{ "type": "bundle", "id": "bundle--592144d2-9100-4405-b018-4fd902de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--592144d2-9100-4405-b018-4fd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "name": "OSINT - New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two", "published": "2017-05-21T07:54:33Z", "object_refs": [ "observed-data--592144dc-42e8-4149-97a3-4fbb02de0b81", "url--592144dc-42e8-4149-97a3-4fbb02de0b81", "x-misp-attribute--592144eb-a280-449c-97ba-4d3702de0b81", "observed-data--59214509-454c-474d-bacf-443802de0b81", "url--59214509-454c-474d-bacf-443802de0b81", "indicator--59214567-aa10-4200-a3c7-4b8502de0b81", "indicator--59214568-9d58-416f-b034-474502de0b81", "indicator--59214568-7a90-4544-b7e3-4e8c02de0b81", "indicator--5921458c-c068-44cd-94de-499302de0b81", "indicator--5921458c-5bd4-4aad-ac0d-4edd02de0b81", "indicator--5921458d-69e0-4865-ae74-4be902de0b81", "indicator--5921458d-6d7c-4955-bfe8-462902de0b81", "indicator--5921458e-dbc4-4695-88d6-4c3002de0b81", "indicator--5921458e-4f3c-48a3-906f-44b602de0b81", "indicator--5921458f-f984-4709-b3c4-465c02de0b81", "indicator--5921458f-4f50-4859-a4f3-4a6b02de0b81", "indicator--59214590-96e4-4e1a-8211-4de102de0b81", "indicator--59214590-48c0-4936-85b3-45bc02de0b81", "indicator--59214591-83c8-44cd-bb90-4ccb02de0b81", "indicator--59214591-bee4-4a98-ba15-46eb02de0b81", "indicator--59214592-c22c-4c34-bc20-407602de0b81", "indicator--592145ba-0934-4078-86f7-44cb02de0b81", "indicator--592145ba-0978-4a0e-b799-461102de0b81", "indicator--592145bb-e7f8-4ba7-90e6-487a02de0b81", "indicator--592145de-8f1c-47bd-9d64-4b0a02de0b81", "x-misp-attribute--59214605-2fa4-41ad-9301-40b502de0b81", "x-misp-attribute--59214606-b5fc-4f4b-bdbf-484f02de0b81", "x-misp-attribute--59214606-2d44-4445-8469-400d02de0b81", "x-misp-attribute--59214606-c884-4c98-8672-4b3402de0b81", "x-misp-attribute--59214607-0ae4-4de2-b171-46ce02de0b81", "observed-data--5921462e-a604-4be3-85a9-472a02de0b81", "url--5921462e-a604-4be3-85a9-472a02de0b81", "observed-data--59214647-9828-44af-bab7-434002de0b81", "url--59214647-9828-44af-bab7-434002de0b81", "indicator--5921465f-ec80-4d55-862b-497a02de0b81", "indicator--59214676-e704-412d-b4db-451202de0b81", "x-misp-attribute--59214697-2604-4d4d-8336-406402de0b81", "x-misp-attribute--59214697-11bc-4454-adf2-4c6502de0b81", "indicator--59214798-f018-439b-aea9-4c7f02de0b81", "indicator--59214798-7234-4525-8617-4ed202de0b81", "observed-data--59214799-3164-4fc4-a193-416e02de0b81", "url--59214799-3164-4fc4-a193-416e02de0b81", "indicator--59214799-da18-4be2-a503-42d602de0b81", "indicator--59214799-35f8-4858-a660-46ef02de0b81", "observed-data--5921479a-3a84-4b4d-88c8-410d02de0b81", "url--5921479a-3a84-4b4d-88c8-410d02de0b81", "indicator--5921479a-9534-40ba-9010-44c602de0b81", "indicator--5921479b-4544-4031-97b3-408002de0b81", "observed-data--5921479b-6fd0-4131-ba06-4fd302de0b81", "url--5921479b-6fd0-4131-ba06-4fd302de0b81", "indicator--5921479b-3d7c-4620-878e-4f3c02de0b81", "indicator--5921479c-7c70-4d05-bb56-4f9302de0b81", "observed-data--5921479c-47fc-4946-a54c-410d02de0b81", "url--5921479c-47fc-4946-a54c-410d02de0b81", "indicator--5921479c-bac0-4c02-883f-49ee02de0b81", "indicator--5921479d-c6ac-43c7-b8fe-4fa702de0b81", "observed-data--5921479d-8944-410b-b861-442a02de0b81", "url--5921479d-8944-410b-b861-442a02de0b81", "indicator--5921479e-4180-4d80-a484-466802de0b81", "indicator--5921479e-3174-407f-961b-4d9d02de0b81", "observed-data--5921479e-52f8-4333-894c-441802de0b81", "url--5921479e-52f8-4333-894c-441802de0b81", "indicator--5921479f-b5b4-4437-83e0-449902de0b81", "indicator--5921479f-0ca8-445d-a6ef-4f5902de0b81", "observed-data--592147a0-e5dc-4358-b8a8-44da02de0b81", "url--592147a0-e5dc-4358-b8a8-44da02de0b81", "indicator--592147a0-8434-45c4-ab3a-435302de0b81", "indicator--592147a1-6984-43e2-be35-430802de0b81", "observed-data--592147a1-b764-420e-bcf8-4e7302de0b81", "url--592147a1-b764-420e-bcf8-4e7302de0b81", "indicator--592147a2-f2bc-4bcd-92cd-4f0102de0b81", "indicator--592147a2-49c8-4a16-ab00-4ada02de0b81", "observed-data--592147a2-9c98-4a76-9053-4c3902de0b81", "url--592147a2-9c98-4a76-9053-4c3902de0b81", "indicator--592147a3-1ed8-4ffb-86c9-421202de0b81", "indicator--592147a3-1200-4f89-a06f-440202de0b81", "observed-data--592147a3-3234-4995-99a3-4c8102de0b81", "url--592147a3-3234-4995-99a3-4c8102de0b81", "indicator--592147a4-34e0-45f3-90a5-411e02de0b81", "indicator--592147a4-c318-4643-ba8e-4ab902de0b81", "observed-data--592147a5-40c0-451d-b787-42d202de0b81", "url--592147a5-40c0-451d-b787-42d202de0b81", "indicator--592147a5-3c38-445e-a467-414302de0b81", "indicator--592147a5-9bf4-484a-8562-442f02de0b81", "observed-data--592147a6-3a08-4eb8-b971-475b02de0b81", "url--592147a6-3a08-4eb8-b971-475b02de0b81", "indicator--592147a6-09b4-45c5-9ef5-4c6802de0b81", "indicator--592147a7-e34c-4d74-ae52-4f5202de0b81", "observed-data--592147a7-7f0c-4001-aec3-4e5902de0b81", "url--592147a7-7f0c-4001-aec3-4e5902de0b81", "indicator--592147a7-07ac-445c-897e-44e502de0b81", "indicator--592147a8-5e20-497b-91f0-4e2302de0b81", "observed-data--592147a8-c034-4647-aaa5-486e02de0b81", "url--592147a8-c034-4647-aaa5-486e02de0b81", "indicator--592147a9-7998-4c9d-92b2-4d3102de0b81", "indicator--592147a9-5074-491b-945a-479b02de0b81", "observed-data--592147a9-e100-4719-b4d7-4f2e02de0b81", "url--592147a9-e100-4719-b4d7-4f2e02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "ms-caro-malware:malware-platform=\"Win64\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592144dc-42e8-4149-97a3-4fbb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "first_observed": "2017-05-21T07:53:45Z", "last_observed": "2017-05-21T07:53:45Z", "number_observed": 1, "object_refs": [ "url--592144dc-42e8-4149-97a3-4fbb02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592144dc-42e8-4149-97a3-4fbb02de0b81", "value": "https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--592144eb-a280-449c-97ba-4d3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.\r\n\r\nThe worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.\r\n\r\nEternalRocks uses seven NSA tools\r\nThe worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.\r\n\r\nOnce the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59214509-454c-474d-bacf-443802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "first_observed": "2017-05-21T07:53:45Z", "last_observed": "2017-05-21T07:53:45Z", "number_observed": 1, "object_refs": [ "url--59214509-454c-474d-bacf-443802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59214509-454c-474d-bacf-443802de0b81", "value": "https://github.com/stamparm/EternalRocks/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214567-aa10-4200-a3c7-4b8502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "pattern": "[mutex:name = '{8F6F00C4-B901-45fd-08CF-72FDEFF}']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214568-9d58-416f-b034-474502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "pattern": "[mutex:name = '{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214568-7a90-4544-b7e3-4e8c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "pattern": "[mutex:name = '20b70e57-1c2e-4de9-99e5-69f369006912']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458c-c068-44cd-94de-499302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (captured)", "pattern": "[file:hashes.SHA256 = 'e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458c-5bd4-4aad-ac0d-4edd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:name = 'UpdateInstaller.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458d-69e0-4865-ae74-4be902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = '1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458d-6d7c-4955-bfe8-462902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = '64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458e-dbc4-4695-88d6-4c3002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = '94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458e-4f3c-48a3-906f-44b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = '9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458f-f984-4709-b3c4-465c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921458f-4f50-4859-a4f3-4a6b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214590-96e4-4e1a-8211-4de102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214590-48c0-4936-85b3-45bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214591-83c8-44cd-bb90-4ccb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'd43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214591-bee4-4a98-ba15-46eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'd86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214592-c22c-4c34-bc20-407602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "UpdateInstaller.exe (variant)", "pattern": "[file:hashes.SHA256 = 'fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592145ba-0934-4078-86f7-44cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "# taskhost.exe (captured)", "pattern": "[file:hashes.SHA256 = 'cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592145ba-0978-4a0e-b799-461102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "# taskhost.exe (variant)", "pattern": "[file:hashes.SHA256 = 'a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592145bb-e7f8-4ba7-90e6-487a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "# shadowbrokers.zip (exploits)", "pattern": "[file:hashes.SHA256 = '70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592145de-8f1c-47bd-9d64-4b0a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "pattern": "[domain-name:value = 'ubgdgno5eswkhmpy.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214605-2fa4-41ad-9301-40b502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "Debug strings", "x_misp_type": "pattern-in-file", "x_misp_value": "%PROGRAMFILES%\\(x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214606-b5fc-4f4b-bdbf-484f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "Debug strings", "x_misp_type": "pattern-in-file", "x_misp_value": "%USERPROFILE%\\Documents\\DownLoader\\Project1.vbp" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214606-2d44-4445-8469-400d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "Debug strings", "x_misp_type": "pattern-in-file", "x_misp_value": "%USERPROFILE%\\Documents\\TorUnzip\\Project1.vbp" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214606-c884-4c98-8672-4b3402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "Debug strings", "x_misp_type": "pattern-in-file", "x_misp_value": "%USERPROFILE%\\Documents\\Visual Studio 2015\\Projects\\MicroBotMassiveNet\\taskhost\\obj\\x86\\Debug\\taskhost.pdb" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214607-0ae4-4de2-b171-46ce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "Debug strings", "x_misp_type": "pattern-in-file", "x_misp_value": "%USERPROFILE%\\Documents\\Visual Studio 2015\\Projects\\WindowsServices\\svchost\\bin\\svchost.pdb" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5921462e-a604-4be3-85a9-472a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "first_observed": "2017-05-21T07:53:45Z", "last_observed": "2017-05-21T07:53:45Z", "number_observed": 1, "object_refs": [ "url--5921462e-a604-4be3-85a9-472a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5921462e-a604-4be3-85a9-472a02de0b81", "value": "https://raw.githubusercontent.com/stamparm/EternalRocks/master/misc/exploitation.pcap" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59214647-9828-44af-bab7-434002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "first_observed": "2017-05-21T07:53:45Z", "last_observed": "2017-05-21T07:53:45Z", "number_observed": 1, "object_refs": [ "url--59214647-9828-44af-bab7-434002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59214647-9828-44af-bab7-434002de0b81", "value": "https://raw.githubusercontent.com/stamparm/EternalRocks/master/misc/svchost.7z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921465f-ec80-4d55-862b-497a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "description": "# older (VB6) variants of UpdateInstaller.exe", "pattern": "[file:hashes.IMPHASH = '8ef751c540fdc6962ddc6799f35a907c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"imphash\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214676-e704-412d-b4db-451202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft Updates\\\\']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214697-2604-4d4d-8336-406402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"windows-scheduled-task\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "windows-scheduled-task", "x_misp_value": "ServiceHost" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59214697-11bc-4454-adf2-4c6502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:53:45.000Z", "modified": "2017-05-21T07:53:45.000Z", "labels": [ "misp:type=\"windows-scheduled-task\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "windows-scheduled-task", "x_misp_value": "TaskHost" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214798-f018-439b-aea9-4c7f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:00.000Z", "modified": "2017-05-21T07:54:00.000Z", "description": "# shadowbrokers.zip (exploits) - Xchecked via VT: 70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d", "pattern": "[file:hashes.SHA1 = 'd553d55d3a9d99453550c9493468db663e0af4ec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214798-7234-4525-8617-4ed202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:00.000Z", "modified": "2017-05-21T07:54:00.000Z", "description": "# shadowbrokers.zip (exploits) - Xchecked via VT: 70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d", "pattern": "[file:hashes.MD5 = '6fdbee99dc99a63ac6a5809450d55ad5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59214799-3164-4fc4-a193-416e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:01.000Z", "modified": "2017-05-21T07:54:01.000Z", "first_observed": "2017-05-21T07:54:01Z", "last_observed": "2017-05-21T07:54:01Z", "number_observed": 1, "object_refs": [ "url--59214799-3164-4fc4-a193-416e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59214799-3164-4fc4-a193-416e02de0b81", "value": "https://www.virustotal.com/file/70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d/analysis/1495120618/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214799-da18-4be2-a503-42d602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:01.000Z", "modified": "2017-05-21T07:54:01.000Z", "description": "# taskhost.exe (variant) - Xchecked via VT: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0", "pattern": "[file:hashes.SHA1 = 'e8b40f35af4d5bb24d73faa5a4babb86191b5310']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59214799-35f8-4858-a660-46ef02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:01.000Z", "modified": "2017-05-21T07:54:01.000Z", "description": "# taskhost.exe (variant) - Xchecked via VT: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0", "pattern": "[file:hashes.MD5 = '198f27f5ab972bfd99e89802e40d6ba7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5921479a-3a84-4b4d-88c8-410d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:02.000Z", "modified": "2017-05-21T07:54:02.000Z", "first_observed": "2017-05-21T07:54:02Z", "last_observed": "2017-05-21T07:54:02Z", "number_observed": 1, "object_refs": [ "url--5921479a-3a84-4b4d-88c8-410d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5921479a-3a84-4b4d-88c8-410d02de0b81", "value": "https://www.virustotal.com/file/a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0/analysis/1495206561/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479a-9534-40ba-9010-44c602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:02.000Z", "modified": "2017-05-21T07:54:02.000Z", "description": "# taskhost.exe (captured) - Xchecked via VT: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30", "pattern": "[file:hashes.SHA1 = '8a2cfe220eebde096c17266f1ba597a1065211ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479b-4544-4031-97b3-408002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:03.000Z", "modified": "2017-05-21T07:54:03.000Z", "description": "# taskhost.exe (captured) - Xchecked via VT: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30", "pattern": "[file:hashes.MD5 = 'c52f20a854efb013a0a1248fd84aaa95']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5921479b-6fd0-4131-ba06-4fd302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:03.000Z", "modified": "2017-05-21T07:54:03.000Z", "first_observed": "2017-05-21T07:54:03Z", "last_observed": "2017-05-21T07:54:03Z", "number_observed": 1, "object_refs": [ "url--5921479b-6fd0-4131-ba06-4fd302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5921479b-6fd0-4131-ba06-4fd302de0b81", "value": "https://www.virustotal.com/file/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30/analysis/1495334571/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479b-3d7c-4620-878e-4f3c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:03.000Z", "modified": "2017-05-21T07:54:03.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd", "pattern": "[file:hashes.SHA1 = '7ffc0e123e6111e558fb99844d3b317694e419b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479c-7c70-4d05-bb56-4f9302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:04.000Z", "modified": "2017-05-21T07:54:04.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd", "pattern": "[file:hashes.MD5 = '5e8e046cb09f73b1e02aa4ac69c5765e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5921479c-47fc-4946-a54c-410d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:04.000Z", "modified": "2017-05-21T07:54:04.000Z", "first_observed": "2017-05-21T07:54:04Z", "last_observed": "2017-05-21T07:54:04Z", "number_observed": 1, "object_refs": [ "url--5921479c-47fc-4946-a54c-410d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5921479c-47fc-4946-a54c-410d02de0b81", "value": "https://www.virustotal.com/file/fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd/analysis/1495312487/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479c-bac0-4c02-883f-49ee02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:04.000Z", "modified": "2017-05-21T07:54:04.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5", "pattern": "[file:hashes.SHA1 = '0d1535b51fd21a976a9c1184a56fbde4592a0f8f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479d-c6ac-43c7-b8fe-4fa702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:05.000Z", "modified": "2017-05-21T07:54:05.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5", "pattern": "[file:hashes.MD5 = 'c0321a1a0d33cd88bb04ec0250f8e924']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5921479d-8944-410b-b861-442a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:05.000Z", "modified": "2017-05-21T07:54:05.000Z", "first_observed": "2017-05-21T07:54:05Z", "last_observed": "2017-05-21T07:54:05Z", "number_observed": 1, "object_refs": [ "url--5921479d-8944-410b-b861-442a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5921479d-8944-410b-b861-442a02de0b81", "value": "https://www.virustotal.com/file/d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5/analysis/1495132402/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479e-4180-4d80-a484-466802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:06.000Z", "modified": "2017-05-21T07:54:06.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c", "pattern": "[file:hashes.SHA1 = 'ae461ac186c4e42f935ff9e49408bbae47899706']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479e-3174-407f-961b-4d9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:06.000Z", "modified": "2017-05-21T07:54:06.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c", "pattern": "[file:hashes.MD5 = 'b61068f85f030ee23d5b33b5b0c03930']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5921479e-52f8-4333-894c-441802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:06.000Z", "modified": "2017-05-21T07:54:06.000Z", "first_observed": "2017-05-21T07:54:06Z", "last_observed": "2017-05-21T07:54:06Z", "number_observed": 1, "object_refs": [ "url--5921479e-52f8-4333-894c-441802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5921479e-52f8-4333-894c-441802de0b81", "value": "https://www.virustotal.com/file/d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c/analysis/1495133936/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479f-b5b4-4437-83e0-449902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:07.000Z", "modified": "2017-05-21T07:54:07.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491", "pattern": "[file:hashes.SHA1 = '64cb5c3f2cbd238f7f1d707f99dd98713c539f11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5921479f-0ca8-445d-a6ef-4f5902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:07.000Z", "modified": "2017-05-21T07:54:07.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491", "pattern": "[file:hashes.MD5 = '35c29de908e04eca97b39b96b3cadc2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a0-e5dc-4358-b8a8-44da02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:08.000Z", "modified": "2017-05-21T07:54:08.000Z", "first_observed": "2017-05-21T07:54:08Z", "last_observed": "2017-05-21T07:54:08Z", "number_observed": 1, "object_refs": [ "url--592147a0-e5dc-4358-b8a8-44da02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a0-e5dc-4358-b8a8-44da02de0b81", "value": "https://www.virustotal.com/file/c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491/analysis/1495319617/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a0-8434-45c4-ab3a-435302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:08.000Z", "modified": "2017-05-21T07:54:08.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867", "pattern": "[file:hashes.SHA1 = '0cc1d20c48a0ec73329fac801ef5bf212a5a8dd6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a1-6984-43e2-be35-430802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:09.000Z", "modified": "2017-05-21T07:54:09.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867", "pattern": "[file:hashes.MD5 = '344d431a88391fc89f97f3ccf87a603e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a1-b764-420e-bcf8-4e7302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:09.000Z", "modified": "2017-05-21T07:54:09.000Z", "first_observed": "2017-05-21T07:54:09Z", "last_observed": "2017-05-21T07:54:09Z", "number_observed": 1, "object_refs": [ "url--592147a1-b764-420e-bcf8-4e7302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a1-b764-420e-bcf8-4e7302de0b81", "value": "https://www.virustotal.com/file/b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867/analysis/1495133695/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a2-f2bc-4bcd-92cd-4f0102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:10.000Z", "modified": "2017-05-21T07:54:10.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa", "pattern": "[file:hashes.SHA1 = '822db2fd78b39b49547cce2f7fb92b276c74bcef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a2-49c8-4a16-ab00-4ada02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:10.000Z", "modified": "2017-05-21T07:54:10.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa", "pattern": "[file:hashes.MD5 = '2d540860d91cd25cc8d61555523c76ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a2-9c98-4a76-9053-4c3902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:10.000Z", "modified": "2017-05-21T07:54:10.000Z", "first_observed": "2017-05-21T07:54:10Z", "last_observed": "2017-05-21T07:54:10Z", "number_observed": 1, "object_refs": [ "url--592147a2-9c98-4a76-9053-4c3902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a2-9c98-4a76-9053-4c3902de0b81", "value": "https://www.virustotal.com/file/ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa/analysis/1495132708/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a3-1ed8-4ffb-86c9-421202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:11.000Z", "modified": "2017-05-21T07:54:11.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392", "pattern": "[file:hashes.SHA1 = '7d0a8cef28518f9be8ad083dcbd719ac4c85d89c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a3-1200-4f89-a06f-440202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:11.000Z", "modified": "2017-05-21T07:54:11.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392", "pattern": "[file:hashes.MD5 = '67ef79ee308b8625d5f20ea3e5379436']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a3-3234-4995-99a3-4c8102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:11.000Z", "modified": "2017-05-21T07:54:11.000Z", "first_observed": "2017-05-21T07:54:11Z", "last_observed": "2017-05-21T07:54:11Z", "number_observed": 1, "object_refs": [ "url--592147a3-3234-4995-99a3-4c8102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a3-3234-4995-99a3-4c8102de0b81", "value": "https://www.virustotal.com/file/a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392/analysis/1495116317/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a4-34e0-45f3-90a5-411e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:12.000Z", "modified": "2017-05-21T07:54:12.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b", "pattern": "[file:hashes.SHA1 = '1cbc9d531ba0e5e67a1ada95cff19bf0020f88f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a4-c318-4643-ba8e-4ab902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:12.000Z", "modified": "2017-05-21T07:54:12.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b", "pattern": "[file:hashes.MD5 = 'b7cf3852a0168777f8856e6565d8fe2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a5-40c0-451d-b787-42d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:13.000Z", "modified": "2017-05-21T07:54:13.000Z", "first_observed": "2017-05-21T07:54:13Z", "last_observed": "2017-05-21T07:54:13Z", "number_observed": 1, "object_refs": [ "url--592147a5-40c0-451d-b787-42d202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a5-40c0-451d-b787-42d202de0b81", "value": "https://www.virustotal.com/file/9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b/analysis/1495206518/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a5-3c38-445e-a467-414302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:13.000Z", "modified": "2017-05-21T07:54:13.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97", "pattern": "[file:hashes.SHA1 = 'f1c027679d5009da067b12af258adc8afaade178']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a5-9bf4-484a-8562-442f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:13.000Z", "modified": "2017-05-21T07:54:13.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97", "pattern": "[file:hashes.MD5 = '496131b90f83e8278462d2dd21213646']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a6-3a08-4eb8-b971-475b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:14.000Z", "modified": "2017-05-21T07:54:14.000Z", "first_observed": "2017-05-21T07:54:14Z", "last_observed": "2017-05-21T07:54:14Z", "number_observed": 1, "object_refs": [ "url--592147a6-3a08-4eb8-b971-475b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a6-3a08-4eb8-b971-475b02de0b81", "value": "https://www.virustotal.com/file/94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97/analysis/1495116293/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a6-09b4-45c5-9ef5-4c6802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:14.000Z", "modified": "2017-05-21T07:54:14.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15", "pattern": "[file:hashes.SHA1 = 'f57f71ae1e52f25ec9f643760551e1b6cfb9c7ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a7-e34c-4d74-ae52-4f5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:15.000Z", "modified": "2017-05-21T07:54:15.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15", "pattern": "[file:hashes.MD5 = '3771b97552810a0ed107730b718f6fe1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a7-7f0c-4001-aec3-4e5902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:15.000Z", "modified": "2017-05-21T07:54:15.000Z", "first_observed": "2017-05-21T07:54:15Z", "last_observed": "2017-05-21T07:54:15Z", "number_observed": 1, "object_refs": [ "url--592147a7-7f0c-4001-aec3-4e5902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a7-7f0c-4001-aec3-4e5902de0b81", "value": "https://www.virustotal.com/file/64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15/analysis/1495260898/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a7-07ac-445c-897e-44e502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:15.000Z", "modified": "2017-05-21T07:54:15.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d", "pattern": "[file:hashes.SHA1 = '70181383eedd8e93e3ecf1c05238c928e267163d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a8-5e20-497b-91f0-4e2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:16.000Z", "modified": "2017-05-21T07:54:16.000Z", "description": "UpdateInstaller.exe (variant) - Xchecked via VT: 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d", "pattern": "[file:hashes.MD5 = '76e94e525a2d1a350ff989d532239976']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a8-c034-4647-aaa5-486e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:16.000Z", "modified": "2017-05-21T07:54:16.000Z", "first_observed": "2017-05-21T07:54:16Z", "last_observed": "2017-05-21T07:54:16Z", "number_observed": 1, "object_refs": [ "url--592147a8-c034-4647-aaa5-486e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a8-c034-4647-aaa5-486e02de0b81", "value": "https://www.virustotal.com/file/1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d/analysis/1495312044/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a9-7998-4c9d-92b2-4d3102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:17.000Z", "modified": "2017-05-21T07:54:17.000Z", "description": "UpdateInstaller.exe (captured) - Xchecked via VT: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc", "pattern": "[file:hashes.SHA1 = 'b05f2d07d0af1184066f766bc78d1b680236c1b3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--592147a9-5074-491b-945a-479b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:17.000Z", "modified": "2017-05-21T07:54:17.000Z", "description": "UpdateInstaller.exe (captured) - Xchecked via VT: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc", "pattern": "[file:hashes.MD5 = '994bd0b23cce98b86e58218b9032ffab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-21T07:54:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--592147a9-e100-4719-b4d7-4f2e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-21T07:54:17.000Z", "modified": "2017-05-21T07:54:17.000Z", "first_observed": "2017-05-21T07:54:17Z", "last_observed": "2017-05-21T07:54:17Z", "number_observed": 1, "object_refs": [ "url--592147a9-e100-4719-b4d7-4f2e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--592147a9-e100-4719-b4d7-4f2e02de0b81", "value": "https://www.virustotal.com/file/e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc/analysis/1495348433/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }