
{
"Event": {
"id": "3320",
"orgc_id": "1",
"org_id": "1",
"date": "2023-02-07",
"threat_level_id": "1",
"info": "Ransomware infection via e-mail from Andrew Ryan",
"published": false,
"uuid": "ebc0d51a-a08f-485d-ba5c-54d66c6f56be",
"attribute_count": "15",
"analysis": "0",
"timestamp": "1676648024",
"distribution": "0",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"protected": null,
"event_creator_email": "training99@misp.test",
"Feed": [
{
"id": "1",
"name": "CIRCL OSINT Feed",
"url": "https://www.circl.lu/doc/misp/feed-osint",
"provider": "CIRCL",
"source_format": "misp",
"event_uuids": [
"5bbe09c9-9040-4415-bd25-45b7950d210f",
"584a6066-ea54-4894-8e9f-4d6f950d210f"
]
},
{
"id": "2",
"name": "The Botvrij.eu Data",
"url": "http://www.botvrij.eu/data/feed-osint",
"provider": "Botvrij.eu",
"source_format": "misp",
"event_uuids": [
"56ca35a0-0f20-4cca-8fc3-4cd69062e56a"
]
}
],
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"local": true
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14",
"local": true
},
"Attribute": [],
"ShadowAttribute": [],
"RelatedEvent": [
{
"Event": {
"id": "3494",
"date": "2023-03-26",
"threat_level_id": "2",
"info": "Ransomware infection via e-mail",
"published": false,
"uuid": "e32186fe-905b-4d6a-bc1b-e8b9a26835f4",
"analysis": "1",
"timestamp": "1679658058",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3491",
"date": "2023-03-24",
"threat_level_id": "3",
"info": "Ransomware infection via e-mail",
"published": false,
"uuid": "fd3cdeb6-8e4d-400f-9e81-19c153fe3551",
"analysis": "2",
"timestamp": "1679565003",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3526",
"date": "2023-03-24",
"threat_level_id": "3",
"info": "CryptoLocker Ransomware infection via e-mail",
"published": false,
"uuid": "26da51be-a8ad-4155-bd3e-e45189964d35",
"analysis": "1",
"timestamp": "1681714673",
"distribution": "1",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3356",
"date": "2023-02-08",
"threat_level_id": "1",
"info": "Ransomware infection via e-mail",
"published": false,
"uuid": "eb0e9670-2875-4480-9e62-44d41010a196",
"analysis": "0",
"timestamp": "1675875023",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3311",
"date": "2023-02-07",
"threat_level_id": "1",
"info": "D Ransomware Test circl, enisa, europol-incident",
"published": false,
"uuid": "8c1760ec-8c78-49ee-b5ab-13abaa8dab66",
"analysis": "0",
"timestamp": "1675784544",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3321",
"date": "2023-02-07",
"threat_level_id": "1",
"info": "Ransomware infection via e-mail Resources",
"published": false,
"uuid": "74dc5e3c-6d21-4fc4-bd4f-1b6dd5d7db97",
"analysis": "0",
"timestamp": "1675784506",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2998",
"date": "2022-10-11",
"threat_level_id": "2",
"info": "Infection via spear-phishing email",
"published": false,
"uuid": "5d24702e-48f8-4327-9d23-39afe31222c3",
"analysis": "2",
"timestamp": "1665481896",
"distribution": "3",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2975",
"date": "2022-09-27",
"threat_level_id": "2",
"info": "Ransomware infection via e-mail",
"published": false,
"uuid": "9e914849-6574-4be3-8fe1-f4dbea6bfe24",
"analysis": "0",
"timestamp": "1664269840",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2976",
"date": "2022-09-27",
"threat_level_id": "1",
"info": "Ransomware infection via e-mail",
"published": false,
"uuid": "35061e3f-244b-42a8-b323-a06790daf8ce",
"analysis": "0",
"timestamp": "1664270556",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2926",
"date": "2022-06-30",
"threat_level_id": "1",
"info": "Cryptolocker Ransomware Attached to Phishing Email - Training43",
"published": false,
"uuid": "9b35fd90-1408-4d00-b458-b346a5a7d276",
"analysis": "1",
"timestamp": "1656597684",
"distribution": "1",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2973",
"date": "2022-03-25",
"threat_level_id": "1",
"info": "Ransomware Putty Andrew_Ryan e-mail",
"published": false,
"uuid": "1d8272d1-b96d-4a5e-a2ad-731c7685c19f",
"analysis": "0",
"timestamp": "1664270421",
"distribution": "0",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2856",
"date": "2022-03-24",
"threat_level_id": "2",
"info": "CryptoLocker ransomware infection via e-mail",
"published": false,
"uuid": "cc8d930b-aa5f-40b8-a30e-dc86bfd83003",
"analysis": "2",
"timestamp": "1676967646",
"distribution": "3",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2940",
"date": "2022-03-24",
"threat_level_id": "1",
"info": "Ransomware attached to the mail",
"published": false,
"uuid": "42ffa689-82bd-49ec-89bf-4ef1ea868c38",
"analysis": "1",
"timestamp": "1656604596",
"distribution": "1",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "2944",
"date": "2022-03-24",
"threat_level_id": "1",
"info": "Ransomware attack",
"published": false,
"uuid": "416b6e86-0db1-4329-bc05-a3f4a3097d42",
"analysis": "1",
"timestamp": "1656603858",
"distribution": "1",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
},
{
"Event": {
"id": "3477",
"date": "2022-03-24",
"threat_level_id": "3",
"info": "CryptoLocker Ransomware infection via e-mail",
"published": false,
"uuid": "b85c260a-5156-4e98-bbc5-d9cda025a9d0",
"analysis": "2",
"timestamp": "1683274401",
"distribution": "1",
"org_id": "1",
"orgc_id": "1",
"Org": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
},
"Orgc": {
"id": "1",
"name": "Training",
"uuid": "5d6d3b30-9db0-44b9-8869-7f56a5e38e14"
}
}
}
],
"Galaxy": [],
"Object": [
{
"id": "37496",
"name": "ftm-Person",
"meta-category": "followthemoney",
"description": "An individual",
"template_uuid": "070e1c5b-7f5a-4322-81ff-9d684172fe36",
"template_version": "1",
"event_id": "3320",
"uuid": "3a5740a6-1e37-4e60-a277-6877e48cbced",
"timestamp": "1675784810",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [],
"Attribute": [
{
"id": "586446",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "a315a07b-4e1c-4725-820a-66a0dc89c7a8",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675782902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37496",
"object_relation": "name",
"first_seen": null,
"last_seen": null,
"value": "Andrew Ryan",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586447",
"type": "phone-number",
"category": "Person",
"to_ids": false,
"uuid": "5817d244-01b7-40e4-aed3-5a8f967bc6e8",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675782902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37496",
"object_relation": "phone",
"first_seen": null,
"last_seen": null,
"value": "18007667751",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586448",
"type": "email-src",
"category": "Payload delivery",
"to_ids": true,
"uuid": "bf9f9eb4-1739-4d6a-ae6f-a20f9587298f",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675784810",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37496",
"object_relation": "email",
"first_seen": null,
"last_seen": null,
"value": "andrew_ryan@rindustries.rp",
"Galaxy": [],
"ShadowAttribute": [],
"Tag": [
{
"id": "325",
"name": "Payload",
"colour": "#cb57f8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
}
]
},
{
"id": "586449",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "206608cd-afd4-4fb9-b203-98f983669e6e",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675782902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "37496",
"object_relation": "firstName",
"first_seen": null,
"last_seen": null,
"value": "Andrew",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586450",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "9b05e87a-5af2-49ab-976d-11c981adb734",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675782902",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "37496",
"object_relation": "lastName",
"first_seen": null,
"last_seen": null,
"value": "Ryan",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586459",
"type": "phone-number",
"category": "Person",
"to_ids": false,
"uuid": "ac43548f-c952-4f24-b6ee-a8ed553c37f8",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675782927",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37496",
"object_relation": "phone",
"first_seen": null,
"last_seen": null,
"value": "19726436600",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "37517",
"name": "file",
"meta-category": "file",
"description": "File object describing a file with meta-information",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"event_id": "3320",
"uuid": "398c75f3-6f7b-457d-99b0-2c4da5a2009b",
"timestamp": "1675784783",
"distribution": "5",
"sharing_group_id": "0",
"comment": "Ransomware",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [],
"Attribute": [
{
"id": "586560",
"type": "malware-sample",
"category": "Payload delivery",
"to_ids": true,
"uuid": "8646991c-da5d-48da-b802-26d9c09400cc",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675784754",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37517",
"object_relation": "malware-sample",
"first_seen": null,
"last_seen": null,
"value": "cryptolocker.exe|f1a3e62de12faecee82bf4599cc1fdcd",
"Galaxy": [],
"data": "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",
"ShadowAttribute": [],
"Tag": [
{
"id": "1243",
"name": "MALWARE",
"colour": "#d6f264",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
}
]
},
{
"id": "586561",
"type": "filename",
"category": "Payload delivery",
"to_ids": false,
"uuid": "78f02244-03e3-426f-aeed-9a1a4315349d",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675784783",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37517",
"object_relation": "filename",
"first_seen": null,
"last_seen": null,
"value": "cryptolocker.exe",
"Galaxy": [],
"ShadowAttribute": [],
"Tag": [
{
"id": "289",
"name": "malware_classification:payload-classification=\"dropper\"",
"colour": "#77d500",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
}
]
},
{
"id": "586562",
"type": "md5",
"category": "Payload delivery",
"to_ids": true,
"uuid": "e9d5ae93-323a-4613-b7fd-67e9c9b5cc1f",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675783684",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37517",
"object_relation": "md5",
"first_seen": null,
"last_seen": null,
"value": "f1a3e62de12faecee82bf4599cc1fdcd",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586563",
"type": "sha1",
"category": "Payload delivery",
"to_ids": true,
"uuid": "282ae8e7-30c7-4e84-afd9-a7edffce08a2",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675783684",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37517",
"object_relation": "sha1",
"first_seen": null,
"last_seen": null,
"value": "d836f2ee449b74913d1efc615eeb459b65e4f791",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586564",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "39f1db69-6be1-4fa6-86c3-95f7b87659a8",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675783684",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37517",
"object_relation": "sha256",
"first_seen": null,
"last_seen": null,
"value": "d90401420908dbb4b3488a306467e8fffc57577ce9d5eee016578ff6a3ada12e",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586565",
"type": "size-in-bytes",
"category": "Other",
"to_ids": false,
"uuid": "639afd02-ccc3-441e-b3ea-c75be281a825",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675783684",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "37517",
"object_relation": "size-in-bytes",
"first_seen": null,
"last_seen": null,
"value": "751328",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "37527",
"name": "domain-ip",
"meta-category": "network",
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "11",
"event_id": "3320",
"uuid": "0091e0c8-6bdc-40ee-b183-45ee90b8d040",
"timestamp": "1675784097",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [],
"Attribute": [
{
"id": "586601",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "d1371861-7ef6-487d-adcb-b04827fe5b63",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675784097",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37527",
"object_relation": "ip",
"first_seen": null,
"last_seen": null,
"value": "81.177.170.166",
"Galaxy": [],
"ShadowAttribute": [],
"Tag": [
{
"id": "2287",
"name": "adversary:infrastructure-type=\"c2\"",
"colour": "#9e00ff",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
}
]
}
]
},
{
"id": "37557",
"name": "registry-key",
"meta-category": "file",
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"template_version": "4",
"event_id": "3320",
"uuid": "3738def1-f6aa-4e05-abed-61d1224b1c17",
"timestamp": "1675784674",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"first_seen": null,
"last_seen": null,
"ObjectReference": [],
"Attribute": [
{
"id": "586724",
"type": "text",
"category": "Persistence mechanism",
"to_ids": false,
"uuid": "ac7faef0-f036-400b-94f8-d5473f8cadf2",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675784674",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37557",
"object_relation": "name",
"first_seen": null,
"last_seen": null,
"value": "Cryptolocker",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "586725",
"type": "regkey",
"category": "Persistence mechanism",
"to_ids": true,
"uuid": "01cb61e9-0e97-452a-bcf0-26451ca81c68",
"event_id": "3320",
"distribution": "5",
"timestamp": "1675784674",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "37557",
"object_relation": "key",
"first_seen": null,
"last_seen": null,
"value": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"Galaxy": [],
"Feed": [
{
"id": "1",
"name": "CIRCL OSINT Feed",
"url": "https://www.circl.lu/doc/misp/feed-osint",
"provider": "CIRCL",
"source_format": "misp",
"event_uuids": [
"5bbe09c9-9040-4415-bd25-45b7950d210f",
"584a6066-ea54-4894-8e9f-4d6f950d210f"
]
},
{
"id": "2",
"name": "The Botvrij.eu Data",
"url": "http://www.botvrij.eu/data/feed-osint",
"provider": "Botvrij.eu",
"source_format": "misp",
"event_uuids": [
"56ca35a0-0f20-4cca-8fc3-4cd69062e56a"
]
}
],
"ShadowAttribute": []
}
]
}
],
"EventReport": [],
"CryptographicKey": [],
"Tag": [
{
"id": "132",
"name": "osint:lifetime=\"perpetual\"",
"colour": "#0071c3",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "467",
"name": "osint:certainty=\"50\"",
"colour": "#0087e8",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": "50",
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "1105",
"name": "workflow:state=\"draft\"",
"colour": "#e9007e",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "8",
"name": "tlp:amber",
"colour": "#FFC000",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null,
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
},
{
"id": "1738",
"name": "false-positive:risk=\"low\"",
"colour": "#33FF00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": "75",
"is_galaxy": false,
"is_custom_galaxy": false,
"local_only": false,
"local": 0,
"relationship_type": null
}
]
}
}