{
  "Event": {
    "analysis": "0",
    "date": "2026-01-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Energy Sector Incident Report - 29 December 2025",
    "protected": false,
    "publish_timestamp": "1777816508",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1776743414",
    "uuid": "fe0d7ff7-684f-46f5-a14d-7e6a7aa70de3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0068",
        "local": false,
        "name": "rectifyq:topic=\"cloud\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Default Credentials\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Device Restart/Shutdown\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Exploitation of Remote Services\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"External Remote Services\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Graphical User Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of View\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Module Firmware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Connection Enumeration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Screen Capture\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"System Firmware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Valid Accounts\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Network Device Firewall - T1562.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Webhook - T1567.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Permissions Modification - T1222\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hide Infrastructure - T1665\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Storage Discovery - T1680\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Device Configuration Dump - T1602.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Software - T1219.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal or Forge Kerberos Tickets - T1558\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"ENERGETIC BEAR\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ArguePatch\"",
        "relationship_type": ""
      },
      {
        "colour": "#670080",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"Linux\"",
        "relationship_type": ""
      },
      {
        "colour": "#7f009f",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"WinNT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769833289",
        "to_ids": false,
        "type": "link",
        "uuid": "64363281-72ce-44f3-b102-a36a95764c0c",
        "value": "https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/"
      },
      {
        "category": "Payload delivery",
        "comment": "PowerShell distributing DynoWiper 8 No sample in VT\r\nLast check:31/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769835966",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2d437cf4-0d67-49f0-addb-fb0b0eae790d",
        "value": "8759e79cf3341406564635f3f08b2f333b0547c444735dba54ea6fce8539cf15",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "PowerShell distributing DynoWiper 8 No sample in VT\r\nLast check:31/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769835968",
        "to_ids": true,
        "type": "sha256",
        "uuid": "41b5720e-2c61-4463-a971-a65788403a71",
        "value": "f4e9a3ddb83c53f5b7717af737ab0885abd2f1b89b2c676d3441a793f65ffaee",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Probably the original PowerShell distributing DynoWiper. No sample in VT.\r\nLast check: 31/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769835969",
        "to_ids": true,
        "type": "sha256",
        "uuid": "db7f1f22-1b1d-4404-aceb-148d9f7d78a0",
        "value": "68192ca0fde951d973eb41a07814f402f2b46e610889224bd54583d8a332a464",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN and Microsoft 365 logins. Used against multiple entities. Direct execution of DynoWiper. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769835980",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d1e70294-ed7b-4b5c-8c5d-03a6a8eb2cda",
        "value": "185.200.177.10",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836002",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b1efc264-1e82-453d-af55-8e3cb57455ff",
        "value": "31.172.71.5",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770121094",
        "to_ids": true,
        "type": "url",
        "uuid": "52901100-6765-4a10-ab28-32ee572bc0e9",
        "value": "https://31.172.71.5:50443/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770121092",
        "to_ids": true,
        "type": "url",
        "uuid": "7626af61-cad0-4cbd-b048-fd0704d748c9",
        "value": "https://31.172.71.5:8008/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Reverse proxy used for data exfiltration. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770121091",
        "to_ids": true,
        "type": "url",
        "uuid": "7ca5af3f-705f-49ff-aac5-a7f6ebad5688",
        "value": "https://31.172.71.5:44445/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins. Used against multiple entities. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836086",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "590fcf69-5665-4418-a453-72c50d1a2faf",
        "value": "193.200.17.163",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836107",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "dfebad5b-c800-43e1-b24e-f7db7a33d2ac",
        "value": "185.82.127.20",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836128",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8e42d146-36bd-4624-b9f9-3349b453299e",
        "value": "41.111.178.225",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN and O365 logins. Compromised server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836149",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ac7b2feb-ed47-4ed9-a5a8-b736f85b9b37",
        "value": "72.62.35.76",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836172",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d1117e01-d36c-4c69-b94c-a27dea361293",
        "value": "89.116.111.143",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836193",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4cff78a8-9558-4ad5-a905-6ca5ecf83702",
        "value": "194.61.121.178",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "VPN logins.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769836214",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2d71bb33-98d3-4e47-9008-23cb9c6ca3c7",
        "value": "159.69.50.242",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 50443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769834018",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "cf6bccb3-cf7b-4437-81e5-2a2907854147",
        "value": "31.172.71.5|50443"
      },
      {
        "category": "Network activity",
        "comment": "On port 8008",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769834018",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "7c26221c-5a27-43a7-bd52-5474b1fe15bc",
        "value": "31.172.71.5|8008"
      },
      {
        "category": "Network activity",
        "comment": "On port 44445",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769834019",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "96cbe1fd-7483-4c41-8b96-1b8cc585bc06",
        "value": "31.172.71.5|44445"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1769834254",
        "uuid": "ac8d01b0-37b8-4b24-ae5f-120b3da42ff9",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1769834254",
            "to_ids": false,
            "type": "text",
            "uuid": "86dc8a1b-72c7-4946-840b-398b82bb5287",
            "value": "DynoWiper"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1769834254",
            "to_ids": false,
            "type": "comment",
            "uuid": "8d4f4186-11a0-4981-b897-46859fe15a80",
            "value": "DynoWiper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1769834254",
            "to_ids": true,
            "type": "yara",
            "uuid": "43906260-1abe-4235-b6a7-8f891985f300",
            "value": "rule DynoWiper \r\n{  \r\nmeta:\r\n\tauthor = \"CERT Polska\"   \r\n\tdate = \"2025-12-31\"   \r\n\thash = \"4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6\"   \r\n\thash = \"86596a5c5b05a8bfbd14876de7404702f7d0d61b\"   \r\n\thash = \"69ede7e341fd26fa0577692b601d80cb44778d93\"   \r\n\thash = \"0e7dba87909836896f8072d213fa2da9afae3633\"  \r\nstrings:\r\n\t$a1 = \"$recycle.bin\" wide   \r\n\t$a2 = \"program files(x86)\" wide   \r\n\t$a3 = \"perflogs\" wide   \r\n\t$a4 = \"windows\\x00\" wide   \r\n\t$b1 = \"Error opening file: \" wide  \r\ncondition:\r\n\tuint16(0) == 0x5A4D and filesize < 500KB and 4 of them \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770121065",
        "uuid": "d0577c2a-cf5a-427a-864a-6b38990cced4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1769836236",
            "to_ids": true,
            "type": "md5",
            "uuid": "3a28c26d-6464-406d-9be4-7019f7153e77",
            "value": "ed98c116d49c959383451097ec65c203",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1769835961",
            "to_ids": true,
            "type": "sha1",
            "uuid": "527c818c-7219-4f24-974b-eaf56605fa55",
            "value": "0e7dba87909836896f8072d213fa2da9afae3633",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1769835961",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6b617463-1b70-41e6-bb35-95a46fb3f783",
            "value": "65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769834687",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a83e2a26-ac83-4e79-a374-7af6713e725f",
            "value": "3072:fT4SpKtaWp+id2jJgc43l4l2tgQyRUJWXwVDhDq2:r4SMtaz0l1fHyaoghDR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769834687",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f33ae733-dd28-4663-b9c6-cc733bc4576b",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1769834687",
            "to_ids": true,
            "type": "vhash",
            "uuid": "96f3ad79-0583-44b1-9e47-ad226435ba0d",
            "value": "015056655d15556038z4enz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769834687",
            "to_ids": true,
            "type": "filename",
            "uuid": "6f1cc7c5-da9a-4581-91a0-2d4bf2d17159",
            "value": "_65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 31/01/2026\nLast-scan\t:  31/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769834687",
            "to_ids": false,
            "type": "text",
            "uuid": "87ffb37a-495f-407d-a725-867f82e078d9",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/TanglePeak.B!dha\nVT Total Detection:39/72\nFirst Submission:2026-01-30T10:35:46.000000+00:00\nLast Submission:2026-01-30T11:52:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1769836257",
        "uuid": "4a045bd1-2fc8-4688-9162-cf4cdf750dfd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1769836257",
            "to_ids": true,
            "type": "md5",
            "uuid": "42143acd-e6bf-42f6-a033-f9903c407185",
            "value": "a727362416834fa63672b87820ff7f27",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1769835962",
            "to_ids": true,
            "type": "sha1",
            "uuid": "203ffc0c-ee2b-49d9-980a-abe1ffca92a4",
            "value": "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1769835962",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1868fecd-70c7-4fad-a852-68a4856f742f",
            "value": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769834709",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "56750036-9f16-4707-bd08-f2aac8f3658c",
            "value": "3072:fT4SpKtaWp+id2jJgc43l4l2tgQyRUJWXBVDhDq2:r4SMtaz0l1fHyaoThDR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769834709",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e906d90a-49ea-4c76-90b1-3adf6df12dba",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1769834709",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d5341331-6115-40ca-8b58-b7d0d6c35d21",
            "value": "015056651d15556038z4enz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769834709",
            "to_ids": true,
            "type": "filename",
            "uuid": "521156f9-c155-4bf8-9ecb-a15cf309260c",
            "value": "_835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 31/01/2026\nLast-scan\t:  31/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769834709",
            "to_ids": false,
            "type": "text",
            "uuid": "c1c63307-5216-470a-85d0-b826190b24fc",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/TanglePeak.B!dha\nVT Total Detection:38/72\nFirst Submission:2026-01-30T10:35:33.000000+00:00\nLast Submission:2026-01-30T11:52:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1769836278",
        "uuid": "10fbd2f3-d844-4786-81d5-1bbb98bfb4bf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1769836278",
            "to_ids": true,
            "type": "md5",
            "uuid": "d1c36fd7-b63a-4cdb-813e-902697eab69c",
            "value": "75fec5afb2deebab6dd9c16d9de35032",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1769835964",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5ef4e54e-4cf3-4c5a-ae2d-0aa663783f23",
            "value": "86596a5c5b05a8bfbd14876de7404702f7d0d61b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1769835964",
            "to_ids": true,
            "type": "sha256",
            "uuid": "58ab1fce-9b08-40d6-bb73-07da6452a259",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769834731",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8f660a57-01a3-46a7-b724-533dbb18b52a",
            "value": "1536:RI5x+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg+DjcX:R2Sz8tkNn9/Nc3mECxd8iD9yUS7vV8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769834731",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4dce8073-485d-4ad9-b2bf-5d833d74bbd1",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1769834731",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cd2ebf75-5ea5-41c6-a0cc-a2d57b964401",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769834731",
            "to_ids": true,
            "type": "filename",
            "uuid": "47fe6f8d-7406-4f76-bfda-d35969141ffc",
            "value": "zmi0nxuzu.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 31/01/2026\nLast-scan\t:  31/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769834731",
            "to_ids": false,
            "type": "text",
            "uuid": "0af6a59a-c0f6-49cd-b958-407f8a5f013d",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.C!dha\nVT Total Detection:35/72\nFirst Submission:2026-01-30T10:36:02.000000+00:00\nLast Submission:2026-01-30T11:52:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1769836299",
        "uuid": "34bfc4b5-ebfb-449a-8055-15361c4bf906",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1769836299",
            "to_ids": true,
            "type": "md5",
            "uuid": "de5eafd0-f5a6-4312-97c9-6229f6df4495",
            "value": "c4379da51e8b9e86ec3de934f9373f4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1769835965",
            "to_ids": true,
            "type": "sha1",
            "uuid": "545de7a8-b211-4632-bb06-b4ee99f92738",
            "value": "69ede7e341fd26fa0577692b601d80cb44778d93",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1769835965",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b514d67c-72ae-4ed7-b108-c1e760e5b567",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769834752",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6f0a3061-90a1-434a-9a04-e07ee885f5bf",
            "value": "1536:AIlx+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg6DjcA:AaSz8tkNn9/Nc3mECxd8eD9yUS70V8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769834752",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6d61be52-da2a-407d-a78a-70577ca961c0",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1769834752",
            "to_ids": true,
            "type": "vhash",
            "uuid": "797da985-b3a1-43b2-a796-f1ef44acfdf0",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769834752",
            "to_ids": true,
            "type": "filename",
            "uuid": "75c4cf9b-1633-4144-a169-2c11f33ccf6c",
            "value": "_d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 31/01/2026\nLast-scan\t:  30/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769834752",
            "to_ids": false,
            "type": "text",
            "uuid": "43887e1e-1992-4b72-8f15-3578700ec339",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.B!dha\nVT Total Detection:33/72\nFirst Submission:2026-01-30T10:35:54.000000+00:00\nLast Submission:2026-01-30T11:55:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1769836321",
        "uuid": "6bca0fd5-557a-49d1-8846-7267aaf65fef",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "LazyWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1769836321",
            "to_ids": true,
            "type": "md5",
            "uuid": "b5517803-8cb5-41b3-a74f-8a6d4e98bb93",
            "value": "4cb091e1adf824f406a315a087fa75fa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LazyWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1769835966",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c22d4366-48a1-42b3-bbd2-8888e222f255",
            "value": "608a0b34ab3a1625cb88fcbc9a5e4be809519390",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LazyWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1769835966",
            "to_ids": true,
            "type": "sha256",
            "uuid": "91196745-a0ce-47ba-b2ba-e26bd85c4912",
            "value": "033cb31c081ff4292f82e528f5cb78a503816462daba8cc18a6c4531009602c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769834774",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7250f618-7f97-46b9-b8ce-f807be809aab",
            "value": "48:IOwoYdOURvRvYZ5UoOVRS2o1mN2Ca7zXcbHQLycevDvdzbFg9i3E6ElJ4BSJ8OBD:IvoUkaPoSdKzsbHQLycSDv9Fg9gHElJl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769834774",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9655c69b-1481-4296-b37a-cc65b634a02d",
            "value": "2746"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1769834774",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5cf8e221-44ee-4968-972e-77522c5b8b8e",
            "value": "8900d33b733d9e686549113331a96e52"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769834774",
            "to_ids": true,
            "type": "filename",
            "uuid": "0cb168b5-2be0-4ff5-960f-6f70d1c65fd9",
            "value": "033cb31c081ff4292f82e528f5cb78a503816462daba8cc18a6c4531009602c2.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 31/01/2026\nLast-scan\t:  31/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769834774",
            "to_ids": false,
            "type": "text",
            "uuid": "131852d8-f4bd-4b0c-bf22-aad1dbf0a4b5",
            "value": "LazyWiper\r\nType Description: Powershell\nMicrosoft: Trojan:PowerShell/FickleFrostbite!dha\nVT Total Detection:11/62\nFirst Submission:2026-01-30T10:36:20.000000+00:00\nLast Submission:2026-01-31T03:50:36.000000+00:00"
          }
        ]
      }
    ]
  }
}