{ "Event": { "analysis": "0", "date": "2019-05-03", "extends_uuid": "", "info": "ESET Turla LightNeuron Research", "publish_timestamp": "1557477502", "published": true, "threat_level_id": "4", "timestamp": "1607525139", "uuid": "5cccb246-0da0-4c93-a463-61fe0a016219", "Orgc": { "name": "ESET", "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" }, "Tag": [ { "colour": "#12e200", "local": "0", "name": "misp-galaxy:threat-actor=\"Turla Group\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Collection - T1119\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Exfiltration - T1020\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encrypted - T1022\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Obfuscation - T1001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Transfer - T1029\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Cryptographic Protocol - T1032\"", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919229", "to_ids": false, "type": "md5", "uuid": "6f5800ff-87e0-46fc-adac-807018e9d07f", "value": "9ed3438587e25073c17e82958010a3aa" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919226", "to_ids": false, "type": "sha1", "uuid": "64d9f4ac-632e-458b-af36-a2e6e1d2bd57", "value": "3c851e239fbf67a03e0dae8f63eee702b330db6c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919223", "to_ids": false, "type": "sha256", "uuid": "90bcabcb-b2fb-4e73-a1a1-88f8a9e186df", "value": "fec68a0fea0019c878c8a348976c0ec0b8ecf6e7c63fe99afabfff2b7e6d4b11" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919213", "to_ids": false, "type": "md5", "uuid": "4f4bdd4d-f0c4-4761-bed8-711f1b3b7744", "value": "2b14f9f3c758a2cf842a61aca6a3455d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919202", "to_ids": false, "type": "sha1", "uuid": "25408199-95da-448d-a95f-a222dc7ba162", "value": "f9d52bb5a30b42fc2d1763be586cee8a57424732" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919196", "to_ids": false, "type": "sha256", "uuid": "66fa127c-7625-441a-b0ab-bc0b72403ca8", "value": "25facbc4265ca90f0508e77e97e1e6fcc7e46f6cca316b251b06d41232f6360c" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556918970", "to_ids": false, "type": "text", "uuid": "5df144ba-2702-4d5b-9070-a089c28fe905", "value": "MSIL/Turla.A" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919193", "to_ids": false, "type": "md5", "uuid": "4440b265-2377-474c-83f1-8c8f24348f57", "value": "5924eac8af1f3e3f1f825998bc59c062" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919189", "to_ids": false, "type": "sha1", "uuid": "17417300-6cef-4720-8772-b90887ce8cb9", "value": "0a9f10925af42df94925d07112f303d57392c908" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919187", "to_ids": false, "type": "sha256", "uuid": "24645bfe-0e15-4c57-806e-27b6dacb18e8", "value": "88c90c2b123a357423ab3241624cba49d57122ee3b8ff4130504090c174bb09d" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556918976", "to_ids": false, "type": "text", "uuid": "22e9a8ca-f758-440b-befe-f5cec1d249d0", "value": "Win64/Turla.CC" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919181", "to_ids": false, "type": "md5", "uuid": "eea9d060-4ae7-41f8-ac22-a4a0c15a31b5", "value": "c86e40e1fd2bd477a7f0cfed63fbca4a" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919184", "to_ids": false, "type": "sha1", "uuid": "09c6ef7c-ff1a-4b86-9d87-74b859bfbfae", "value": "76ee1802a6c920cbeb3a1053a4ec03c71b7e46f8" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919160", "to_ids": false, "type": "sha256", "uuid": "6af7a8c3-f17d-43fb-8c10-1602910bc038", "value": "92af9451d6809e035246869e53a56e1717224b28e8e96af4d80573264435d524" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919123", "to_ids": false, "type": "md5", "uuid": "edfdb3f9-c762-46d9-8597-29cc5f1fa50e", "value": "7519b8c8ed36ec0840112bf9581717a3" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919120", "to_ids": false, "type": "sha1", "uuid": "7111a10b-7725-4579-96b6-cf01f779b816", "value": "c1ff6804fdb8656ab08928d187837d28060a552f" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919117", "to_ids": false, "type": "sha256", "uuid": "0b557f56-389f-4c44-abf0-1d464922eb01", "value": "c730d1af146bc420a1dfbbc647e53133a95cc87e9e519f37a01a413410e16498" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919113", "to_ids": false, "type": "md5", "uuid": "606aa8cc-8fe7-4a35-8755-7804c04a19d3", "value": "32d92f9c125816c5ffd407577ad3ccc2" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919110", "to_ids": false, "type": "sha1", "uuid": "d8cc496a-4c78-4d26-8ded-e605b7f65179", "value": "ff28b53b55bc77a5b4626f9db856e67ac598c787" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919107", "to_ids": false, "type": "sha256", "uuid": "60abe762-ba0e-46a0-86a9-d9de3a6ef85e", "value": "d01745a8f454fbf173c8b410f279a84fd3b2dace379c1d67ba9b40c9813b200d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919102", "to_ids": false, "type": "md5", "uuid": "21bf9cf9-356b-44cd-9b40-534f3d26ace6", "value": "e1fdde61d9db9d6875994e4a412987f7" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919097", "to_ids": false, "type": "sha1", "uuid": "1ce77aca-09f7-4e3b-b249-444b349dd34c", "value": "556674f08ecca84d19a8a756e3457dbf6aff4a1c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919094", "to_ids": false, "type": "sha256", "uuid": "efc3fcdc-9987-43a4-82b3-c6b51f28e9f4", "value": "ce01c8087368b7938175b217e9d4e2b50bbd3007d6f9b786d9b86a38a1acbc85" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919042", "to_ids": false, "type": "sha1", "uuid": "5cccb302-f18c-4e72-9744-65540a016219", "value": "a4d1a34fe5effd90ccb6897679586ddc07fbc5cd" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919055", "to_ids": false, "type": "md5", "uuid": "5cccb30f-1b18-476d-9558-5d380a016219", "value": "55319464e46e2c31d22b39b46d5477fb" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1556919083", "to_ids": false, "type": "sha256", "uuid": "5cccb32b-8110-48f1-a6a8-65560a016219", "value": "14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1" }, { "category": "Artifacts dropped", "comment": "config file", "deleted": false, "disable_correlation": false, "timestamp": "1556919373", "to_ids": false, "type": "filename", "uuid": "5cccb441-3720-468d-88a1-5d3a0a016219", "value": "%tmp%\\winmail.dat" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-1e60-443e-919e-5d3a0a016219", "value": "%WINDIR%\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\msmocf.xml" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-f920-4f2e-95bf-5d3a0a016219", "value": "%WINDIR%\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\msmodl.dat" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-cff8-4af7-b7ad-5d3a0a016219", "value": "Windows\\814ad43-58ab-2cd3-3e68-b82a8f402fd0" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-9730-46ba-ac64-5d3a0a016219", "value": "Windows\\42cf8a1-6e20-8c24-d35f-82c46d8b70ba" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-5ae4-450a-9e04-5d3a0a016219", "value": "%WINDIR%\\serviceprofiles\\networkservice\\appdata\\Roaming\\Microsoft\\" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-253c-4882-85f1-5d3a0a016219", "value": "Windows\\36b1f4a-82b9-eb06-7c1e-90b4b2d5c27d" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-f7c8-4e1c-bfc9-5d3a0a016219", "value": "%WINDIR%\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\Microsoft\\thumbcache_idx.db" }, { "category": "Artifacts dropped", "comment": "log file", "deleted": false, "disable_correlation": false, "timestamp": "1556919361", "to_ids": false, "type": "filename", "uuid": "5cccb441-b8c0-4633-904e-5d3a0a016219", "value": "%WINDIR%\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\Microsoft\\Windows\\thumbcache_32.db" }, { "category": "External analysis", "comment": "White Paper", "deleted": false, "disable_correlation": false, "timestamp": "1556920513", "to_ids": false, "type": "url", "uuid": "5cccb8c1-67d4-43c3-b904-65540a016219", "value": "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" } ] } }