misp-circl-feed/feeds/circl/misp/5b9123c0-1480-4e09-877e-4783950d210f.json

{
  "Event": {
    "analysis": "0",
    "date": "2018-03-12",
    "extends_uuid": "",
    "info": "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam",
    "publish_timestamp": "1536755880",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1536755790",
    "uuid": "5b9123c0-1480-4e09-877e-4783950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#2c4f00",
        "local": false,
        "name": "malware_classification:malware-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#00223b",
        "local": false,
        "name": "osint:source-type=\"blog-post\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"Sigma Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#026900",
        "local": false,
        "name": "monarc-threat:unauthorised-actions=\"corruption-of-data\"",
        "relationship_type": ""
      },
      {
        "colour": "#039900",
        "local": false,
        "name": "monarc-threat:compromise-of-information=\"malware-infection\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1536329213",
        "to_ids": false,
        "type": "text",
        "uuid": "5b912411-f738-46fc-b27c-4ada950d210f",
        "value": "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.",
        "Tag": [
          {
            "colour": "#00223b",
            "local": false,
            "name": "osint:source-type=\"blog-post\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1536329222",
        "to_ids": false,
        "type": "link",
        "uuid": "5b912433-50b0-4e96-8d7a-44b1950d210f",
        "value": "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/",
        "Tag": [
          {
            "colour": "#00223b",
            "local": false,
            "name": "osint:source-type=\"blog-post\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1536240806",
        "to_ids": true,
        "type": "url",
        "uuid": "5b912ca6-7264-48c8-afca-40e4950d210f",
        "value": "http://185.121.139.229/"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1536326656",
        "to_ids": true,
        "type": "filename",
        "uuid": "5b927c00-c9c8-4780-84da-abc4950d210f",
        "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\taskwgr.exe"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536240542",
        "uuid": "5b912b9e-67d4-45ad-b17d-4020950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1536240542",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5b912b9e-a4d4-4f19-a85a-4b45950d210f",
            "value": "b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536240546",
            "to_ids": false,
            "type": "text",
            "uuid": "5b912ba2-604c-4c25-b80f-4c2c950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536755335",
        "uuid": "af63c140-7e55-4ae2-a261-9f126f0195ab",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "af63c140-7e55-4ae2-a261-9f126f0195ab",
            "referenced_uuid": "6241958e-2b1b-4ccf-8aa5-0aee9e179e50",
            "relationship_type": "analysed-with",
            "timestamp": "1536302901",
            "uuid": "5b921f35-0d6c-4a42-b336-495202de0b81"
          },
          {
            "comment": "",
            "object_uuid": "af63c140-7e55-4ae2-a261-9f126f0195ab",
            "referenced_uuid": "f04b2156-46a7-4ffe-a470-b0d0ac7ef70e",
            "relationship_type": "analysed-with",
            "timestamp": "1536755345",
            "uuid": "5b990691-7064-4bee-bcb8-494c02de0b81"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1536302885",
            "to_ids": true,
            "type": "md5",
            "uuid": "1badb4a6-67f0-408a-9ba2-f60f41bb913c",
            "value": "9afa3302527608a30408958bc48019fc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1536302888",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3f8e1d75-74db-40bd-a845-6289bdb3dc91",
            "value": "0d34add7d61e26583dc54e7b89b6d4056d6bf201"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1536302891",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2d4820de-1980-4c31-a0ff-8c0b43a9936d",
            "value": "b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1536302893",
        "uuid": "6241958e-2b1b-4ccf-8aa5-0aee9e179e50",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1536302893",
            "to_ids": false,
            "type": "datetime",
            "uuid": "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288",
            "value": "2018-08-28T00:23:39"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1536302896",
            "to_ids": false,
            "type": "link",
            "uuid": "18055e03-5add-4a61-9465-9afc972b1cb3",
            "value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1536302898",
            "to_ids": false,
            "type": "text",
            "uuid": "e911d120-fdf4-4110-8272-ddb11eedd9ec",
            "value": "45/67"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536325764",
        "uuid": "5b927884-8d5c-4a6c-af30-4daa950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536325764",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927884-8b74-453b-ae0f-439b950d210f",
            "value": "ReadMe.txt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536325764",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927884-63d4-43d8-b2c8-4c68950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
        "meta-category": "file",
        "name": "registry-key",
        "template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
        "template_version": "4",
        "timestamp": "1536326106",
        "uuid": "5b9279c2-40a4-4823-840a-4c03950d210f",
        "Attribute": [
          {
            "category": "Persistence mechanism",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "key",
            "timestamp": "1536326106",
            "to_ids": true,
            "type": "regkey",
            "uuid": "5b9279c2-6a44-4133-bdbf-45ae950d210f",
            "value": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\chrome"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "root-keys",
            "timestamp": "1536326106",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9279c3-b8ec-445c-9f70-4c8b950d210f",
            "value": "HKCU"
          },
          {
            "category": "Persistence mechanism",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "data-type",
            "timestamp": "1536326106",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9279c3-c040-4ea5-bfe7-4955950d210f",
            "value": "REG_NONE"
          },
          {
            "category": "Persistence mechanism",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "name",
            "timestamp": "1536326692",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9279dc-e050-4a20-ac5e-adb4950d210f",
            "value": "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536326853",
        "uuid": "5b927cc5-d5ac-46df-ace4-4cf8950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536326853",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927cc5-28e4-4d21-8166-447d950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Data\\Tor\\geoip"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536326855",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927cc7-1e4c-44bc-94ff-4ee8950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536326952",
        "uuid": "5b927d28-edcc-445d-869b-42ae950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536326953",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927d29-a424-46ab-879c-4609950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Data\\Tor\\geoip6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536326953",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927d29-1040-4836-878b-420c950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536326971",
        "uuid": "5b927d3b-9628-4e2f-83b3-4cb8950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536326971",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927d3b-e228-4ecc-b169-4369950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\test1.bmp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536326973",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927d3d-8404-433c-9b99-4c2d950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536326986",
        "uuid": "5b927d4a-5334-448b-84e9-4545950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536326987",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927d4b-39a8-4fc7-a4b7-4a10950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libeay32.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536326988",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927d4c-a078-414c-8f77-4b37950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327388",
        "uuid": "5b927edc-e5a4-47e1-86a6-4a0f950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327388",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927edc-12c8-4b11-bc21-4428950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent_core-2-0-5.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327389",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927edd-56fc-4e14-8074-48f3950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327431",
        "uuid": "5b927f07-0ebc-45ea-9a4c-4791950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327432",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927f08-3ef8-43e9-9cbf-445c950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-certs"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327433",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927f09-3b80-48dc-9dad-49d2950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327449",
        "uuid": "5b927f19-af00-4e57-bc93-49e9950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327449",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927f19-4a0c-4abe-b57d-4727950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdesc-consensus"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327449",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927f19-d26c-48fd-9d16-45c8950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327501",
        "uuid": "5b927f4d-5914-4be0-bc7e-4da1950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327501",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927f4d-6a90-4640-9dc3-452b950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libssp-0.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327504",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927f50-f734-4110-bc51-4193950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327518",
        "uuid": "5b927f5e-50ac-4596-b3cb-474b950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327518",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927f5e-1f80-41ab-a84f-4832950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\tor-gencert.exe"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327521",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927f61-2d78-4789-9d34-4ea6950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327531",
        "uuid": "5b927f6b-0430-4a52-b692-4dba950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327531",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927f6b-8f2c-4ee2-987d-436c950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\svchost.exe"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327532",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927f6c-0670-40ab-a060-4653950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327548",
        "uuid": "5b927f7c-32c8-4e30-b9d5-421f950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327548",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927f7c-13a0-4be5-a59e-4b2f950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\zlib1.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327550",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927f7e-c258-4aa9-ba33-4c57950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327662",
        "uuid": "5b927fee-1590-49f2-a2f6-44ca950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327662",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b927fee-413c-4578-b4f7-4de2950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdescs.new"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327665",
            "to_ids": false,
            "type": "text",
            "uuid": "5b927ff1-1924-4851-b7be-4693950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327834",
        "uuid": "5b92809a-b468-47e6-a7c7-47c9950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327835",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b92809b-1a04-4ceb-be76-42b9950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent-2-0-5.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327837",
            "to_ids": false,
            "type": "text",
            "uuid": "5b92809d-168c-47c1-852f-47b1950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327849",
        "uuid": "5b9280aa-969c-4c3e-ad03-4011950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327850",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b9280aa-23a0-4033-9e66-4ede950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\ssleay32.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327850",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9280aa-5258-44fb-a115-4a6a950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327865",
        "uuid": "5b9280b9-be58-4c21-a4d2-49ca950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327865",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b9280b9-fb64-4f19-9d04-493d950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\tor\\state"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327866",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9280ba-fc78-464f-aaad-4a8e950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327876",
        "uuid": "5b9280c4-17b4-4114-8017-44e0950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327876",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b9280c4-4200-4f03-a557-4997950d210f",
            "value": "%UserProfile%\\Desktop\\ReadMe.html"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327879",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9280c7-bdb8-4b91-9edb-46df950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327888",
        "uuid": "5b9280d0-1874-4711-87ed-4299950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327888",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b9280d0-a204-43f9-b463-405d950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libgcc_s_sjlj-1.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327889",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9280d1-a424-494c-93d6-4600950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327899",
        "uuid": "5b9280db-dfe0-41f0-9f42-44c7950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327899",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b9280db-0780-49ba-94b9-46c8950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent_extra-2-0-5.dll"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327900",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9280dc-001c-4fa5-a889-4301950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1536327914",
        "uuid": "5b9280ea-e38c-41f1-8453-47b9950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1536327914",
            "to_ids": true,
            "type": "filename",
            "uuid": "5b9280ea-0530-490d-bdf6-4b03950d210f",
            "value": "%UserProfile%\\AppData\\Roaming\\tor\\lock"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1536327917",
            "to_ids": false,
            "type": "text",
            "uuid": "5b9280ed-a180-4fc9-80c4-46f6950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1536755335",
        "uuid": "f04b2156-46a7-4ffe-a470-b0d0ac7ef70e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1536755338",
            "to_ids": false,
            "type": "datetime",
            "uuid": "bff3beea-deb5-49b8-a2be-334a5603e8ac",
            "value": "2018-08-28T00:23:39"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1536755342",
            "to_ids": false,
            "type": "link",
            "uuid": "505d7436-7769-4279-9d1a-b95934d0edc8",
            "value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1536755345",
            "to_ids": false,
            "type": "text",
            "uuid": "00c8704b-05af-405d-a5ce-13f8167612d4",
            "value": "45/67"
          }
        ]
      }
    ]
  }
}