{
  "Event": {
    "analysis": "1",
    "date": "2017-10-24",
    "extends_uuid": "",
    "info": "[Threat Intel] Bad Rabbit: Not-Petya is back with improved ransomware",
    "protected": false,
    "publish_timestamp": "1772423881",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772423860",
    "uuid": "5c808df0-e02a-402f-a8f5-e00cdfe8dede",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Civil Aviation\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Infrastructure\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Transport\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"Petya\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Bad Rabbit, Diskcoder.D\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"NotPetya\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"EternalPetya\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#dff146",
        "local": false,
        "name": "IT-impact-ICS",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771889768",
        "to_ids": false,
        "type": "link",
        "uuid": "977eb433-92a3-43f3-a7b5-067a8f24a182",
        "value": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771889768",
        "to_ids": false,
        "type": "link",
        "uuid": "9310473b-b89a-46b9-b88e-2e1551638d74",
        "value": "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771889768",
        "to_ids": false,
        "type": "link",
        "uuid": "063cd87d-c26c-45f1-b2b2-5d7bd415104c",
        "value": "https://blog.talosintelligence.com/bad-rabbit/"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771890381",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "64cf4b5d-d95c-41fe-aed3-491726185a1d",
        "value": "185.149.120.3",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Payment site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772420254",
        "to_ids": true,
        "type": "url",
        "uuid": "d57bcc5a-fa8a-4998-a1b6-77921ef7690b",
        "value": "http://caforssztxqzf2nm.onion/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Inject URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771890424",
        "to_ids": true,
        "type": "url",
        "uuid": "c5472ae7-419d-424a-97a1-d2f7983b7fee",
        "value": "http://185.149.120.3/scholargoogle/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Distribution URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771890445",
        "to_ids": true,
        "type": "url",
        "uuid": "ecbdeaf1-2474-4931-8dcf-6d6f46fb2b68",
        "value": "http://1dnscontrol.com/flash_install.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772420252",
        "to_ids": true,
        "type": "url",
        "uuid": "57ff2065-f6ef-4fa5-948b-fff43073805e",
        "value": "http://argumentiru.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "54acede2-5ae7-4e32-9610-78f3dee72654",
        "value": "http://www.fontanka.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "b3bffb0c-f876-43bc-b270-c00db78b33da",
        "value": "http://grupovo.bg/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "1275795b-b442-4eb7-89ff-ef3d8c65c125",
        "value": "http://www.sinematurk.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "3acb428c-1bb7-474c-a7a3-70b9273b8c84",
        "value": "http://www.aica.co.jp/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "9322fc90-1a11-4c88-b520-a686c113ef23",
        "value": "http://spbvoditel.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423860",
        "to_ids": true,
        "type": "url",
        "uuid": "f63a1e32-3242-4457-8da1-e1db5119a8dd",
        "value": "http://argumenti.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "b929916a-de0f-4706-8ff8-9a469bd19e21",
        "value": "http://www.mediaport.ua/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "1ce6da6f-f2af-40be-be53-efb6069fbf0a",
        "value": "http://blog.fontanka.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "b0c3741a-df86-4110-a36d-f009134c96b1",
        "value": "http://an-crimea.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "991f937e-350d-46ce-82f1-02ed97b25360",
        "value": "http://www.t.ks.ua/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "03851c1d-50e8-41df-94e5-7109a68697bf",
        "value": "http://most-dnepr.info/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "e59a8a20-f8ef-43c8-b17b-30818c8d0b50",
        "value": "http://osvitaportal.com.ua/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "5d222205-4108-4656-8ccc-690d16877ed3",
        "value": "http://www.otbrana.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "a83db159-3759-421a-ac17-750634871fd4",
        "value": "http://calendar.fontanka.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "b649eff0-6f5c-4e4a-bc7a-0893ade9d347",
        "value": "http://www.grupovo.bg/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "3111872d-8185-4db5-9c9c-7bfbba49399c",
        "value": "http://www.pensionhotel.cz/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "425da8cf-33b6-4c8e-8a05-ff27570cd28c",
        "value": "http://www.online812.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "8ec30e98-4cb0-4636-a2a8-ada53a119c4f",
        "value": "http://www.imer.ro/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "1d5c5968-c168-4e6b-85a1-05b26e017a21",
        "value": "http://novayagazeta.spb.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "9c79ce63-00ee-43ef-ad98-db30e12d5d30",
        "value": "http://i24.com.ua/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "7d2ce43d-5609-4c1c-b867-656dfe6f10a3",
        "value": "http://bg.pensionhotel.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "compromised site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423268",
        "to_ids": true,
        "type": "url",
        "uuid": "5cc9bb45-e8cd-4e78-89b1-7376647dd3cb",
        "value": "http://ankerch-crimea.ru/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771890951",
        "to_ids": true,
        "type": "domain",
        "uuid": "2e64ecbb-9cf3-4940-bb05-78f3b959e3e9",
        "value": "1dnscontrol.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771890972",
        "to_ids": true,
        "type": "domain",
        "uuid": "cb6c9f1f-d594-4b7f-874e-d3bf600dcdaf",
        "value": "argumentiru.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771890994",
        "to_ids": true,
        "type": "domain",
        "uuid": "f0bac043-484b-4446-877a-6397aab6e792",
        "value": "fontanka.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771891016",
        "to_ids": true,
        "type": "domain",
        "uuid": "382549c9-77b7-4b80-8361-1fc95375054f",
        "value": "adblibri.ro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771891037",
        "to_ids": true,
        "type": "domain",
        "uuid": "17e0aa8f-dcc4-4dfb-ac3e-e80bf981c2df",
        "value": "spbvoditel.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771891059",
        "to_ids": true,
        "type": "domain",
        "uuid": "ef84d1c3-c63a-4b1a-8967-ed9823d25649",
        "value": "grupovo.bg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771891080",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b1a6e2c8-77f4-4843-9e13-1958366dfc50",
        "value": "www.sinematurk.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771891102",
        "to_ids": true,
        "type": "domain",
        "uuid": "0a63adaa-78f1-46cf-8058-185ee66d0adf",
        "value": "caforssztxqzf2nm.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891123",
        "uuid": "0eafc1f8-5023-444b-b880-e0a9f6079e54",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Diskcoder",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891123",
            "to_ids": true,
            "type": "md5",
            "uuid": "52833f66-ac48-4cc9-90e4-3f4328e15553",
            "value": "1d724f95c61f1055f0d02c2154bbccd3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Diskcoder",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890370",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ffa2c78e-597d-412c-9f0d-7fe0a410bbb1",
            "value": "79116fe99f2b421c52ef64097f0f39b815b20907",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Diskcoder",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890370",
            "to_ids": true,
            "type": "sha256",
            "uuid": "66bb9403-a062-4422-8e83-8c35cd7b19cb",
            "value": "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890178",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b26ca294-c065-4538-8469-0c7ab7be8f75",
            "value": "12288:GtDjvhNTc/cq4RKZZKfArRuSA80m+/6sXRnfPGp:IjTc/cq4RUZaArbInfPGp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890178",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "07e23ee3-e29d-471d-b85a-e3bb033e7590",
            "value": "410760"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890178",
            "to_ids": true,
            "type": "vhash",
            "uuid": "79567368-1fb7-47e8-9bda-ed6bfb9d1cae",
            "value": "145056656d6575534z42z5908043z37z10c1z55ze6z2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890178",
            "to_ids": true,
            "type": "filename",
            "uuid": "91f25417-a490-42ab-9f3c-b1109a894a89",
            "value": "infpub.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  07/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890178",
            "to_ids": false,
            "type": "text",
            "uuid": "e2f0d0e9-352f-4b68-93ae-a70c595fbe11",
            "value": "Diskcoder\r\nType Description: Win32 DLL\nMicrosoft: Ransom:Win32/Tibbar.A\nVT Total Detection:62/72\nFirst Submission:2017-10-24T16:43:03.000000+00:00\nLast Submission:2025-12-11T02:21:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891144",
        "uuid": "37a474f4-7728-49ca-acbc-52b77fad0127",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Lockscreen",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891144",
            "to_ids": true,
            "type": "md5",
            "uuid": "5a02dc8c-37d7-4ef3-8c3a-f198794cd101",
            "value": "b14d8faf7f0cbcfad051cefe5f39645f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Lockscreen",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890372",
            "to_ids": true,
            "type": "sha1",
            "uuid": "477df5db-709c-4de8-adbd-2a3269cefc5d",
            "value": "afeee8b4acff87bc469a6f0364a81ae5d60a2add",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Lockscreen",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890372",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0a5b215a-d6ac-4e5a-873d-7e5c296b9876",
            "value": "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890200",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f068faf4-3250-42ea-8341-2a7d84de89cc",
            "value": "3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890200",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b9721e41-cb51-4aea-b2f2-2dcb11023c07",
            "value": "142848"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890200",
            "to_ids": true,
            "type": "vhash",
            "uuid": "987ca5f1-4f8d-49bd-a44d-4fc756437aa2",
            "value": "015056655d156510f3z42z781z23z31z15z40019fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890200",
            "to_ids": true,
            "type": "filename",
            "uuid": "9c7635f8-e6e0-458b-a73a-4da46c79a7e2",
            "value": "dispci.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  21/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890200",
            "to_ids": false,
            "type": "text",
            "uuid": "094b98ee-4dac-4ef3-80fe-2a613e531067",
            "value": "Lockscreen\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/Tibbar.A\nVT Total Detection:66/72\nFirst Submission:2017-10-24T11:36:36.000000+00:00\nLast Submission:2025-04-17T01:05:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891166",
        "uuid": "2eafc3fd-c49a-43a8-a3be-d79f38e889ac",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891166",
            "to_ids": true,
            "type": "md5",
            "uuid": "a0688228-6e57-4dbd-a633-af8d93b00e02",
            "value": "347ac3b6b791054de3e5720a7144a977",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890373",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4a2a78f1-be55-4f6f-90b1-4d9da9693a33",
            "value": "413eba3973a15c1a6429d9f170f3e8287f98c21c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890373",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e75e23dc-6dfa-41d0-b76d-b8cb0fe893e2",
            "value": "301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890221",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "440a4e5d-8e2e-4bac-b56a-c77e90dc3e70",
            "value": "1536:QeRCKjey4TTGLeBYEUW1SIUDoCB449rHUV:KKjey4TTmeBZUGSIUDoCq49oV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890221",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "88fbb83c-baeb-48d7-8de0-f14aadb88003",
            "value": "62328"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890221",
            "to_ids": true,
            "type": "vhash",
            "uuid": "df32811e-c82b-47f8-a0ab-bbcc3b21a392",
            "value": "064056651d15151038z443z7dz11z2fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890221",
            "to_ids": true,
            "type": "filename",
            "uuid": "28c90fd0-db62-433b-9a41-ce3b2144c582",
            "value": "A0B6.tmp"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  04/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890221",
            "to_ids": false,
            "type": "text",
            "uuid": "346baa81-df4d-4715-b476-e7a3bd85fb78",
            "value": "Mimikatz\r\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/WDigest.A\nVT Total Detection:59/72\nFirst Submission:2017-10-24T20:35:59.000000+00:00\nLast Submission:2025-11-24T08:52:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891187",
        "uuid": "633222bc-fcd9-40bc-bf05-b3403d80d93f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891187",
            "to_ids": true,
            "type": "md5",
            "uuid": "84740e1c-d740-4215-9708-da6375d50715",
            "value": "37945c44a897aa42a66adcab68f560e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890375",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f12ea358-c042-471d-98fa-a424ce2dd861",
            "value": "16605a4a29a101208457c47ebfde788487be788d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890375",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e61abb79-11da-46aa-8c9d-cdae9bfbce3e",
            "value": "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890243",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4ecee091-9788-4d9d-85d7-02933af9c29a",
            "value": "768:dEHVngZ2ZPD5GNxC+MglSGUH/Plaqh7m/Xn2iEDrPXQ6eatNMi2jXHUV:ii8PDwnlSGUH/PvafsIqo9rHUV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890243",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "11354117-c2dd-4b59-a739-e9cc6c5de56b",
            "value": "53624"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890243",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e37d2c77-697f-4bc4-b579-29aa29b24104",
            "value": "054046655d155038z443z7dz11z2fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890243",
            "to_ids": true,
            "type": "filename",
            "uuid": "23687d2a-dc31-4dd7-8c2e-a8f5200f0b08",
            "value": "BadRabbit_x86.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  15/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890243",
            "to_ids": false,
            "type": "text",
            "uuid": "0d2cb3c3-85f9-48d0-b408-02dc129a7f1d",
            "value": "Mimikatz\r\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/WDigest.A\nVT Total Detection:55/72\nFirst Submission:2017-10-24T22:03:46.000000+00:00\nLast Submission:2024-08-02T18:41:18.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891209",
        "uuid": "b83a5f49-8f40-4d57-940d-0ddf645c3e94",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891209",
            "to_ids": true,
            "type": "md5",
            "uuid": "c48dbbc0-7df0-4ef5-86a3-ce4beefaa79c",
            "value": "fbbdc39af1139aebba4da004475e8839",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890376",
            "to_ids": true,
            "type": "sha1",
            "uuid": "61bcf0ec-4bda-44b0-af17-c0cd96e4d090",
            "value": "de5c8d858e6e41da715dca1c019df0bfb92d32c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890376",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9db33c59-5373-457d-9dcb-b0c5e845cadd",
            "value": "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890265",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5669d656-b4f7-4225-9c22-aa515f6cf0c3",
            "value": "12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890265",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "179963c8-ff31-4e0c-9269-0ca6b55655ec",
            "value": "441899"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890265",
            "to_ids": true,
            "type": "vhash",
            "uuid": "78e92981-2768-4c87-8d15-7471d4396608",
            "value": "045056657d15151az1304fz13z1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890265",
            "to_ids": true,
            "type": "filename",
            "uuid": "8304fe1e-5e98-4178-ba76-642251a3d42e",
            "value": "FlashUtil.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  13/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890265",
            "to_ids": false,
            "type": "text",
            "uuid": "a822406e-5125-4fcd-875f-5c58ba68f0b2",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/Tibbar!pz\nVT Total Detection:65/72\nFirst Submission:2017-10-24T08:41:55.000000+00:00\nLast Submission:2026-02-19T16:27:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891230",
        "uuid": "39763b18-ddc6-4516-afc1-3cdfc01e1a0b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "JavaScript on compromised sites",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891230",
            "to_ids": true,
            "type": "md5",
            "uuid": "8f4cd896-824b-4480-9497-1636f55d03f6",
            "value": "d0d55e34d37bc1905a665fcf62117f37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "JavaScript on compromised sites",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890377",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7de40a07-5686-4e5a-ba5a-689767ea09c6",
            "value": "4f61e154230a64902ae035434690bf2b96b4e018",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "JavaScript on compromised sites",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890377",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cebfd956-1926-49ff-b501-b0f8ba48bfe7",
            "value": "e6812296369c43092277eba933c04375a4f6148c928235766e1cb6636e8aed3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890287",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a1a7e6ff-2b2f-4654-93c9-b0b9b2dc03b3",
            "value": "48:3eKEYazNpLxDmY8EZrfs3INwUcm49ZJU8ANcvQPDVVduEEcF6aYRKnZ9gfb4SUqz:OZ3E3IKk4NfAtLLd+nsnZ9g/ucB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890287",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bee75214-6275-4dde-ae24-efb3e4c4910f",
            "value": "3800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890287",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5d346f74-b48f-4eb3-9f18-8e839d82de33",
            "value": "a4c190680c3132617648d2518ff3cb3a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890287",
            "to_ids": true,
            "type": "filename",
            "uuid": "55dae415-a065-4aae-a9c6-dc97b4cb4558",
            "value": ".bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  13/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890287",
            "to_ids": false,
            "type": "text",
            "uuid": "c1243aaf-2aec-47cf-8fc8-787f28fdb6ef",
            "value": "JavaScript on compromised sites\r\nType Description: JavaScript\nMicrosoft: TrojanDownloader:JS/Tibbar.A\nVT Total Detection:26/62\nFirst Submission:2017-10-26T13:16:06.000000+00:00\nLast Submission:2018-10-04T21:31:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891252",
        "uuid": "3575654a-b787-4bcd-b81a-700fa72526d5",
        "Attribute": [
          {
            "category": "Payload delivery",
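            "comment": "DiskCryptor driver (dcrypt.sys). This sample is also listed in NSRL and tagged high false-positive risk, so a match on this hash alone is a weak indicator.",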
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891252",
            "to_ids": true,
            "type": "md5",
            "uuid": "82c8b67a-8ad0-40e9-9814-15b26e942a8d",
            "value": "b4e6d97dafd9224ed9a547d52c26ce02",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
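            "comment": "DiskCryptor driver (dcrypt.sys). This sample is also listed in NSRL and tagged high false-positive risk, so a match on this hash alone is a weak indicator.",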
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890378",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ac7f03ae-23c0-4b10-81a2-5a017051e07e",
            "value": "59cd4907a438b8300a467cee1c6fc31135757039",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
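            "comment": "DiskCryptor driver (dcrypt.sys). This sample is also listed in NSRL and tagged high false-positive risk, so a match on this hash alone is a weak indicator.",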
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890378",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4ce4fc7c-32dd-4906-8afd-4a1603affb81",
            "value": "682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890308",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f1f8fca0-3089-49c0-b868-95196c2ac296",
            "value": "3072:n0uIi6l1EzGXRcfTHzM2T8aWeCJScL1Qj9Jb8+5bSQMqqDLXZkunWdOA:n0uZYmN2NJScL1y9W++qqDLXNI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890308",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "26aeac04-4d2c-465e-9741-86e8f6002439",
            "value": "181448"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890308",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2cfaacb2-49cf-4df8-9f65-3951ed5160b4",
            "value": "015066656d1e551569z86z7axz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890308",
            "to_ids": true,
            "type": "filename",
            "uuid": "b3be3b9e-07e6-4eb0-b393-6b95c6e69cd6",
            "value": "dcrypt.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  12/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890308",
            "to_ids": false,
            "type": "text",
            "uuid": "8b5dc0ef-ba45-481b-96e2-04a1d7d59110",
            "value": "diskcryptor drv\r\nType Description: Win32 EXE\nFile distributed by: ['ntldr']\nData sources: ['National Software Reference Library (NSRL)']\nVerdict filename: ['dcrypt.sys']\nMicrosoft: None\nVT Total Detection:4/72\nFirst Submission:2014-07-10T01:06:25.000000+00:00\nLast Submission:2025-05-19T20:34:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771891273",
        "uuid": "87b9468a-5f30-4dec-8290-e7434ac4747c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DiskCryptor driver (dcrypt.sys)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771891273",
            "to_ids": true,
            "type": "md5",
            "uuid": "45ab3d48-78e9-4047-a9eb-786c1d00cdce",
            "value": "edb72f4a46c39452d1a5414f7d26454a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DiskCryptor driver (dcrypt.sys)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771890379",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a3749738-39a9-4cea-86d1-473548c1a0b9",
            "value": "08f94684e83a27f2414f439975b7f8a6d61fc056",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DiskCryptor driver (dcrypt.sys)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771890379",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f561b50f-c721-4421-9de1-7eeed5b94c1e",
            "value": "0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771890331",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "31b52a27-fc74-4f91-8f5c-c69ee9470c44",
            "value": "3072:zCBsPmcx7BTn/irEsrDUxo2vYsWwYEJOXKVviEWuwlVBgzUMqqDLW+z3AHW5:8sPnBT/irETNWiJOXKVvKBgz3qqDL1zt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771890331",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "12b1774b-d678-48c3-9697-cbd596590bc2",
            "value": "210632"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771890331",
            "to_ids": true,
            "type": "vhash",
            "uuid": "44c74723-3524-48bb-ac21-1b44ea1cccc7",
            "value": "025076656d555e551519z16z74xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771890331",
            "to_ids": true,
            "type": "filename",
            "uuid": "5ac7735c-1b7f-4e26-80ca-85c4294c50d6",
            "value": "dcrypt.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  29/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771890331",
            "to_ids": false,
            "type": "text",
            "uuid": "44748a27-df48-4d32-ab43-e6ddbda1d855",
            "value": "diskcryptor drv\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:1/72\nFirst Submission:2014-07-28T06:54:38.000000+00:00\nLast Submission:2025-04-18T00:35:58.000000+00:00"
          }
        ]
      }
    ]
  }
}