{ "type": "bundle", "id": "bundle--5cccb246-0da0-4c93-a463-61fe0a016219", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2020-12-09T14:45:39.000Z", "modified": "2020-12-09T14:45:39.000Z", "name": "ESET", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cccb246-0da0-4c93-a463-61fe0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2020-12-09T14:45:39.000Z", "modified": "2020-12-09T14:45:39.000Z", "name": "ESET Turla LightNeuron Research", "published": "2019-05-10T08:38:22Z", "object_refs": [ "observed-data--6f5800ff-87e0-46fc-adac-807018e9d07f", "file--6f5800ff-87e0-46fc-adac-807018e9d07f", "observed-data--64d9f4ac-632e-458b-af36-a2e6e1d2bd57", "file--64d9f4ac-632e-458b-af36-a2e6e1d2bd57", "observed-data--90bcabcb-b2fb-4e73-a1a1-88f8a9e186df", "file--90bcabcb-b2fb-4e73-a1a1-88f8a9e186df", "observed-data--4f4bdd4d-f0c4-4761-bed8-711f1b3b7744", "file--4f4bdd4d-f0c4-4761-bed8-711f1b3b7744", "observed-data--25408199-95da-448d-a95f-a222dc7ba162", "file--25408199-95da-448d-a95f-a222dc7ba162", "observed-data--66fa127c-7625-441a-b0ab-bc0b72403ca8", "file--66fa127c-7625-441a-b0ab-bc0b72403ca8", "x-misp-attribute--5df144ba-2702-4d5b-9070-a089c28fe905", "observed-data--4440b265-2377-474c-83f1-8c8f24348f57", "file--4440b265-2377-474c-83f1-8c8f24348f57", "observed-data--17417300-6cef-4720-8772-b90887ce8cb9", "file--17417300-6cef-4720-8772-b90887ce8cb9", "observed-data--24645bfe-0e15-4c57-806e-27b6dacb18e8", "file--24645bfe-0e15-4c57-806e-27b6dacb18e8", "x-misp-attribute--22e9a8ca-f758-440b-befe-f5cec1d249d0", "observed-data--eea9d060-4ae7-41f8-ac22-a4a0c15a31b5", "file--eea9d060-4ae7-41f8-ac22-a4a0c15a31b5", "observed-data--09c6ef7c-ff1a-4b86-9d87-74b859bfbfae", "file--09c6ef7c-ff1a-4b86-9d87-74b859bfbfae", "observed-data--6af7a8c3-f17d-43fb-8c10-1602910bc038", "file--6af7a8c3-f17d-43fb-8c10-1602910bc038", "observed-data--edfdb3f9-c762-46d9-8597-29cc5f1fa50e", "file--edfdb3f9-c762-46d9-8597-29cc5f1fa50e", "observed-data--7111a10b-7725-4579-96b6-cf01f779b816", "file--7111a10b-7725-4579-96b6-cf01f779b816", "observed-data--0b557f56-389f-4c44-abf0-1d464922eb01", "file--0b557f56-389f-4c44-abf0-1d464922eb01", "observed-data--606aa8cc-8fe7-4a35-8755-7804c04a19d3", "file--606aa8cc-8fe7-4a35-8755-7804c04a19d3", "observed-data--d8cc496a-4c78-4d26-8ded-e605b7f65179", "file--d8cc496a-4c78-4d26-8ded-e605b7f65179", "observed-data--60abe762-ba0e-46a0-86a9-d9de3a6ef85e", "file--60abe762-ba0e-46a0-86a9-d9de3a6ef85e", "observed-data--21bf9cf9-356b-44cd-9b40-534f3d26ace6", "file--21bf9cf9-356b-44cd-9b40-534f3d26ace6", "observed-data--1ce77aca-09f7-4e3b-b249-444b349dd34c", "file--1ce77aca-09f7-4e3b-b249-444b349dd34c", "observed-data--efc3fcdc-9987-43a4-82b3-c6b51f28e9f4", "file--efc3fcdc-9987-43a4-82b3-c6b51f28e9f4", "observed-data--5cccb302-f18c-4e72-9744-65540a016219", "file--5cccb302-f18c-4e72-9744-65540a016219", "observed-data--5cccb30f-1b18-476d-9558-5d380a016219", "file--5cccb30f-1b18-476d-9558-5d380a016219", "observed-data--5cccb32b-8110-48f1-a6a8-65560a016219", "file--5cccb32b-8110-48f1-a6a8-65560a016219", "observed-data--5cccb441-3720-468d-88a1-5d3a0a016219", "file--5cccb441-3720-468d-88a1-5d3a0a016219", "observed-data--5cccb441-1e60-443e-919e-5d3a0a016219", "file--5cccb441-1e60-443e-919e-5d3a0a016219", "observed-data--5cccb441-f920-4f2e-95bf-5d3a0a016219", "file--5cccb441-f920-4f2e-95bf-5d3a0a016219", "observed-data--5cccb441-cff8-4af7-b7ad-5d3a0a016219", "file--5cccb441-cff8-4af7-b7ad-5d3a0a016219", "observed-data--5cccb441-9730-46ba-ac64-5d3a0a016219", "file--5cccb441-9730-46ba-ac64-5d3a0a016219", "observed-data--5cccb441-5ae4-450a-9e04-5d3a0a016219", "file--5cccb441-5ae4-450a-9e04-5d3a0a016219", "observed-data--5cccb441-253c-4882-85f1-5d3a0a016219", "file--5cccb441-253c-4882-85f1-5d3a0a016219", "observed-data--5cccb441-f7c8-4e1c-bfc9-5d3a0a016219", "file--5cccb441-f7c8-4e1c-bfc9-5d3a0a016219", "observed-data--5cccb441-b8c0-4633-904e-5d3a0a016219", "file--5cccb441-b8c0-4633-904e-5d3a0a016219", "observed-data--5cccb8c1-67d4-43c3-b904-65540a016219", "url--5cccb8c1-67d4-43c3-b904-65540a016219" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Turla Group\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Valid Accounts - T1078\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Collection - T1119\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Network Configuration Discovery - T1016\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Exfiltration - T1020\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encrypted - T1022\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Email Collection - T1114\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Obfuscation - T1001\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Transfer - T1029\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Application Layer Protocol - T1071\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Cryptographic Protocol - T1032\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--6f5800ff-87e0-46fc-adac-807018e9d07f", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:49.000Z", "modified": "2019-05-03T21:33:49.000Z", "first_observed": "2019-05-03T21:33:49Z", "last_observed": "2019-05-03T21:33:49Z", "number_observed": 1, "object_refs": [ "file--6f5800ff-87e0-46fc-adac-807018e9d07f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--6f5800ff-87e0-46fc-adac-807018e9d07f", "hashes": { "MD5": "9ed3438587e25073c17e82958010a3aa" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--64d9f4ac-632e-458b-af36-a2e6e1d2bd57", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:46.000Z", "modified": "2019-05-03T21:33:46.000Z", "first_observed": "2019-05-03T21:33:46Z", "last_observed": "2019-05-03T21:33:46Z", "number_observed": 1, "object_refs": [ "file--64d9f4ac-632e-458b-af36-a2e6e1d2bd57" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--64d9f4ac-632e-458b-af36-a2e6e1d2bd57", "hashes": { "SHA-1": "3c851e239fbf67a03e0dae8f63eee702b330db6c" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--90bcabcb-b2fb-4e73-a1a1-88f8a9e186df", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:43.000Z", "modified": "2019-05-03T21:33:43.000Z", "first_observed": "2019-05-03T21:33:43Z", "last_observed": "2019-05-03T21:33:43Z", "number_observed": 1, "object_refs": [ "file--90bcabcb-b2fb-4e73-a1a1-88f8a9e186df" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--90bcabcb-b2fb-4e73-a1a1-88f8a9e186df", "hashes": { "SHA-256": "fec68a0fea0019c878c8a348976c0ec0b8ecf6e7c63fe99afabfff2b7e6d4b11" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--4f4bdd4d-f0c4-4761-bed8-711f1b3b7744", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:33.000Z", "modified": "2019-05-03T21:33:33.000Z", "first_observed": "2019-05-03T21:33:33Z", "last_observed": "2019-05-03T21:33:33Z", "number_observed": 1, "object_refs": [ "file--4f4bdd4d-f0c4-4761-bed8-711f1b3b7744" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--4f4bdd4d-f0c4-4761-bed8-711f1b3b7744", "hashes": { "MD5": "2b14f9f3c758a2cf842a61aca6a3455d" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--25408199-95da-448d-a95f-a222dc7ba162", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:22.000Z", "modified": "2019-05-03T21:33:22.000Z", "first_observed": "2019-05-03T21:33:22Z", "last_observed": "2019-05-03T21:33:22Z", "number_observed": 1, "object_refs": [ "file--25408199-95da-448d-a95f-a222dc7ba162" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--25408199-95da-448d-a95f-a222dc7ba162", "hashes": { "SHA-1": "f9d52bb5a30b42fc2d1763be586cee8a57424732" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--66fa127c-7625-441a-b0ab-bc0b72403ca8", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:16.000Z", "modified": "2019-05-03T21:33:16.000Z", "first_observed": "2019-05-03T21:33:16Z", "last_observed": "2019-05-03T21:33:16Z", "number_observed": 1, "object_refs": [ "file--66fa127c-7625-441a-b0ab-bc0b72403ca8" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--66fa127c-7625-441a-b0ab-bc0b72403ca8", "hashes": { "SHA-256": "25facbc4265ca90f0508e77e97e1e6fcc7e46f6cca316b251b06d41232f6360c" } }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5df144ba-2702-4d5b-9070-a089c28fe905", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:29:30.000Z", "modified": "2019-05-03T21:29:30.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "MSIL/Turla.A" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--4440b265-2377-474c-83f1-8c8f24348f57", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:13.000Z", "modified": "2019-05-03T21:33:13.000Z", "first_observed": "2019-05-03T21:33:13Z", "last_observed": "2019-05-03T21:33:13Z", "number_observed": 1, "object_refs": [ "file--4440b265-2377-474c-83f1-8c8f24348f57" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--4440b265-2377-474c-83f1-8c8f24348f57", "hashes": { "MD5": "5924eac8af1f3e3f1f825998bc59c062" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--17417300-6cef-4720-8772-b90887ce8cb9", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:09.000Z", "modified": "2019-05-03T21:33:09.000Z", "first_observed": "2019-05-03T21:33:09Z", "last_observed": "2019-05-03T21:33:09Z", "number_observed": 1, "object_refs": [ "file--17417300-6cef-4720-8772-b90887ce8cb9" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--17417300-6cef-4720-8772-b90887ce8cb9", "hashes": { "SHA-1": "0a9f10925af42df94925d07112f303d57392c908" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--24645bfe-0e15-4c57-806e-27b6dacb18e8", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:07.000Z", "modified": "2019-05-03T21:33:07.000Z", "first_observed": "2019-05-03T21:33:07Z", "last_observed": "2019-05-03T21:33:07Z", "number_observed": 1, "object_refs": [ "file--24645bfe-0e15-4c57-806e-27b6dacb18e8" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--24645bfe-0e15-4c57-806e-27b6dacb18e8", "hashes": { "SHA-256": "88c90c2b123a357423ab3241624cba49d57122ee3b8ff4130504090c174bb09d" } }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--22e9a8ca-f758-440b-befe-f5cec1d249d0", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:29:36.000Z", "modified": "2019-05-03T21:29:36.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Win64/Turla.CC" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--eea9d060-4ae7-41f8-ac22-a4a0c15a31b5", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:01.000Z", "modified": "2019-05-03T21:33:01.000Z", "first_observed": "2019-05-03T21:33:01Z", "last_observed": "2019-05-03T21:33:01Z", "number_observed": 1, "object_refs": [ "file--eea9d060-4ae7-41f8-ac22-a4a0c15a31b5" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--eea9d060-4ae7-41f8-ac22-a4a0c15a31b5", "hashes": { "MD5": "c86e40e1fd2bd477a7f0cfed63fbca4a" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--09c6ef7c-ff1a-4b86-9d87-74b859bfbfae", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:33:04.000Z", "modified": "2019-05-03T21:33:04.000Z", "first_observed": "2019-05-03T21:33:04Z", "last_observed": "2019-05-03T21:33:04Z", "number_observed": 1, "object_refs": [ "file--09c6ef7c-ff1a-4b86-9d87-74b859bfbfae" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--09c6ef7c-ff1a-4b86-9d87-74b859bfbfae", "hashes": { "SHA-1": "76ee1802a6c920cbeb3a1053a4ec03c71b7e46f8" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--6af7a8c3-f17d-43fb-8c10-1602910bc038", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:32:40.000Z", "modified": "2019-05-03T21:32:40.000Z", "first_observed": "2019-05-03T21:32:40Z", "last_observed": "2019-05-03T21:32:40Z", "number_observed": 1, "object_refs": [ "file--6af7a8c3-f17d-43fb-8c10-1602910bc038" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--6af7a8c3-f17d-43fb-8c10-1602910bc038", "hashes": { "SHA-256": "92af9451d6809e035246869e53a56e1717224b28e8e96af4d80573264435d524" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--edfdb3f9-c762-46d9-8597-29cc5f1fa50e", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:32:03.000Z", "modified": "2019-05-03T21:32:03.000Z", "first_observed": "2019-05-03T21:32:03Z", "last_observed": "2019-05-03T21:32:03Z", "number_observed": 1, "object_refs": [ "file--edfdb3f9-c762-46d9-8597-29cc5f1fa50e" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--edfdb3f9-c762-46d9-8597-29cc5f1fa50e", "hashes": { "MD5": "7519b8c8ed36ec0840112bf9581717a3" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--7111a10b-7725-4579-96b6-cf01f779b816", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:32:00.000Z", "modified": "2019-05-03T21:32:00.000Z", "first_observed": "2019-05-03T21:32:00Z", "last_observed": "2019-05-03T21:32:00Z", "number_observed": 1, "object_refs": [ "file--7111a10b-7725-4579-96b6-cf01f779b816" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--7111a10b-7725-4579-96b6-cf01f779b816", "hashes": { "SHA-1": "c1ff6804fdb8656ab08928d187837d28060a552f" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--0b557f56-389f-4c44-abf0-1d464922eb01", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:57.000Z", "modified": "2019-05-03T21:31:57.000Z", "first_observed": "2019-05-03T21:31:57Z", "last_observed": "2019-05-03T21:31:57Z", "number_observed": 1, "object_refs": [ "file--0b557f56-389f-4c44-abf0-1d464922eb01" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--0b557f56-389f-4c44-abf0-1d464922eb01", "hashes": { "SHA-256": "c730d1af146bc420a1dfbbc647e53133a95cc87e9e519f37a01a413410e16498" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--606aa8cc-8fe7-4a35-8755-7804c04a19d3", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:53.000Z", "modified": "2019-05-03T21:31:53.000Z", "first_observed": "2019-05-03T21:31:53Z", "last_observed": "2019-05-03T21:31:53Z", "number_observed": 1, "object_refs": [ "file--606aa8cc-8fe7-4a35-8755-7804c04a19d3" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--606aa8cc-8fe7-4a35-8755-7804c04a19d3", "hashes": { "MD5": "32d92f9c125816c5ffd407577ad3ccc2" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--d8cc496a-4c78-4d26-8ded-e605b7f65179", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:50.000Z", "modified": "2019-05-03T21:31:50.000Z", "first_observed": "2019-05-03T21:31:50Z", "last_observed": "2019-05-03T21:31:50Z", "number_observed": 1, "object_refs": [ "file--d8cc496a-4c78-4d26-8ded-e605b7f65179" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--d8cc496a-4c78-4d26-8ded-e605b7f65179", "hashes": { "SHA-1": "ff28b53b55bc77a5b4626f9db856e67ac598c787" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--60abe762-ba0e-46a0-86a9-d9de3a6ef85e", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:47.000Z", "modified": "2019-05-03T21:31:47.000Z", "first_observed": "2019-05-03T21:31:47Z", "last_observed": "2019-05-03T21:31:47Z", "number_observed": 1, "object_refs": [ "file--60abe762-ba0e-46a0-86a9-d9de3a6ef85e" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--60abe762-ba0e-46a0-86a9-d9de3a6ef85e", "hashes": { "SHA-256": "d01745a8f454fbf173c8b410f279a84fd3b2dace379c1d67ba9b40c9813b200d" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--21bf9cf9-356b-44cd-9b40-534f3d26ace6", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:42.000Z", "modified": "2019-05-03T21:31:42.000Z", "first_observed": "2019-05-03T21:31:42Z", "last_observed": "2019-05-03T21:31:42Z", "number_observed": 1, "object_refs": [ "file--21bf9cf9-356b-44cd-9b40-534f3d26ace6" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--21bf9cf9-356b-44cd-9b40-534f3d26ace6", "hashes": { "MD5": "e1fdde61d9db9d6875994e4a412987f7" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--1ce77aca-09f7-4e3b-b249-444b349dd34c", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:37.000Z", "modified": "2019-05-03T21:31:37.000Z", "first_observed": "2019-05-03T21:31:37Z", "last_observed": "2019-05-03T21:31:37Z", "number_observed": 1, "object_refs": [ "file--1ce77aca-09f7-4e3b-b249-444b349dd34c" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--1ce77aca-09f7-4e3b-b249-444b349dd34c", "hashes": { "SHA-1": "556674f08ecca84d19a8a756e3457dbf6aff4a1c" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--efc3fcdc-9987-43a4-82b3-c6b51f28e9f4", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:34.000Z", "modified": "2019-05-03T21:31:34.000Z", "first_observed": "2019-05-03T21:31:34Z", "last_observed": "2019-05-03T21:31:34Z", "number_observed": 1, "object_refs": [ "file--efc3fcdc-9987-43a4-82b3-c6b51f28e9f4" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--efc3fcdc-9987-43a4-82b3-c6b51f28e9f4", "hashes": { "SHA-256": "ce01c8087368b7938175b217e9d4e2b50bbd3007d6f9b786d9b86a38a1acbc85" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb302-f18c-4e72-9744-65540a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:30:42.000Z", "modified": "2019-05-03T21:30:42.000Z", "first_observed": "2019-05-03T21:30:42Z", "last_observed": "2019-05-03T21:30:42Z", "number_observed": 1, "object_refs": [ "file--5cccb302-f18c-4e72-9744-65540a016219" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb302-f18c-4e72-9744-65540a016219", "hashes": { "SHA-1": "a4d1a34fe5effd90ccb6897679586ddc07fbc5cd" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb30f-1b18-476d-9558-5d380a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:30:55.000Z", "modified": "2019-05-03T21:30:55.000Z", "first_observed": "2019-05-03T21:30:55Z", "last_observed": "2019-05-03T21:30:55Z", "number_observed": 1, "object_refs": [ "file--5cccb30f-1b18-476d-9558-5d380a016219" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb30f-1b18-476d-9558-5d380a016219", "hashes": { "MD5": "55319464e46e2c31d22b39b46d5477fb" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb32b-8110-48f1-a6a8-65560a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:31:23.000Z", "modified": "2019-05-03T21:31:23.000Z", "first_observed": "2019-05-03T21:31:23Z", "last_observed": "2019-05-03T21:31:23Z", "number_observed": 1, "object_refs": [ "file--5cccb32b-8110-48f1-a6a8-65560a016219" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb32b-8110-48f1-a6a8-65560a016219", "hashes": { "SHA-256": "14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-3720-468d-88a1-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:13.000Z", "modified": "2019-05-03T21:36:13.000Z", "first_observed": "2019-05-03T21:36:13Z", "last_observed": "2019-05-03T21:36:13Z", "number_observed": 1, "object_refs": [ "file--5cccb441-3720-468d-88a1-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-3720-468d-88a1-5d3a0a016219", "name": "%tmp%\\winmail.dat" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-1e60-443e-919e-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-1e60-443e-919e-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-1e60-443e-919e-5d3a0a016219", "name": "%WINDIR%\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\msmocf.xml" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-f920-4f2e-95bf-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-f920-4f2e-95bf-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-f920-4f2e-95bf-5d3a0a016219", "name": "%WINDIR%\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\msmodl.dat" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-cff8-4af7-b7ad-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-cff8-4af7-b7ad-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-cff8-4af7-b7ad-5d3a0a016219", "name": "Windows\\814ad43-58ab-2cd3-3e68-b82a8f402fd0" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-9730-46ba-ac64-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-9730-46ba-ac64-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-9730-46ba-ac64-5d3a0a016219", "name": "Windows\\42cf8a1-6e20-8c24-d35f-82c46d8b70ba" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-5ae4-450a-9e04-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-5ae4-450a-9e04-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-5ae4-450a-9e04-5d3a0a016219", "name": "%WINDIR%\\serviceprofiles\\networkservice\\appdata\\Roaming\\Microsoft\\" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-253c-4882-85f1-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-253c-4882-85f1-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-253c-4882-85f1-5d3a0a016219", "name": "Windows\\36b1f4a-82b9-eb06-7c1e-90b4b2d5c27d" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-f7c8-4e1c-bfc9-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-f7c8-4e1c-bfc9-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-f7c8-4e1c-bfc9-5d3a0a016219", "name": "%WINDIR%\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\Microsoft\\thumbcache_idx.db" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb441-b8c0-4633-904e-5d3a0a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:36:01.000Z", "modified": "2019-05-03T21:36:01.000Z", "first_observed": "2019-05-03T21:36:01Z", "last_observed": "2019-05-03T21:36:01Z", "number_observed": 1, "object_refs": [ "file--5cccb441-b8c0-4633-904e-5d3a0a016219" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5cccb441-b8c0-4633-904e-5d3a0a016219", "name": "%WINDIR%\\ServiceProfiles\\NetworkService\\AppData\\Roaming\\Microsoft\\Windows\\thumbcache_32.db" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cccb8c1-67d4-43c3-b904-65540a016219", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "created": "2019-05-03T21:55:13.000Z", "modified": "2019-05-03T21:55:13.000Z", "first_observed": "2019-05-03T21:55:13Z", "last_observed": "2019-05-03T21:55:13Z", "number_observed": 1, "object_refs": [ "url--5cccb8c1-67d4-43c3-b904-65540a016219" ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cccb8c1-67d4-43c3-b904-65540a016219", "value": "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }