-11T19:29:38.000Z", "description": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667", "pattern": "[file:hashes.SHA1 = 'ea434604b3de06110de582a9c003c2b60368b33e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ed2ea3-9304-4143-ba8c-478902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:39.000Z", "modified": "2017-04-11T19:29:39.000Z", "first_observed": "2017-04-11T19:29:39Z", "last_observed": "2017-04-11T19:29:39Z", "number_observed": 1, "object_refs": [ "url--58ed2ea3-9304-4143-ba8c-478902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ed2ea3-9304-4143-ba8c-478902de0b81", "value": "https://www.virustotal.com/file/169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18/analysis/1491819886/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2ea4-f158-4709-9f95-497702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:40.000Z", "modified": "2017-04-11T19:29:40.000Z", "description": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28", "pattern": "[file:hashes.SHA256 = '3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2ea5-cb4c-4612-8f43-436702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:41.000Z", "modified": "2017-04-11T19:29:41.000Z", "description": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28", "pattern": "[file:hashes.SHA1 = '3bb5af725d63a18a306506b3ebd12aed820e00eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ed2ea7-ad1c-40b8-b755-485a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:43.000Z", "modified": "2017-04-11T19:29:43.000Z", "first_observed": "2017-04-11T19:29:43Z", "last_observed": "2017-04-11T19:29:43Z", "number_observed": 1, "object_refs": [ "url--58ed2ea7-ad1c-40b8-b755-485a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ed2ea7-ad1c-40b8-b755-485a02de0b81", "value": "https://www.virustotal.com/file/3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828/analysis/1491935832/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2ea8-aaec-4ba9-a2e0-4cdd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:44.000Z", "modified": "2017-04-11T19:29:44.000Z", "description": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01", "pattern": "[file:hashes.SHA256 = '13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2ea9-d300-445f-a127-4bed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:45.000Z", "modified": "2017-04-11T19:29:45.000Z", "description": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01", "pattern": "[file:hashes.SHA1 = '0f3b135fd9eb3c6befbeb69f418ac182aeb56557']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:46.000Z", "modified": "2017-04-11T19:29:46.000Z", "first_observed": "2017-04-11T19:29:46Z", "last_observed": "2017-04-11T19:29:46Z", "number_observed": 1, "object_refs": [ "url--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81", "value": "https://www.virustotal.com/file/13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575/analysis/1491931544/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2eab-5f60-4ec0-ad19-4c4702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:47.000Z", "modified": "2017-04-11T19:29:47.000Z", "description": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17", "pattern": "[file:hashes.SHA256 = '01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2eac-4b60-492d-82b1-45be02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:48.000Z", "modified": "2017-04-11T19:29:48.000Z", "description": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17", "pattern": "[file:hashes.SHA1 = 'fa504cb04ea83ecf1d360062fe612aba5e678f68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ed2eae-944c-443c-a126-421302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:50.000Z", "modified": "2017-04-11T19:29:50.000Z", "first_observed": "2017-04-11T19:29:50Z", "last_observed": "2017-04-11T19:29:50Z", "number_observed": 1, "object_refs": [ "url--58ed2eae-944c-443c-a126-421302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ed2eae-944c-443c-a126-421302de0b81", "value": "https://www.virustotal.com/file/01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a/analysis/1491867682/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2eae-b31c-4009-ac2d-4be002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:50.000Z", "modified": "2017-04-11T19:29:50.000Z", "description": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e", "pattern": "[file:hashes.SHA256 = 'f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ed2eaf-af18-47b9-8151-44ea02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:51.000Z", "modified": "2017-04-11T19:29:51.000Z", "description": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e", "pattern": "[file:hashes.SHA1 = '9aed05edab5d0200eb509ed22c8c30f19652814c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-11T19:29:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ed2eb0-2948-4c1f-9107-4f8002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-11T19:29:52.000Z", "modified": "2017-04-11T19:29:52.000Z", "first_observed": "2017-04-11T19:29:52Z", "last_observed": "2017-04-11T19:29:52Z", "number_observed": 1, "object_refs": [ "url--58ed2eb0-2948-4c1f-9107-4f8002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ed2eb0-2948-4c1f-9107-4f8002de0b81", "value": "https://www.virustotal.com/file/f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66/analysis/1491801507/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }