{
  "Event": {
    "analysis": "1",
    "date": "2025-12-29",
    "extends_uuid": "",
    "info": "[Threat Intel] Energy Sector Incident Report \u2013 29 December",
    "protected": false,
    "publish_timestamp": "1772423973",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772423968",
    "uuid": "5e620a7a-323c-4529-9710-dced8c01a497",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electric\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Network Device Firewall - T1562.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Webhook - T1567.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Permissions Modification - T1222\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hide Infrastructure - T1665\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Storage Discovery - T1680\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Device Configuration Dump - T1602.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Software - T1219.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal or Forge Kerberos Tickets - T1558\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Default Credentials\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Device Restart/Shutdown\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"External Remote Services\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Graphical User Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of View\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Module Firmware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Connection Enumeration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Screen Capture\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"System Firmware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Valid Accounts\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f6810a",
        "local": false,
        "name": "ICS-capable",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772392087",
        "to_ids": false,
        "type": "link",
        "uuid": "297a9dfa-064c-4307-b841-966c535cf69f",
        "value": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      },
      {
        "category": "Payload delivery",
        "comment": "PowerShell distributing DynoWiper. No sample in VT.\r\nLast check: 02/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394183",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4c2e3168-76fb-4d1f-8ba9-307450d86447",
        "value": "8759e79cf3341406564635f3f08b2f333b0547c444735dba54ea6fce8539cf15",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "PowerShell distributing DynoWiper. No sample in VT.\r\nLast check: 02/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394184",
        "to_ids": true,
        "type": "sha256",
        "uuid": "18aef8a1-d4d8-4d05-95d5-0fbcf3794991",
        "value": "f4e9a3ddb83c53f5b7717af737ab0885abd2f1b89b2c676d3441a793f65ffaee",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Probably the original PowerShell distributing DynoWiper. No sample in VT.\r\nLast check: 02/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394185",
        "to_ids": true,
        "type": "sha256",
        "uuid": "73d3b808-20fe-4316-8666-079fbc6bbdc1",
        "value": "68192ca0fde951d973eb41a07814f402f2b46e610889224bd54583d8a332a464",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN and Microsoft 365 logins. Used against multiple entities. Direct execution of DynoWiper. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395044",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bfe70696-94aa-4be9-aab9-382dcbf6f555",
        "value": "185.200.177.10",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395065",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a2688806-d903-4f85-9ff7-4948f026b82b",
        "value": "31.172.71.5",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423968",
        "to_ids": true,
        "type": "url",
        "uuid": "5f5a259f-fa40-4ed3-a6ff-4de75912d7ac",
        "value": "http://31.172.71.5:50443/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423968",
        "to_ids": true,
        "type": "url",
        "uuid": "a912d179-067c-44d5-a764-c28953345dc4",
        "value": "http://31.172.71.5:8008/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772423968",
        "to_ids": true,
        "type": "url",
        "uuid": "0ce20ca4-19f9-4f92-b3ac-284ca47ba4ef",
        "value": "http://31.172.71.5:44445/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins. Used against multiple entities. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395150",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bc23766b-a58f-4941-9a32-ea5818109b73",
        "value": "193.200.17.163",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395171",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "173e78e4-1e40-4d1c-a7ce-cdd6ad76ffb2",
        "value": "185.82.127.20",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395192",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f5cd18d3-5a16-431f-ae37-a1d36542dcdd",
        "value": "41.111.178.225",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN and O365 logins. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395213",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e187401e-2dfa-4894-994a-f88c7909b963",
        "value": "72.62.35.76",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395235",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f15ae06e-a1b0-42be-9569-e198069f06d3",
        "value": "89.116.111.143",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395256",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9c7f1111-f871-40a4-a46a-0ff5c319022e",
        "value": "194.61.121.178",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395277",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "895e0929-82e7-4d7a-9644-f9ba5d2f9009",
        "value": "159.69.50.242",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772392760",
        "to_ids": false,
        "type": "link",
        "uuid": "92012460-2eaa-40bb-9819-965b9c209f1b",
        "value": "https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772392254",
        "uuid": "e3a3bf17-b167-4025-ac8a-35d10723a813",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772392254",
            "to_ids": false,
            "type": "text",
            "uuid": "2a967204-7357-4d97-bdb9-e88e90316780",
            "value": "DynoWiper"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772392254",
            "to_ids": false,
            "type": "comment",
            "uuid": "4154720f-4610-46f1-9d78-2c1bbbafa3fe",
            "value": "DynoWiper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772392254",
            "to_ids": true,
            "type": "yara",
            "uuid": "0d5faf1e-ac9c-4ea4-bbb3-24841e810f4f",
            "value": "rule DynoWiper\r\n{\r\nmeta:\r\nauthor = \"CERT Polska\"\r\ndate = \"2025-12-31\"\r\nhash = \"4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6\"\r\nhash = \"86596a5c5b05a8bfbd14876de7404702f7d0d61b\"\r\nhash = \"69ede7e341fd26fa0577692b601d80cb44778d93\"\r\nhash = \"0e7dba87909836896f8072d213fa2da9afae3633\"\r\nstrings:\r\n$a1 = \"$recycle.bin\" wide\r\n$a2 = \"program files(x86)\" wide\r\n$a3 = \"perflogs\" wide\r\n$a4 = \"windows\\x00\" wide\r\n$b1 = \"Error opening file: \" wide\r\ncondition:\r\nuint16(0) == 0x5A4D\r\nand\r\nfilesize < 500KB\r\nand\r\n4 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395299",
        "uuid": "7260e9ff-53f6-4eab-be0f-8c45d19bfd1a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395299",
            "to_ids": true,
            "type": "md5",
            "uuid": "6b97d6bc-5990-4c70-835b-5438d7f0a82a",
            "value": "ed98c116d49c959383451097ec65c203",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394176",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bee6bc3e-fb62-4796-a641-dd592b3e93f8",
            "value": "0e7dba87909836896f8072d213fa2da9afae3633",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394176",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4595fd5f-27ab-4739-a08b-b6e3e0d3c8c4",
            "value": "65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393762",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7e41621a-5be0-4d94-bd4f-ebc2afdbb5df",
            "value": "3072:fT4SpKtaWp+id2jJgc43l4l2tgQyRUJWXwVDhDq2:r4SMtaz0l1fHyaoghDR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393762",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ee0307f0-6439-43d2-b922-f2cf7b3ebf6d",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393762",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0535f839-b5bc-497a-92fa-d7167c1024e2",
            "value": "015056655d15556038z4enz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393762",
            "to_ids": true,
            "type": "filename",
            "uuid": "3e319fd1-afc0-41b9-8365-f31494731340",
            "value": "65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  28/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393762",
            "to_ids": false,
            "type": "text",
            "uuid": "1e0ea388-0305-4af0-8e0c-db5b64fcef77",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/TanglePeak.B!dha\nVT Total Detection:54/72\nFirst Submission:2026-01-30T10:35:46.000000+00:00\nLast Submission:2026-01-31T07:52:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395320",
        "uuid": "ae5ddc37-da11-4a29-978e-e7ec84f9a3f3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395320",
            "to_ids": true,
            "type": "md5",
            "uuid": "5c235da2-9dff-4117-9b45-b56ea261ef5b",
            "value": "a727362416834fa63672b87820ff7f27",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394177",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e94e9cc9-dcc2-42ef-941b-944f9a56ba29",
            "value": "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394177",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5b506025-d4f5-4b30-a190-d03dbc7c072a",
            "value": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393784",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1814d656-a431-4fe0-aa35-049c037ded26",
            "value": "3072:fT4SpKtaWp+id2jJgc43l4l2tgQyRUJWXBVDhDq2:r4SMtaz0l1fHyaoThDR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393784",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6ca327b3-a42a-475b-bd62-a849471dbb53",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393784",
            "to_ids": true,
            "type": "vhash",
            "uuid": "19e036cc-6755-4a75-a0b0-805c6157808a",
            "value": "015056651d15556038z4enz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393784",
            "to_ids": true,
            "type": "filename",
            "uuid": "c62d3624-f38c-4d46-b35b-99ad2e33adaa",
            "value": "tmp57r4q6it"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393784",
            "to_ids": false,
            "type": "text",
            "uuid": "b04f2ce4-3668-457c-9342-3dca257f6c1d",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/DynoWiper!rfn\nVT Total Detection:51/72\nFirst Submission:2026-01-30T10:35:33.000000+00:00\nLast Submission:2026-02-23T02:28:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395341",
        "uuid": "fb0e67ea-0aec-4447-a890-d6857cd27163",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395341",
            "to_ids": true,
            "type": "md5",
            "uuid": "5c06615d-acb1-4b6a-a312-e424126e84ad",
            "value": "75fec5afb2deebab6dd9c16d9de35032",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394179",
            "to_ids": true,
            "type": "sha1",
            "uuid": "634c026c-51c8-44cf-921a-e708211be5f8",
            "value": "86596a5c5b05a8bfbd14876de7404702f7d0d61b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394179",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1da7a189-df91-446c-8b3d-9ba11c96385f",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393806",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "591c1dca-c797-4332-a1af-74806d5c099b",
            "value": "1536:RI5x+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg+DjcX:R2Sz8tkNn9/Nc3mECxd8iD9yUS7vV8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393806",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e0b70b96-8d2d-4170-8e36-816e6b413612",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393806",
            "to_ids": true,
            "type": "vhash",
            "uuid": "14a79189-4048-425c-87d1-49d5f6bcde7f",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393806",
            "to_ids": true,
            "type": "filename",
            "uuid": "7b2c6db2-15a4-4265-9d54-8f6398cba877",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393806",
            "to_ids": false,
            "type": "text",
            "uuid": "2df77e44-1829-490f-97ad-b8c15fc272b2",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.C!dha\nVT Total Detection:52/72\nFirst Submission:2026-01-30T10:36:02.000000+00:00\nLast Submission:2026-01-31T07:38:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395363",
        "uuid": "bd9e4039-ee5d-4d34-9def-ad9c88225166",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395363",
            "to_ids": true,
            "type": "md5",
            "uuid": "1d62f78b-b257-4d16-babc-00da48cf0809",
            "value": "c4379da51e8b9e86ec3de934f9373f4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394180",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1b769e74-abde-4073-88e9-b8d0b6f6860f",
            "value": "69ede7e341fd26fa0577692b601d80cb44778d93",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394180",
            "to_ids": true,
            "type": "sha256",
            "uuid": "107c1692-6bef-485f-afd9-2bb54e455333",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393827",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9e1715d4-c6a5-4533-87c3-efcc95a01b9a",
            "value": "1536:AIlx+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg6DjcA:AaSz8tkNn9/Nc3mECxd8eD9yUS70V8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393827",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8f742753-031e-45e2-a813-2fbdc3e5b808",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393827",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d0074a11-7aa9-4928-967e-7f6a6cff30ea",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393827",
            "to_ids": true,
            "type": "filename",
            "uuid": "472b04a3-4db3-4afe-9d1b-da89e6087929",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  28/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393827",
            "to_ids": false,
            "type": "text",
            "uuid": "0800d032-cce8-485b-a4b8-3c1923205397",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.B!dha\nVT Total Detection:53/72\nFirst Submission:2026-01-30T10:35:54.000000+00:00\nLast Submission:2026-02-07T16:25:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395385",
        "uuid": "d935f9a6-b83b-4ff2-88f3-018cd4d52e89",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "LazyWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395385",
            "to_ids": true,
            "type": "md5",
            "uuid": "1ce74fa5-4902-40c8-b97b-6ec29fb1d432",
            "value": "4cb091e1adf824f406a315a087fa75fa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LazyWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394181",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8d6d4a95-d496-4174-a492-5a716fb70569",
            "value": "608a0b34ab3a1625cb88fcbc9a5e4be809519390",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LazyWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394181",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f176dd41-c691-427f-9184-dfca3b662432",
            "value": "033cb31c081ff4292f82e528f5cb78a503816462daba8cc18a6c4531009602c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393849",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0ff5be14-4407-44ae-b97e-709863c898de",
            "value": "48:IOwoYdOURvRvYZ5UoOVRS2o1mN2Ca7zXcbHQLycevDvdzbFg9i3E6ElJ4BSJ8OBD:IvoUkaPoSdKzsbHQLycSDv9Fg9gHElJl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393849",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ec7c29a2-a773-4187-baf5-a183bb5b5744",
            "value": "2746"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393849",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2b976914-d124-4c29-b5f6-010615bc0aa0",
            "value": "8900d33b733d9e686549113331a96e52"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393849",
            "to_ids": true,
            "type": "filename",
            "uuid": "73d902cf-6506-4764-8f34-b842b9503c3b",
            "value": "x7pd8.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  27/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393849",
            "to_ids": false,
            "type": "text",
            "uuid": "b6432d3b-2d9e-4563-9bbb-598d6cb09262",
            "value": "LazyWiper\r\nType Description: Powershell\nMicrosoft: Trojan:PowerShell/FickleFrostbite!dha\nVT Total Detection:37/62\nFirst Submission:2026-01-30T10:36:20.000000+00:00\nLast Submission:2026-01-31T17:40:32.000000+00:00"
          }
        ]
      }
    ]
  }
}