{ "Event": { "analysis": "1", "date": "2019-10-07", "extends_uuid": "", "info": "Emotet in Depth TTP 10-07-19", "publish_timestamp": "1592358012", "published": true, "threat_level_id": "2", "timestamp": "1621850615", "uuid": "5d9b5933-964c-433c-b84f-4c680a2fe004", "Orgc": { "name": "MiSOC", "uuid": "5d49b744-1ef4-4480-b486-40f06b08ac45" }, "Tag": [ { "colour": "#4de3bf", "name": "Emotet" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-tool=\"Empire - S0363\"" }, { "colour": "#0088cc", "name": "misp-galaxy:tool=\"Emotet\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"New Service - T1050\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "Network activity", "comment": "Maldoc 1st stage Download URL's", "deleted": false, "disable_correlation": false, "timestamp": "1570462687", "to_ids": true, "type": "url", "uuid": "5d9b5bdf-36e8-494f-9bda-4522a63f8736", "value": "http://dulich.goasiatravel.com/calendar/u8hsm_46c4yi-6024747470/" }, { "category": "Network activity", "comment": "Maldoc 1st stage Download URL's", "deleted": false, "disable_correlation": false, "timestamp": "1570462687", "to_ids": true, "type": "url", "uuid": "5d9b5bdf-b5ac-4550-8ee8-4491a63f8736", "value": "https://drewnianazagroda.pl/c0nm/PtlOoIWOzs/" }, { "category": "Network activity", "comment": "Maldoc 1st stage Download URL's", "deleted": false, "disable_correlation": false, "timestamp": "1570462687", "to_ids": true, "type": "url", "uuid": "5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736", "value": "http://latestgovernment.com/pramodchoudhary.examqualify.com/CKBOIhWtjs/" }, { "category": "Network activity", "comment": "Maldoc 1st stage Download URL's", "deleted": false, "disable_correlation": false, "timestamp": "1570462687", "to_ids": true, "type": "url", "uuid": "5d9b5bdf-b654-4401-9164-4f6ba63f8736", "value": "https://kurumsalinternetsitesi.com/wp-content/wgSCKDClY/" }, { "category": "Network activity", "comment": "Maldoc 1st stage Download URL's", "deleted": false, "disable_correlation": false, "timestamp": "1570462687", "to_ids": true, "type": "url", "uuid": "5d9b5bdf-9bf0-4a3f-8387-404ca63f8736", "value": "https://edealsadvisor.com/wp-includes/ZqLAroEkK/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-879c-49ef-846b-315974656a8a", "value": "http://201.184.105.242/ban/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-325c-4d0b-a401-315974656a8a", "value": "http://201.184.105.242/cone/dma/arizona/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-7ae4-4276-abff-315974656a8a", "value": "http://201.184.105.242/health/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-90e4-4122-9476-315974656a8a", "value": "http://201.184.105.242/iplk/enable/loadan/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-f444-4981-917b-315974656a8a", "value": "http://201.184.105.242/loadan/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-558c-4548-a83c-315974656a8a", "value": "http://201.184.105.242/sess/pnp/ringin/merge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-3d98-416c-9ff5-315974656a8a", "value": "http://201.184.105.242/site/vermont/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-94f8-4ae2-9a3b-315974656a8a", "value": "http://201.184.105.242/symbols/schema/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-4208-483c-badc-315974656a8a", "value": "http://45.123.3.54/badge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-e7d4-4ece-94ac-315974656a8a", "value": "http://45.123.3.54/publish/acquire/enabled/merge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-3188-4a7f-8e13-315974656a8a", "value": "http://45.123.3.54/site/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-9f88-43a2-9b73-315974656a8a", "value": "http://80.79.23.144/free/schema/scripts/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-5b0c-49d0-802a-315974656a8a", "value": "http://80.79.23.144/results/cone/window/merge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-4e48-4b7d-ba67-315974656a8a", "value": "http://80.79.23.144/splash/prov/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-47a0-4480-a429-315974656a8a", "value": "http://104.131.11.150/cookies/usbccid/enabled/merge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-6acc-48a8-abba-315974656a8a", "value": "http://104.131.11.150/dma/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-04f8-46df-bf49-315974656a8a", "value": "http://104.131.11.150/img/enabled/scripts/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-cb88-445a-8eaa-315974656a8a", "value": "http://142.44.162.209/pnp/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-3910-4501-8065-315974656a8a", "value": "http://142.44.162.209/report/chunk/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-4910-4e43-9939-315974656a8a", "value": "http://142.44.162.209/results/glitch/merge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-55f8-4fd0-807a-315974656a8a", "value": "http://178.254.6.27/site/results/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-24e0-4062-9bba-315974656a8a", "value": "http://178.254.6.27/stubs/pnp/window/merge/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-560c-4070-b46f-315974656a8a", "value": "http://178.254.6.27/taskbar/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-dec8-4574-9ced-315974656a8a", "value": "http://192.254.173.31/child/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571266221", "to_ids": true, "type": "url", "uuid": "5da79ead-048c-4da7-92c0-315974656a8a", "value": "http://192.254.173.31/json/add/" }, { "category": "External analysis", "comment": "Source of the MISP event", "deleted": false, "disable_correlation": false, "timestamp": "1576589797", "to_ids": false, "type": "link", "uuid": "5df8d9e5-f7a0-45b8-87c3-45ea950d210f", "value": "https://github.com/Hestat/intel-sharing/blob/master/powershell-empire-12-16-19/misp.event.7941.json" } ], "Object": [ { "comment": "Selected Malware Document for sandbox run", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570462332", "uuid": "5d9b5a7c-7204-4384-9512-48970a2fe004", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570462332", "to_ids": true, "type": "malware-sample", "uuid": "5d9b5a7c-2560-44ac-969d-42e60a2fe004", "value": "SCAN_10079460983_IB_1007.doc|9ce5126ffcbc936ad6c0155763898f19" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1570462332", "to_ids": false, "type": "filename", "uuid": "5d9b5a7c-c814-4b59-903f-4c0e0a2fe004", "value": "SCAN_10079460983_IB_1007.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1570462332", "to_ids": true, "type": "md5", "uuid": "5d9b5a7c-6d60-4555-90a2-42c30a2fe004", "value": "9ce5126ffcbc936ad6c0155763898f19" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1570462332", "to_ids": true, "type": "sha1", "uuid": "5d9b5a7c-74a0-4902-addb-4afa0a2fe004", "value": "284534ae3c3ca467f098115d07cd7e14cbec9583" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1570462332", "to_ids": true, "type": "sha256", "uuid": "5d9b5a7c-3ef8-48e9-8671-40760a2fe004", "value": "dd007df90f91857a9efe65008cf015f7955ff05a5b243017e4931087f5742355" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1570462332", "to_ids": false, "type": "size-in-bytes", "uuid": "5d9b5a7c-4740-4d31-bca2-4f830a2fe004", "value": "175104" } ] }, { "comment": "Cobalt strike payload called by powershell", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570462376", "uuid": "5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570462376", "to_ids": true, "type": "malware-sample", "uuid": "5d9b5aa8-5124-4bfe-bcc4-446c0a2fe004", "value": "ikillyou.txt|26017e97acce09276f3b4c6800dec256" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1570462376", "to_ids": false, "type": "filename", "uuid": "5d9b5aa8-6c48-43a7-a725-4a860a2fe004", "value": "ikillyou.txt" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1570462376", "to_ids": true, "type": "md5", "uuid": "5d9b5aa8-a07c-4401-99ee-44b80a2fe004", "value": "26017e97acce09276f3b4c6800dec256" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1570462376", "to_ids": true, "type": "sha1", "uuid": "5d9b5aa8-e53c-4d68-a233-4d5f0a2fe004", "value": "b49b6719495f8398f72e18c0e9450feacb0f9bd9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1570462376", "to_ids": true, "type": "sha256", "uuid": "5d9b5aa8-732c-4ebc-b096-429a0a2fe004", "value": "3306d41a09840db2e94e7497c911e8d61d15776b44346f02bbb6a88f5bd51caa" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1570462376", "to_ids": false, "type": "size-in-bytes", "uuid": "5d9b5aa8-72c0-4d0f-9783-47980a2fe004", "value": "2789" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570467114", "uuid": "5d9b6d2a-f048-4333-a71b-4f830a2fe004", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570467114", "to_ids": true, "type": "malware-sample", "uuid": "5d9b6d2a-661c-4c0a-8813-4ab70a2fe004", "value": "26017e97acce09276f3b4c6800dec256_unzipped_decoded.zip|0e8c5174646dcd87ac893271b80c9633" } ] }, { "comment": "Emotet Exe", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570472117", "uuid": "5d9b80b5-67ac-4570-8958-4ea90a2fe004", "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570472117", "to_ids": true, "type": "malware-sample", "uuid": "5d9b80b5-83e8-4811-933f-40dc0a2fe004", "value": "pixelproc.exe|9afcbf6f4f13a40791d368df767b4304", "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:tool=\"Emotet\"" } ] }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1570472117", "to_ids": false, "type": "filename", "uuid": "5d9b80b5-1bfc-4bbd-aabf-4e400a2fe004", "value": "pixelproc.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1570472117", "to_ids": true, "type": "md5", "uuid": "5d9b80b5-ff4c-4d46-98ce-40cd0a2fe004", "value": "9afcbf6f4f13a40791d368df767b4304" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1570472117", "to_ids": true, "type": "sha1", "uuid": "5d9b80b5-c704-4916-a3bb-45780a2fe004", "value": "019a178ee95b34980a2f07ee624528de5f4eae44" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1570472117", "to_ids": true, "type": "sha256", "uuid": "5d9b80b5-437c-41c1-823b-459c0a2fe004", "value": "16d007d650d117c68da005747378f16cebe820e75a2565be70602fad2cb6e1fe" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1570472117", "to_ids": false, "type": "size-in-bytes", "uuid": "5d9b80b5-e340-4e19-977b-47d30a2fe004", "value": "221184" } ] }, { "comment": "Trickbot Exe", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570472258", "uuid": "5d9b8142-6bd0-484e-8a8f-43410a2fe004", "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570472258", "to_ids": true, "type": "malware-sample", "uuid": "5d9b8142-9654-49da-af32-4ba80a2fe004", "value": ".exe|9240845226d22642cbe5e0d39205d869" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1570472258", "to_ids": false, "type": "filename", "uuid": "5d9b8142-56b8-49a7-8e90-426d0a2fe004", "value": ".exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1570472258", "to_ids": true, "type": "md5", "uuid": "5d9b8142-3a1c-4760-872c-436f0a2fe004", "value": "9240845226d22642cbe5e0d39205d869" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1570472258", "to_ids": true, "type": "sha1", "uuid": "5d9b8142-04e4-4ebe-8564-44590a2fe004", "value": "10dae0bced984456d3d7a2b059cd71a4762f1c5b" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1570472258", "to_ids": true, "type": "sha256", "uuid": "5d9b8142-b590-4445-81b3-4ffb0a2fe004", "value": "4cbe34dc9928a6b93786a69bea92b3df0e04fd67d116fc1746d817496314de9e" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1570472258", "to_ids": false, "type": "size-in-bytes", "uuid": "5d9b8142-3e88-4463-b633-4ab80a2fe004", "value": "393309" } ] }, { "comment": "Trickbot artifact", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570472290", "uuid": "5d9b8162-9658-45ba-897f-4cdd0a2fe004", "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570472290", "to_ids": true, "type": "malware-sample", "uuid": "5d9b8162-fb20-4ad9-91da-45380a2fe004", "value": "settings.ini|03dfc482ccecbbbc16c5c208ae55d49a" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1570472290", "to_ids": false, "type": "filename", "uuid": "5d9b8162-0990-4049-848a-459d0a2fe004", "value": "settings.ini" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1570472290", "to_ids": true, "type": "md5", "uuid": "5d9b8162-b0bc-42c4-8bb8-4d660a2fe004", "value": "03dfc482ccecbbbc16c5c208ae55d49a" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1570472290", "to_ids": true, "type": "sha1", "uuid": "5d9b8162-cae0-41f9-8933-42050a2fe004", "value": "46b1ad83e2bbf22b08462656e979bca53afff6ba" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1570472290", "to_ids": true, "type": "sha256", "uuid": "5d9b8162-0efc-48c5-a090-42360a2fe004", "value": "e23033b26e459f6987fb65b9dd8a975a14c2ea9d903a720d4a67a32d43bff293" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1570472290", "to_ids": false, "type": "size-in-bytes", "uuid": "5d9b8162-9158-4838-8904-44830a2fe004", "value": "63950" } ] }, { "comment": "Exchange DB file from trickbot", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1570472314", "uuid": "5d9b817a-8320-4f3b-afee-43650a2fe004", "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1570472314", "to_ids": true, "type": "malware-sample", "uuid": "5d9b817a-6ea0-47b0-a1a3-47a00a2fe004", "value": "grabber_temp.INTEG.RAW|b65e8c666af6ff39c67552e0c98f55d5" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1570472314", "to_ids": false, "type": "filename", "uuid": "5d9b817a-53e4-4d92-9256-4c0c0a2fe004", "value": "grabber_temp.INTEG.RAW" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1570472314", "to_ids": true, "type": "md5", "uuid": "5d9b817a-44f0-4c37-95f3-46e60a2fe004", "value": "b65e8c666af6ff39c67552e0c98f55d5" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1570472314", "to_ids": true, "type": "sha1", "uuid": "5d9b817a-6698-4f70-97c0-4a940a2fe004", "value": "844ce6691b66a81237a592ec6bd2c59c8dbd52a0" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1570472314", "to_ids": true, "type": "sha256", "uuid": "5d9b817a-dedc-4ee0-85b5-46f60a2fe004", "value": "2826263cc5a3199167970f988c628c177ec45cee60618ae40e9fe84ec9167b73" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1570472314", "to_ids": false, "type": "size-in-bytes", "uuid": "5d9b817a-cc38-4f34-8da2-4e8d0a2fe004", "value": "138246" } ] }, { "comment": "Cobalt Strike C2 Server", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1570472706", "uuid": "5d9b8302-b1ec-49b1-8c31-46d50a2fe004", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1570472706", "to_ids": false, "type": "port", "uuid": "5d9b8302-1ecc-493a-b7fd-41d70a2fe004", "value": "443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1570472706", "to_ids": true, "type": "ip-dst", "uuid": "5d9b8302-fea8-4074-a5f1-4d020a2fe004", "value": "144.202.75.93" } ] }, { "comment": "Powershell Empire C2", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1570472771", "uuid": "5d9b8343-9d98-442f-b331-4a9a0a2fe004", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1570472771", "to_ids": false, "type": "port", "uuid": "5d9b8343-c774-4cf8-a1d1-4c930a2fe004", "value": "443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1570472771", "to_ids": true, "type": "ip-dst", "uuid": "5d9b8343-6770-4d3d-b8a0-42a60a2fe004", "value": "91.200.102.245" } ] } ] } }