{ "Event": { "analysis": "0", "date": "2018-03-12", "extends_uuid": "", "info": "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam", "publish_timestamp": "1536755880", "published": true, "threat_level_id": "3", "timestamp": "1536755790", "uuid": "5b9123c0-1480-4e09-877e-4783950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#2c4f00", "name": "malware_classification:malware-category=\"Ransomware\"" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#0088cc", "name": "misp-galaxy:ransomware=\"Sigma Ransomware\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"" }, { "colour": "#026900", "name": "monarc-threat:unauthorised-actions=\"corruption-of-data\"" }, { "colour": "#039900", "name": "monarc-threat:compromise-of-information=\"malware-infection\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1536329213", "to_ids": false, "type": "text", "uuid": "5b912411-f738-46fc-b27c-4ada950d210f", "value": "Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. 
These spam emails contain password-protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipient's computer.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1536329222", "to_ids": false, "type": "link", "uuid": "5b912433-50b0-4e96-8d7a-44b1950d210f", "value": "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1536240806", "to_ids": true, "type": "url", "uuid": "5b912ca6-7264-48c8-afca-40e4950d210f", "value": "http://185.121.139.229/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1536326656", "to_ids": true, "type": "filename", "uuid": "5b927c00-c9c8-4780-84da-abc4950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\taskwgr.exe" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536240542", "uuid": "5b912b9e-67d4-45ad-b17d-4020950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536240542", "to_ids": true, "type": "sha256", "uuid": "5b912b9e-a4d4-4f19-a85a-4b45950d210f", "value": "b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": 
"1536240546", "to_ids": false, "type": "text", "uuid": "5b912ba2-604c-4c25-b80f-4c2c950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536755335", "uuid": "af63c140-7e55-4ae2-a261-9f126f0195ab", "ObjectReference": [ { "comment": "", "object_uuid": "af63c140-7e55-4ae2-a261-9f126f0195ab", "referenced_uuid": "6241958e-2b1b-4ccf-8aa5-0aee9e179e50", "relationship_type": "analysed-with", "timestamp": "1536302901", "uuid": "5b921f35-0d6c-4a42-b336-495202de0b81" }, { "comment": "", "object_uuid": "af63c140-7e55-4ae2-a261-9f126f0195ab", "referenced_uuid": "f04b2156-46a7-4ffe-a470-b0d0ac7ef70e", "relationship_type": "analysed-with", "timestamp": "1536755345", "uuid": "5b990691-7064-4bee-bcb8-494c02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1536302885", "to_ids": true, "type": "md5", "uuid": "1badb4a6-67f0-408a-9ba2-f60f41bb913c", "value": "9afa3302527608a30408958bc48019fc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1536302888", "to_ids": true, "type": "sha1", "uuid": "3f8e1d75-74db-40bd-a845-6289bdb3dc91", "value": "0d34add7d61e26583dc54e7b89b6d4056d6bf201" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536302891", "to_ids": true, "type": "sha256", "uuid": "2d4820de-1980-4c31-a0ff-8c0b43a9936d", "value": "b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": 
"d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1536302893", "uuid": "6241958e-2b1b-4ccf-8aa5-0aee9e179e50", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1536302893", "to_ids": false, "type": "datetime", "uuid": "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288", "value": "2018-08-28T00:23:39" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1536302896", "to_ids": false, "type": "link", "uuid": "18055e03-5add-4a61-9465-9afc972b1cb3", "value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1536302898", "to_ids": false, "type": "text", "uuid": "e911d120-fdf4-4110-8272-ddb11eedd9ec", "value": "45/67" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536325764", "uuid": "5b927884-8d5c-4a6c-af30-4daa950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536325764", "to_ids": true, "type": "filename", "uuid": "5b927884-8b74-453b-ae0f-439b950d210f", "value": "ReadMe.txt" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536325764", "to_ids": false, "type": "text", "uuid": "5b927884-63d4-43d8-b2c8-4c68950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "Registry key object describing a Windows registry key with value 
and last-modified timestamp", "meta-category": "file", "name": "registry-key", "template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", "template_version": "4", "timestamp": "1536326106", "uuid": "5b9279c2-40a4-4823-840a-4c03950d210f", "Attribute": [ { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key", "timestamp": "1536326106", "to_ids": true, "type": "regkey", "uuid": "5b9279c2-6a44-4133-bdbf-45ae950d210f", "value": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\chrome" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "root-keys", "timestamp": "1536326106", "to_ids": false, "type": "text", "uuid": "5b9279c3-b8ec-445c-9f70-4c8b950d210f", "value": "HKCU" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "data-type", "timestamp": "1536326106", "to_ids": false, "type": "text", "uuid": "5b9279c3-c040-4ea5-bfe7-4955950d210f", "value": "REG_NONE" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "name", "timestamp": "1536326692", "to_ids": false, "type": "text", "uuid": "5b9279dc-e050-4a20-ac5e-adb4950d210f", "value": "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536326853", "uuid": "5b927cc5-d5ac-46df-ace4-4cf8950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536326853", "to_ids": true, "type": "filename", "uuid": "5b927cc5-28e4-4d21-8166-447d950d210f", "value": 
"%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Data\\Tor\\geoip" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536326855", "to_ids": false, "type": "text", "uuid": "5b927cc7-1e4c-44bc-94ff-4ee8950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536326952", "uuid": "5b927d28-edcc-445d-869b-42ae950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536326953", "to_ids": true, "type": "filename", "uuid": "5b927d29-a424-46ab-879c-4609950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Data\\Tor\\geoip6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536326953", "to_ids": false, "type": "text", "uuid": "5b927d29-1040-4836-878b-420c950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536326971", "uuid": "5b927d3b-9628-4e2f-83b3-4cb8950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536326971", "to_ids": true, "type": "filename", "uuid": "5b927d3b-e228-4ecc-b169-4369950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\test1.bmp" }, { "category": "Other", "comment": "", "deleted": false, 
"disable_correlation": true, "object_relation": "state", "timestamp": "1536326973", "to_ids": false, "type": "text", "uuid": "5b927d3d-8404-433c-9b99-4c2d950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536326986", "uuid": "5b927d4a-5334-448b-84e9-4545950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536326987", "to_ids": true, "type": "filename", "uuid": "5b927d4b-39a8-4fc7-a4b7-4a10950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libeay32.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536326988", "to_ids": false, "type": "text", "uuid": "5b927d4c-a078-414c-8f77-4b37950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327388", "uuid": "5b927edc-e5a4-47e1-86a6-4a0f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327388", "to_ids": true, "type": "filename", "uuid": "5b927edc-12c8-4b11-bc21-4428950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent_core-2-0-5.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327389", "to_ids": false, "type": "text", "uuid": 
"5b927edd-56fc-4e14-8074-48f3950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327431", "uuid": "5b927f07-0ebc-45ea-9a4c-4791950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327432", "to_ids": true, "type": "filename", "uuid": "5b927f08-3ef8-43e9-9cbf-445c950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-certs" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327433", "to_ids": false, "type": "text", "uuid": "5b927f09-3b80-48dc-9dad-49d2950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327449", "uuid": "5b927f19-af00-4e57-bc93-49e9950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327449", "to_ids": true, "type": "filename", "uuid": "5b927f19-4a0c-4abe-b57d-4727950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdesc-consensus" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327449", "to_ids": false, "type": "text", "uuid": "5b927f19-d26c-48fd-9d16-45c8950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": 
"688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327501", "uuid": "5b927f4d-5914-4be0-bc7e-4da1950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327501", "to_ids": true, "type": "filename", "uuid": "5b927f4d-6a90-4640-9dc3-452b950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libssp-0.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327504", "to_ids": false, "type": "text", "uuid": "5b927f50-f734-4110-bc51-4193950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327518", "uuid": "5b927f5e-50ac-4596-b3cb-474b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327518", "to_ids": true, "type": "filename", "uuid": "5b927f5e-1f80-41ab-a84f-4832950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\tor-gencert.exe" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327521", "to_ids": false, "type": "text", "uuid": "5b927f61-2d78-4789-9d34-4ea6950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327531", "uuid": "5b927f6b-0430-4a52-b692-4dba950d210f", "Attribute": [ { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327531", "to_ids": true, "type": "filename", "uuid": "5b927f6b-8f2c-4ee2-987d-436c950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\svchost.exe" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327532", "to_ids": false, "type": "text", "uuid": "5b927f6c-0670-40ab-a060-4653950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327548", "uuid": "5b927f7c-32c8-4e30-b9d5-421f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327548", "to_ids": true, "type": "filename", "uuid": "5b927f7c-13a0-4be5-a59e-4b2f950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\zlib1.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327550", "to_ids": false, "type": "text", "uuid": "5b927f7e-c258-4aa9-ba33-4c57950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327662", "uuid": "5b927fee-1590-49f2-a2f6-44ca950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327662", "to_ids": true, 
"type": "filename", "uuid": "5b927fee-413c-4578-b4f7-4de2950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdescs.new" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327665", "to_ids": false, "type": "text", "uuid": "5b927ff1-1924-4851-b7be-4693950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327834", "uuid": "5b92809a-b468-47e6-a7c7-47c9950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327835", "to_ids": true, "type": "filename", "uuid": "5b92809b-1a04-4ceb-be76-42b9950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent-2-0-5.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327837", "to_ids": false, "type": "text", "uuid": "5b92809d-168c-47c1-852f-47b1950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327849", "uuid": "5b9280aa-969c-4c3e-ad03-4011950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327850", "to_ids": true, "type": "filename", "uuid": "5b9280aa-23a0-4033-9e66-4ede950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\ssleay32.dll" }, { "category": 
"Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327850", "to_ids": false, "type": "text", "uuid": "5b9280aa-5258-44fb-a115-4a6a950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327865", "uuid": "5b9280b9-be58-4c21-a4d2-49ca950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327865", "to_ids": true, "type": "filename", "uuid": "5b9280b9-fb64-4f19-9d04-493d950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\state" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327866", "to_ids": false, "type": "text", "uuid": "5b9280ba-fc78-464f-aaad-4a8e950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327876", "uuid": "5b9280c4-17b4-4114-8017-44e0950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327876", "to_ids": true, "type": "filename", "uuid": "5b9280c4-4200-4f03-a557-4997950d210f", "value": "%UserProfile%\\Desktop\\ReadMe.html" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327879", "to_ids": false, "type": "text", "uuid": "5b9280c7-bdb8-4b91-9edb-46df950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, 
"description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327888", "uuid": "5b9280d0-1874-4711-87ed-4299950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327888", "to_ids": true, "type": "filename", "uuid": "5b9280d0-a204-43f9-b463-405d950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libgcc_s_sjlj-1.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327889", "to_ids": false, "type": "text", "uuid": "5b9280d1-a424-494c-93d6-4600950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327899", "uuid": "5b9280db-dfe0-41f0-9f42-44c7950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327899", "to_ids": true, "type": "filename", "uuid": "5b9280db-0780-49ba-94b9-46c8950d210f", "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent_extra-2-0-5.dll" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327900", "to_ids": false, "type": "text", "uuid": "5b9280dc-001c-4fa5-a889-4301950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": 
"688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1536327914", "uuid": "5b9280ea-e38c-41f1-8453-47b9950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1536327914", "to_ids": true, "type": "filename", "uuid": "5b9280ea-0530-490d-bdf6-4b03950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\lock" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536327917", "to_ids": false, "type": "text", "uuid": "5b9280ed-a180-4fc9-80c4-46f6950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1536755335", "uuid": "f04b2156-46a7-4ffe-a470-b0d0ac7ef70e", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1536755338", "to_ids": false, "type": "datetime", "uuid": "bff3beea-deb5-49b8-a2be-334a5603e8ac", "value": "2018-08-28T00:23:39" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1536755342", "to_ids": false, "type": "link", "uuid": "505d7436-7769-4279-9d1a-b95934d0edc8", "value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1536755345", "to_ids": false, "type": "text", "uuid": "00c8704b-05af-405d-a5ce-13f8167612d4", "value": "45/67" } ] } ] } }