{ "Event": { "analysis": "2", "date": "2017-11-29", "extends_uuid": "", "info": "OSINT - Fake Windows Troubleshooting Support Scam Uploads Screenshots & Uses Paypal", "publish_timestamp": "1514467579", "published": true, "threat_level_id": "3", "timestamp": "1512356424", "uuid": "5a214d9a-ed50-4a33-8812-491a950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512132229", "to_ids": false, "type": "comment", "uuid": "5a214dd9-0f8c-48c0-b299-492c950d210f", "value": "A new tech support scam has been discovered that shows a fake BSOD, or Blue Screen of Death, on the infected computer and then displays an application that pretends to be a Troubleshooter for Windows. This Troubleshooter will then state that your computer cannot be fixed, blocks you from using Windows, and prompts you to purchase a program using PayPal to fix the \"detected problems\" and unlock the screen.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512132257", "to_ids": false, "type": "link", "uuid": "5a214e5a-cae4-4fb6-a72c-48cf950d210f", "value": "https://www.bleepingcomputer.com/news/security/fake-windows-troubleshooting-support-scam-uploads-screenshots-and-uses-paypal/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-1370-4213-9807-4856950d210f", "value": "http://hitechnovation.com/Extra/Downloads/BSOD.exe" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-86f0-404d-ae51-4953950d210f", "value": "http://hitechnovation.com/Extra/Downloads/csrvc.exe" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-c7c8-4ccb-9d52-47f3950d210f", "value": "http://hitechnovation.com/Extra/Downloads/adwizz.exe" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-bda0-43aa-adce-44b7950d210f", "value": "http://hitechnovation.com/Extra/Downloads/Troubleshoot.exe" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-d894-4f87-a651-4cd6950d210f", "value": "http://hitechnovation.com/extra/downloads/scshtrv.exe" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-0110-4c25-85c9-463e950d210f", "value": "http://hitechnovation.com/Extra/Downloads/Windows%20Chat%20Support.exe" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-bd6c-44c1-a51e-474a950d210f", "value": "http://hitechnovation.com/thankyou.txt" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-c154-48fb-8661-43f4950d210f", "value": "http://hitechnovation.com/Downloads/DList.txt" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-3130-47b9-8209-4a8e950d210f", "value": "http://freegeoip.net/xml" }, { "category": "Network activity", "comment": "Network Connections", "deleted": false, "disable_correlation": false, "timestamp": "1512134080", "to_ids": true, "type": "url", "uuid": "5a2155c0-75f0-431b-80eb-4edb950d210f", "value": "ftp://182.50.132.48" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134316", "to_ids": true, "type": "filename", "uuid": "5a2156ad-4e20-4ae2-a900-458d950d210f", "value": "%Temp%\\csrvc\\BSOD.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": true, "type": "filename", "uuid": "5a2156ad-4934-47c8-a301-4e1b950d210f", "value": "%Temp%\\csrvc\\csrvc.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": true, "type": "filename", "uuid": "5a2156ad-29bc-4081-9ea4-4c81950d210f", "value": "%Temp%\\csrvc\\csrvc.InstallLog" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": true, "type": "filename", "uuid": "5a2156ad-a598-4489-b7cd-48e7950d210f", "value": "%Temp%\\csrvc\\csrvc.InstallState" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": true, "type": "filename", "uuid": "5a2156ad-4650-47b2-b440-4897950d210f", "value": "%Temp%\\csrvc\\scshtrv.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": true, "type": "filename", "uuid": "5a2156ad-8f00-4a67-ace8-4d4a950d210f", "value": "%Temp%\\csrvc\\Troubleshoot.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": true, "type": "filename", "uuid": "5a2156ad-bb74-4e42-bacb-4036950d210f", "value": "%PROGRAMFILES%\\adwizz\\adwizz.exe" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": false, "type": "regkey", "uuid": "5a2156ad-1f7c-4ed1-be78-40b9950d210f", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\adwizz" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": false, "type": "regkey", "uuid": "5a2156ad-36d0-4ff2-8200-4368950d210f", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\csrvc" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1512134317", "to_ids": false, "type": "regkey", "uuid": "5a2156ad-d080-4b04-998e-4bce950d210f", "value": "HKLM\\SYSTEM\\CurrentControlSet\\services\\csrvc" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "5", "timestamp": "1512132838", "uuid": "5a2150e6-d8d0-41aa-878e-4f9d950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1512132838", "to_ids": true, "type": "filename", "uuid": "5a2150e6-604c-4781-8b44-4021950d210f", "value": "adwizz.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1512132838", "to_ids": true, "type": "sha256", "uuid": "5a2150e6-a08c-43ec-bdd6-4c0b950d210f", "value": "5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "5", "timestamp": "1512132981", "uuid": "5a215175-0b44-43ae-88c8-f375950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1512132981", "to_ids": true, "type": "filename", "uuid": "5a215175-2d34-42d7-8aa4-f375950d210f", "value": "BSOD.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1512132981", "to_ids": true, "type": "sha256", "uuid": "5a215175-e998-47d6-8d5a-f375950d210f", "value": "9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "5", "timestamp": "1512133098", "uuid": "5a2151ea-d8fc-41fd-bf32-4369950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1512133098", "to_ids": true, "type": "filename", "uuid": "5a2151ea-0424-42b0-a35d-4338950d210f", "value": "csrvc.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1512133098", "to_ids": true, "type": "sha256", "uuid": "5a2151ea-e8c4-435a-a412-4b8a950d210f", "value": "1b1e48f2ee9940c1965c00ee1226fd7c3b9ee9c179ba29b9aeb586c6211cb223" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "5", "timestamp": "1512133362", "uuid": "5a2152f2-f344-43b3-af64-4d98950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1512133363", "to_ids": true, "type": "filename", "uuid": "5a2152f3-1fe0-440f-b99a-4535950d210f", "value": "scshtrv.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1512133363", "to_ids": true, "type": "sha256", "uuid": "5a2152f3-73e8-4808-b345-4b23950d210f", "value": "0cc8ad791dc4061ce1f492d651ed2a9baeed02413c5940240bf47bb023f509ef" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "5", "timestamp": "1512134048", "uuid": "5a2155a0-5950-434e-b70e-4a1b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1512134048", "to_ids": true, "type": "filename", "uuid": "5a2155a0-2fac-417a-bbd9-4724950d210f", "value": "Troubleshoot.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1512134048", "to_ids": true, "type": "sha256", "uuid": "5a2155a0-e864-48d6-8473-40dd950d210f", "value": "f34185d5124690815f089b06cc1629a3d1a42cd7d51aee602823c98e03116a98" } ] } ] } }