{ "Event": { "analysis": "1", "date": "2020-07-15", "extends_uuid": "", "info": "[Threat Intel] Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families", "protected": false, "publish_timestamp": "1772407719", "published": true, "threat_level_id": "2", "timestamp": "1772407716", "uuid": "26ed9c21-416c-41b9-8203-a9d0a39ed7eb", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Mandiant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"DoppelPaymer\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"LockerGoga\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Maze\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"MegaCortex\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Nefilim\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Clop\"", "relationship_type": "" }, { "colour": "#f6810a", "local": false, "name": "ICS-capable", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772251655", "to_ids": false, "type": "link", "uuid": "9eaa8792-0f38-463f-889c-c34e166682c8", "value": "https://cloud.google.com/blog/topics/threat-intelligence/financially-motivated-actors-are-expanding-access-into-ot/" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772348300", "uuid": "299627a6-d2ea-442f-a280-c24392da53c3", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772348300", "to_ids": true, "type": "md5", "uuid": "98a9d3e1-c6e6-4b77-ad5f-e323625da959", "value": "34187a34d0a3c5d63016c26346371b54", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772347453", "to_ids": true, "type": "sha1", "uuid": "44872d62-0dea-4d13-b2b4-551d04124d54", "value": "ce8209ff9828aa8cb095bd7d1589fc4d394c298c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772347453", "to_ids": true, "type": "sha256", "uuid": "23fb19a3-9dbb-4dd0-a9c6-159be7e90b61", "value": "5f815b8a8e77731c9ca2b3a07a27f880ef24d54e458d77bdabbbaf2269fe96c3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772347277", "to_ids": true, "type": "ssdeep", "uuid": "cc25b55d-46ae-4c68-b525-46e6b1ede9be", "value": "1536:oeCc9oRSgkJo+waYlrkXlNV5WYNNQFsCtN6dSfKDrAqP7Hxdv4AffR+zEZ33Om:oeC5ogkJo+waYlrkXlNV5WYNNQFsCtN8" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772347277", "to_ids": false, "type": "size-in-bytes", "uuid": "8468385f-96bc-4036-8097-34209d6acc49", "value": "54994" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772347277", "to_ids": true, "type": "filename", "uuid": "def59c94-0dbb-4018-87fe-5d6452866da0", "value": "kill.bat" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 01/09/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772347277", "to_ids": false, "type": "text", "uuid": "bec50406-a645-4d24-b8dd-2e174f9f284b", "value": "Type Description: DOS batch file\nMicrosoft: Trojan:BAT/KillAV.SP!MTB\nVT Total Detection:28/62\nFirst Submission:2019-01-24T13:52:28.000000+00:00\nLast Submission:2019-02-28T17:03:31.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772348321", "uuid": "714a03e3-61b6-4b73-ae39-482a810777f3", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772348321", "to_ids": true, "type": "md5", "uuid": "2184fe77-9b80-4399-8a26-03a16fea65e0", "value": "3b980d2af222ec909b948b6bbdd46319", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772347454", "to_ids": true, "type": "sha1", "uuid": "f476c403-d334-4a24-96ba-16b8011cacae", "value": "06e6e5305cf34511b58d77efbff4bc8edb398589", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772347454", "to_ids": true, "type": "sha256", "uuid": "279aa7ac-0399-4f3b-a9fb-788209249f1a", "value": "09ab880f3021ac2d05e09bebd567ddf5f6f7cfb396573efd819a056931f3b391", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772347299", "to_ids": true, "type": "ssdeep", "uuid": "3fa79db7-8047-4bbd-9896-a7270d09cbfb", "value": "3072:RWWK0dOfx4W7opufDv0cOZ+rcn4icwEyfGVfULd0sjojtNYm3OqjDb8BMVcKMssN:EVyW70uffHY4uN3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772347299", "to_ids": false, "type": "size-in-bytes", "uuid": "a3615602-eca8-4110-8503-5f5be9242f57", "value": "428544" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772347299", "to_ids": true, "type": "vhash", "uuid": "6130461e-ea89-4912-8142-5c6d7ad79e6d", "value": "045066655d1515556093z3010078hz1030011fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772347299", "to_ids": true, "type": "filename", "uuid": "cb250c41-51d8-4f01-a07e-818d01e2a6dc", "value": "400000.b8ee322526c7c61e4c7502625500a1ca718aa589bd3d129c46d21080a3e63725" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 05/08/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772347299", "to_ids": false, "type": "text", "uuid": "f02942d1-a7b8-4a0b-984a-0a05496d2e6b", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Clop.E\nVT Total Detection:57/72\nFirst Submission:2020-02-19T21:32:06.000000+00:00\nLast Submission:2020-02-19T21:32:06.000000+00:00" } ] } ] } }