diff --git a/killchains/Attack-Flow/Groups-Malware/Seedworm/Basic_exfiltration_via_C2/Seedworm via Microsoft Teams.afb b/killchains/Attack-Flow/Groups-Malware/Seedworm/Basic_exfiltration_via_C2/Seedworm via Microsoft Teams.afb new file mode 100644 index 0000000..b1766c4 --- /dev/null +++ b/killchains/Attack-Flow/Groups-Malware/Seedworm/Basic_exfiltration_via_C2/Seedworm via Microsoft Teams.afb @@ -0,0 +1,2183 @@ +{ + "schema": "attack_flow_v2", + "theme": "dark_theme", + "objects": [ + { + "id": "flow", + "instance": "7569688e-2af1-4fab-bdb9-fd140ef6b17e", + "properties": [ + [ + "name", + "Seedworm via Microsoft Teams" + ], + [ + "description", + "In late February 2026, escalating geopolitical tensions in the Middle East culminated in coordinated military actions involving the United States and Israel, followed by retaliatory missile and drone activity from Iran. In the weeks that followed, the CyberProof Threat Intelligence team observed a corresponding increase in Iranian-linked cyber activity, with several campaigns emerging in early March 2026.\n\nOne such campaign is attributed to the Iranian advanced persistent threat (APT) group commonly tracked as Seedworm. This blog details an intrusion investigated by CyberProof’s MDR and Advanced Threat Hunting teams, highlighting Seedworm’s continued reliance on targeted social engineering combined with custom malware tooling to gain and maintain access in enterprise environments. " + ], + [ + "author", + [ + [ + "name", + "Trout Software" + ], + [ + "identity_class", + "organization" + ], + [ + "contact_information", + null + ] + ] + ], + [ + "scope", + "threat-actor" + ], + [ + "classification", + [ + [ + "marking", + null + ], + [ + "group", + null + ] + ] + ], + [ + "external_references", + [] + ], + [ + "created", + { + "time": "2026-04-23T16:00:21.063+02:00", + "zone": "Europe/Paris" + } + ] + ], + "objects": [ + "e8d4dfaa-e781-48ca-b838-bee393c3990c", + "3bbf342a-d11f-449e-ae96-6837b07c9702", + "b757e333-b63c-46f3-8c12-680c228be9a6", + "29375e35-cad3-4243-b59b-8b53f29a62b3", + "18511fcc-f33d-449c-800e-77332cd042fd", + "cf4ae5ee-d6f1-4d42-b279-7dfd15e55ab1", + "bea871dd-8a41-47f4-bcd6-3ef96f1b0226", + "6a91b1e5-ffdf-4ce2-b008-3127856a8874", + "8da7fd1f-a490-4109-a4e9-368c46bd8518", + "cd0a9abc-e13e-4ef4-b362-72c16ee12060", + "774e7bce-418c-4a11-bb05-7ee3724c6014", + "995fbcf0-5e01-4d62-9d7c-f7365674ccc4", + "55b96293-e347-45b9-9841-7c955bceed93", + "c1b3d052-a2c5-4eba-8418-711b4961b03d", + "9ee9f489-7bd7-426c-a491-faa208f77e4d", + "734b6c47-2e37-47ab-9911-b2a53c0195c0", + "bb01c7fe-2f0c-4b4a-9efa-8a36e89b880f", + "0e92e872-5052-4cfa-9f9f-72cc2ec12815", + "3fd92e6d-5e20-4e3a-b0b8-9b69c912de93", + "aa474db1-aee4-47fa-98c5-b63375650b3e", + "aa6263b3-1d83-4824-b7c6-20d233089bbc", + "bf3e2d9e-c467-466c-8797-5c734764a334", + "03ad1caf-ab1b-466d-8f04-37d982ef4fcf", + "af0cc956-a31d-4c94-93f9-7c6c33d462e4", + "99cc0716-3aff-4451-9fdd-58ca29e45685", + "aac04353-a4fc-4ae8-a7ea-e3d57c7176e6", + "ecab2c1d-3445-4468-a9fe-15a7e19f1d55", + "3f2ff7a4-3e37-4c3c-8385-ac652c6ce340", + "888ff1a5-cd05-45c2-abf6-491324f32884" + ] + }, + { + "id": "dynamic_line", + "instance": "e8d4dfaa-e781-48ca-b838-bee393c3990c", + "source": "4a27d1c6-7465-44ac-b2f0-5a21fd37aa46", + "target": "ec9fd0fb-96a4-4184-8fda-e91d2f23595c", + "handles": [ + "22f68876-6ee3-41f6-9f05-f8dfe66b030e" + ] + }, + { + "id": "generic_latch", + "instance": "4a27d1c6-7465-44ac-b2f0-5a21fd37aa46" + }, + { + "id": "generic_latch", + "instance": "ec9fd0fb-96a4-4184-8fda-e91d2f23595c" + }, + { + "id": "generic_handle", + "instance": "22f68876-6ee3-41f6-9f05-f8dfe66b030e" + }, + { + "id": "dynamic_line", + "instance": "3bbf342a-d11f-449e-ae96-6837b07c9702", + "source": "b0fe7aea-1b63-45d0-b7be-fe394eb0c9d8", + "target": "ff56bfcc-d24a-46ed-83c1-e59749844514", + "handles": [ + "2fa9b605-ebf7-453b-9b0a-abd8fb7deae8" + ] + }, + { + "id": "generic_latch", + "instance": "b0fe7aea-1b63-45d0-b7be-fe394eb0c9d8" + }, + { + "id": "generic_latch", + "instance": "ff56bfcc-d24a-46ed-83c1-e59749844514" + }, + { + "id": "generic_handle", + "instance": "2fa9b605-ebf7-453b-9b0a-abd8fb7deae8" + }, + { + "id": "dynamic_line", + "instance": "b757e333-b63c-46f3-8c12-680c228be9a6", + "source": "9365ef18-bee2-4de3-bbc5-9575746199f8", + "target": "bf2f8207-127f-40da-9537-182dc745099b", + "handles": [ + "89fd2406-0712-4ba4-ba4f-804c403be950" + ] + }, + { + "id": "generic_latch", + "instance": "9365ef18-bee2-4de3-bbc5-9575746199f8" + }, + { + "id": "generic_latch", + "instance": "bf2f8207-127f-40da-9537-182dc745099b" + }, + { + "id": "generic_handle", + "instance": "89fd2406-0712-4ba4-ba4f-804c403be950" + }, + { + "id": "dynamic_line", + "instance": "29375e35-cad3-4243-b59b-8b53f29a62b3", + "source": "c0e81049-53a6-4c7a-b62c-0d9148a27195", + "target": "3cc2f345-ac24-4bbf-bf88-bc2ae898e52d", + "handles": [ + "73920444-d7cd-4b9a-bac9-b8644ab65220" + ] + }, + { + "id": "generic_latch", + "instance": "c0e81049-53a6-4c7a-b62c-0d9148a27195" + }, + { + "id": "generic_latch", + "instance": "3cc2f345-ac24-4bbf-bf88-bc2ae898e52d" + }, + { + "id": "generic_handle", + "instance": "73920444-d7cd-4b9a-bac9-b8644ab65220" + }, + { + "id": "dynamic_line", + "instance": "18511fcc-f33d-449c-800e-77332cd042fd", + "source": "a27573f5-401e-459b-b01b-a5ce9fd627aa", + "target": "cefe1400-0a4f-45dd-8a66-8d2bc61213b1", + "handles": [ + "2c3dddd2-46b2-45a6-9079-0d6b311e2fde" + ] + }, + { + "id": "generic_latch", + "instance": "a27573f5-401e-459b-b01b-a5ce9fd627aa" + }, + { + "id": "generic_latch", + "instance": "cefe1400-0a4f-45dd-8a66-8d2bc61213b1" + }, + { + "id": "generic_handle", + "instance": "2c3dddd2-46b2-45a6-9079-0d6b311e2fde" + }, + { + "id": "dynamic_line", + "instance": "cf4ae5ee-d6f1-4d42-b279-7dfd15e55ab1", + "source": "3691ec44-d762-41b6-93d7-47f183394f43", + "target": "20588270-98a2-4af0-8f87-d9cbb48eb004", + "handles": [ + "8a7e9092-451a-4345-9be2-73819786abea" + ] + }, + { + "id": "generic_latch", + "instance": "3691ec44-d762-41b6-93d7-47f183394f43" + }, + { + "id": "generic_latch", + "instance": "20588270-98a2-4af0-8f87-d9cbb48eb004" + }, + { + "id": "generic_handle", + "instance": "8a7e9092-451a-4345-9be2-73819786abea" + }, + { + "id": "dynamic_line", + "instance": "bea871dd-8a41-47f4-bcd6-3ef96f1b0226", + "source": "0e5d9c51-e049-4490-bffb-6c59c92e8176", + "target": "e455a2c3-d88e-4639-b781-633f29499522", + "handles": [ + "d107be99-0734-4a5c-b9ae-c0f077953585" + ] + }, + { + "id": "generic_latch", + "instance": "0e5d9c51-e049-4490-bffb-6c59c92e8176" + }, + { + "id": "generic_latch", + "instance": "e455a2c3-d88e-4639-b781-633f29499522" + }, + { + "id": "generic_handle", + "instance": "d107be99-0734-4a5c-b9ae-c0f077953585" + }, + { + "id": "dynamic_line", + "instance": "6a91b1e5-ffdf-4ce2-b008-3127856a8874", + "source": "bf134ca9-ae01-48bf-aec4-e7e2a16b4502", + "target": "4bf8be93-a64c-4fff-8d57-12823382d8af", + "handles": [ + "0faa384b-ee89-4716-b107-797749ccbe3d" + ] + }, + { + "id": "generic_latch", + "instance": "bf134ca9-ae01-48bf-aec4-e7e2a16b4502" + }, + { + "id": "generic_latch", + "instance": "4bf8be93-a64c-4fff-8d57-12823382d8af" + }, + { + "id": "generic_handle", + "instance": "0faa384b-ee89-4716-b107-797749ccbe3d" + }, + { + "id": "dynamic_line", + "instance": "8da7fd1f-a490-4109-a4e9-368c46bd8518", + "source": "f4ef5bda-9246-49c7-99f6-3a725a49272e", + "target": "09623386-28d2-4c72-971e-4b6256e80c30", + "handles": [ + "3f9eeadd-a920-4ae1-80ab-f994fba22d88" + ] + }, + { + "id": "generic_latch", + "instance": "f4ef5bda-9246-49c7-99f6-3a725a49272e" + }, + { + "id": "generic_latch", + "instance": "09623386-28d2-4c72-971e-4b6256e80c30" + }, + { + "id": "generic_handle", + "instance": "3f9eeadd-a920-4ae1-80ab-f994fba22d88" + }, + { + "id": "dynamic_line", + "instance": "cd0a9abc-e13e-4ef4-b362-72c16ee12060", + "source": "7d9da83f-9e3e-4d76-a567-5c70ee84320b", + "target": "594300f3-5f86-49da-98fc-ddc7cfd9daa9", + "handles": [ + "37dd63c1-818f-4170-b61f-391bc308a2f3" + ] + }, + { + "id": "generic_latch", + "instance": "7d9da83f-9e3e-4d76-a567-5c70ee84320b" + }, + { + "id": "generic_latch", + "instance": "594300f3-5f86-49da-98fc-ddc7cfd9daa9" + }, + { + "id": "generic_handle", + "instance": "37dd63c1-818f-4170-b61f-391bc308a2f3" + }, + { + "id": "dynamic_line", + "instance": "774e7bce-418c-4a11-bb05-7ee3724c6014", + "source": "05324864-f7a2-4410-b9e6-3b683f5c47f5", + "target": "f574b7a7-0742-4862-a85d-3bdf0a8b89ad", + "handles": [ + "58324381-dc9a-401f-8499-fcf78d58dd41" + ] + }, + { + "id": "generic_latch", + "instance": "05324864-f7a2-4410-b9e6-3b683f5c47f5" + }, + { + "id": "generic_latch", + "instance": "f574b7a7-0742-4862-a85d-3bdf0a8b89ad" + }, + { + "id": "generic_handle", + "instance": "58324381-dc9a-401f-8499-fcf78d58dd41" + }, + { + "id": "dynamic_line", + "instance": "995fbcf0-5e01-4d62-9d7c-f7365674ccc4", + "source": "345f3fe5-d720-40a2-a396-c415c465d22e", + "target": "0a53c1a2-a22f-47cc-b5c0-86a4a7c3b174", + "handles": [ + "c70ec2ba-3c46-4929-9b11-c2e395a6bd21" + ] + }, + { + "id": "generic_latch", + "instance": "345f3fe5-d720-40a2-a396-c415c465d22e" + }, + { + "id": "generic_latch", + "instance": "0a53c1a2-a22f-47cc-b5c0-86a4a7c3b174" + }, + { + "id": "generic_handle", + "instance": "c70ec2ba-3c46-4929-9b11-c2e395a6bd21" + }, + { + "id": "dynamic_line", + "instance": "55b96293-e347-45b9-9841-7c955bceed93", + "source": "74737fa4-6de4-4789-a3c9-ca25f88eb586", + "target": "d4d3607e-8d76-42b5-ad00-19c2106f4948", + "handles": [ + "d499e87a-5b13-479e-9bce-6b89b7b209f9" + ] + }, + { + "id": "generic_latch", + "instance": "74737fa4-6de4-4789-a3c9-ca25f88eb586" + }, + { + "id": "generic_latch", + "instance": "d4d3607e-8d76-42b5-ad00-19c2106f4948" + }, + { + "id": "generic_handle", + "instance": "d499e87a-5b13-479e-9bce-6b89b7b209f9" + }, + { + "id": "dynamic_line", + "instance": "c1b3d052-a2c5-4eba-8418-711b4961b03d", + "source": "e6e42d00-e3cf-490d-a17e-7d4eab3d051e", + "target": "920fc7ee-c67b-4148-aaa5-ac76a7d47846", + "handles": [ + "d7a0038d-599f-421a-8641-b2cbaf7b7d5f" + ] + }, + { + "id": "generic_latch", + "instance": "e6e42d00-e3cf-490d-a17e-7d4eab3d051e" + }, + { + "id": "generic_latch", + "instance": "920fc7ee-c67b-4148-aaa5-ac76a7d47846" + }, + { + "id": "generic_handle", + "instance": "d7a0038d-599f-421a-8641-b2cbaf7b7d5f" + }, + { + "id": "action", + "instance": "9ee9f489-7bd7-426c-a491-faa208f77e4d", + "properties": [ + [ + "name", + "Spearphishing via Service" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0001" + ], + [ + "technique", + "T1566.003" + ] + ] + ], + [ + "description", + "The intrusion began with a carefully crafted social engineering where the attacker reached out to the victim as an external users via Microsoft teams. " + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "899cde6d-ac65-4ead-9922-d658266e85e0", + "30": "089095b7-8684-4c7d-bbee-e12bcd91a806", + "60": "f01d36ce-5aa4-4b32-b88f-f0d14ba6e4e9", + "90": "86f1a2ef-b52d-4a07-9275-415967545540", + "120": "5e45bfb1-8d70-453c-bb87-43603bfbb8b8", + "150": "aa7590fc-8462-43d4-bda9-6d733e1c4a97", + "180": "f1e17caa-e606-4c0c-a43f-6b37dc86eecd", + "210": "c226d6ca-e84a-47fd-a393-4ec1e58b708b", + "240": "6a137af0-f536-4153-aefb-899e4c12deed", + "270": "f2fc3d3c-7c80-4ddb-92cc-920f782ca43f", + "300": "3f783ec8-5dc1-439d-b36b-9b1a89086764", + "330": "424d08c5-4b50-4d9c-afef-cd40217f7730" + } + }, + { + "id": "horizontal_anchor", + "instance": "899cde6d-ac65-4ead-9922-d658266e85e0", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "089095b7-8684-4c7d-bbee-e12bcd91a806", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "f01d36ce-5aa4-4b32-b88f-f0d14ba6e4e9", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "86f1a2ef-b52d-4a07-9275-415967545540", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5e45bfb1-8d70-453c-bb87-43603bfbb8b8", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "aa7590fc-8462-43d4-bda9-6d733e1c4a97", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "f1e17caa-e606-4c0c-a43f-6b37dc86eecd", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "c226d6ca-e84a-47fd-a393-4ec1e58b708b", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "6a137af0-f536-4153-aefb-899e4c12deed", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "f2fc3d3c-7c80-4ddb-92cc-920f782ca43f", + "latches": [ + "4a27d1c6-7465-44ac-b2f0-5a21fd37aa46" + ] + }, + { + "id": "vertical_anchor", + "instance": "3f783ec8-5dc1-439d-b36b-9b1a89086764", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "424d08c5-4b50-4d9c-afef-cd40217f7730", + "latches": [] + }, + { + "id": "asset", + "instance": "734b6c47-2e37-47ab-9911-b2a53c0195c0", + "properties": [ + [ + "name", + "Microsoft Teams" + ], + [ + "description", + null + ] + ], + "anchors": { + "0": "6484c78b-88b2-4769-913b-27b4a864dc6b", + "30": "8e117fad-f795-4007-8ec7-b8e992f2d03f", + "60": "bf4835df-d257-4cac-bf9b-7afc96c07faf", + "90": "020c4a0c-2bed-4340-bb7d-24ed72201796", + "120": "088602af-525c-41c3-bfa3-b6f9a8275d94", + "150": "879ec493-5d29-41bd-8cd0-9fcd4c0ea03d", + "180": "12a1b4df-a80e-4b8b-9d94-494fed904cfd", + "210": "59411110-9f79-422d-926c-60d21b516d9e", + "240": "5453da71-e75d-4103-b501-f668610109ce", + "270": "53230d40-4e1e-434b-be32-2b95da083e5b", + "300": "da32495d-f92e-42ca-a3a4-1a71130d282e", + "330": "dfcdae85-b78a-469d-a858-463e37b284a2" + } + }, + { + "id": "horizontal_anchor", + "instance": "6484c78b-88b2-4769-913b-27b4a864dc6b", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "8e117fad-f795-4007-8ec7-b8e992f2d03f", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "bf4835df-d257-4cac-bf9b-7afc96c07faf", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "020c4a0c-2bed-4340-bb7d-24ed72201796", + "latches": [ + "bf2f8207-127f-40da-9537-182dc745099b" + ] + }, + { + "id": "vertical_anchor", + "instance": "088602af-525c-41c3-bfa3-b6f9a8275d94", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "879ec493-5d29-41bd-8cd0-9fcd4c0ea03d", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "12a1b4df-a80e-4b8b-9d94-494fed904cfd", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "59411110-9f79-422d-926c-60d21b516d9e", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5453da71-e75d-4103-b501-f668610109ce", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "53230d40-4e1e-434b-be32-2b95da083e5b", + "latches": [ + "b0fe7aea-1b63-45d0-b7be-fe394eb0c9d8" + ] + }, + { + "id": "vertical_anchor", + "instance": "da32495d-f92e-42ca-a3a4-1a71130d282e", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "dfcdae85-b78a-469d-a858-463e37b284a2", + "latches": [] + }, + { + "id": "action", + "instance": "bb01c7fe-2f0c-4b4a-9efa-8a36e89b880f", + "properties": [ + [ + "name", + "Malicious File" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0002" + ], + [ + "technique", + "T1204.002" + ] + ] + ], + [ + "description", + "Through this interaction, the user was convinced to execute a malicious installer named update_ms.msi, masquerading as a Windows update package. This MSI served as the initial dropper for a custom backdoor referred to as Dindoor. " + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "8d33bb80-d437-4dc1-a0c0-ffee9a2f132e", + "30": "7e357109-0e2f-45e7-9501-cfe9f376d67e", + "60": "cbbbeaca-0d24-4e7e-9446-ff574a85427a", + "90": "c4f71fc5-bd40-4d31-bf59-86fad0e212f5", + "120": "fea9f872-0868-4fd2-a81e-f5e5066c281b", + "150": "b22f689b-3484-4f53-8253-eebe339c1c4e", + "180": "ad74c6cf-cac6-4b08-b15a-9ce2686e6edf", + "210": "f4a60852-11b2-43ce-b61e-2646844a6b3f", + "240": "19481d34-85d9-4311-b5dc-25e4ca09ad71", + "270": "a3505353-0ea5-40b8-bcf7-a031991b7b19", + "300": "f8af4a12-b438-4f6f-886e-aeaad4f2aa4f", + "330": "e4228f8a-da14-4ef3-ab29-34eb607f32cc" + } + }, + { + "id": "horizontal_anchor", + "instance": "8d33bb80-d437-4dc1-a0c0-ffee9a2f132e", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "7e357109-0e2f-45e7-9501-cfe9f376d67e", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "cbbbeaca-0d24-4e7e-9446-ff574a85427a", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "c4f71fc5-bd40-4d31-bf59-86fad0e212f5", + "latches": [ + "ff56bfcc-d24a-46ed-83c1-e59749844514" + ] + }, + { + "id": "vertical_anchor", + "instance": "fea9f872-0868-4fd2-a81e-f5e5066c281b", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "b22f689b-3484-4f53-8253-eebe339c1c4e", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ad74c6cf-cac6-4b08-b15a-9ce2686e6edf", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "f4a60852-11b2-43ce-b61e-2646844a6b3f", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "19481d34-85d9-4311-b5dc-25e4ca09ad71", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "a3505353-0ea5-40b8-bcf7-a031991b7b19", + "latches": [ + "c0e81049-53a6-4c7a-b62c-0d9148a27195" + ] + }, + { + "id": "vertical_anchor", + "instance": "f8af4a12-b438-4f6f-886e-aeaad4f2aa4f", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "e4228f8a-da14-4ef3-ab29-34eb607f32cc", + "latches": [] + }, + { + "id": "action", + "instance": "0e92e872-5052-4cfa-9f9f-72cc2ec12815", + "properties": [ + [ + "name", + "Masquerade Account Name" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0005" + ], + [ + "technique", + "T1036.010" + ] + ] + ], + [ + "description", + "The external actor, impersonating IT support using the name Sarah Wilson (sarahwilson@seqhelpsitdevsupportops[.]onmicrosoft.com), contacted the user claiming that another employee had been compromised and requesting assistance." + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "8a4c7a06-8083-4651-b9ee-7f4a2392ce79", + "30": "cb33a334-a563-4400-9a5f-57c7c0a3e5c1", + "60": "4e496329-1bd1-4348-aead-dd79e03832e0", + "90": "5887873b-b645-47c3-8038-da9fd2642c89", + "120": "4c963a32-0f5f-4ca7-8359-d5bf8d19654c", + "150": "946d3c71-3d77-4acd-a3ce-29e0ce2c4541", + "180": "3c47ad5f-717c-48ec-82a5-830eb310a694", + "210": "66a1573e-f7a9-4214-8efa-5c5b20366dfe", + "240": "8100d99d-d1e5-4309-85fb-7083a392dc72", + "270": "24bfff13-11f7-4a88-8b39-f40a460d3730", + "300": "d5fc5ecf-8e27-4b74-9991-f1b10802e23e", + "330": "ed7f6168-cb25-46fc-af75-29d35cdaf218" + } + }, + { + "id": "horizontal_anchor", + "instance": "8a4c7a06-8083-4651-b9ee-7f4a2392ce79", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "cb33a334-a563-4400-9a5f-57c7c0a3e5c1", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "4e496329-1bd1-4348-aead-dd79e03832e0", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5887873b-b645-47c3-8038-da9fd2642c89", + "latches": [ + "ec9fd0fb-96a4-4184-8fda-e91d2f23595c" + ] + }, + { + "id": "vertical_anchor", + "instance": "4c963a32-0f5f-4ca7-8359-d5bf8d19654c", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "946d3c71-3d77-4acd-a3ce-29e0ce2c4541", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "3c47ad5f-717c-48ec-82a5-830eb310a694", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "66a1573e-f7a9-4214-8efa-5c5b20366dfe", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "8100d99d-d1e5-4309-85fb-7083a392dc72", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "24bfff13-11f7-4a88-8b39-f40a460d3730", + "latches": [ + "9365ef18-bee2-4de3-bbc5-9575746199f8" + ] + }, + { + "id": "vertical_anchor", + "instance": "d5fc5ecf-8e27-4b74-9991-f1b10802e23e", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ed7f6168-cb25-46fc-af75-29d35cdaf218", + "latches": [] + }, + { + "id": "action", + "instance": "3fd92e6d-5e20-4e3a-b0b8-9b69c912de93", + "properties": [ + [ + "name", + "Visual Basic" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0002" + ], + [ + "technique", + "T1059.005" + ] + ] + ], + [ + "description", + "One dropped component was Falcon_module63.vbs, indicating VBScript use." + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "cbfd1918-4104-496a-a1af-5a2659fdc366", + "30": "26f5fee5-d38f-412d-bdee-ee5fa39261b8", + "60": "2142d739-bf6b-4d18-8b4a-2fdd114924ee", + "90": "c96a333b-111e-4120-8abc-103bd20da832", + "120": "f3825fda-b7b4-4b9a-b16f-0350dd551fcf", + "150": "56b49188-8df1-40f8-bd60-03b32e3b6f8b", + "180": "a7c18a42-8ad4-4a62-87fe-dc763a9459c3", + "210": "3e376c60-1487-4ae2-a299-a63b2f353210", + "240": "29976f5f-f38a-4a08-a6cc-30b54b3df3fe", + "270": "6c805f3d-0707-4724-86dc-52bf2caf586c", + "300": "f05c1885-468c-4873-800b-da5841384110", + "330": "fc70a316-bec1-440e-a246-a3ed830e30ba" + } + }, + { + "id": "horizontal_anchor", + "instance": "cbfd1918-4104-496a-a1af-5a2659fdc366", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "26f5fee5-d38f-412d-bdee-ee5fa39261b8", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "2142d739-bf6b-4d18-8b4a-2fdd114924ee", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "c96a333b-111e-4120-8abc-103bd20da832", + "latches": [ + "3cc2f345-ac24-4bbf-bf88-bc2ae898e52d" + ] + }, + { + "id": "vertical_anchor", + "instance": "f3825fda-b7b4-4b9a-b16f-0350dd551fcf", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "56b49188-8df1-40f8-bd60-03b32e3b6f8b", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "a7c18a42-8ad4-4a62-87fe-dc763a9459c3", + "latches": [ + "a27573f5-401e-459b-b01b-a5ce9fd627aa" + ] + }, + { + "id": "horizontal_anchor", + "instance": "3e376c60-1487-4ae2-a299-a63b2f353210", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "29976f5f-f38a-4a08-a6cc-30b54b3df3fe", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "6c805f3d-0707-4724-86dc-52bf2caf586c", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "f05c1885-468c-4873-800b-da5841384110", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "fc70a316-bec1-440e-a246-a3ed830e30ba", + "latches": [] + }, + { + "id": "action", + "instance": "aa474db1-aee4-47fa-98c5-b63375650b3e", + "properties": [ + [ + "name", + "PowerShell" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0002" + ], + [ + "technique", + "T1059.001" + ] + ] + ], + [ + "description", + "Another dropped component was tango13.ps1, and the article says that script retrieved additional payloads." + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "c637233b-57a5-45e6-98eb-e1479265468d", + "30": "13c58b96-2800-4281-bcf8-ba46e89ab21a", + "60": "cf9c0ca0-cb0c-4db8-a5a8-b33b37db724e", + "90": "7cf620a5-5057-4620-ac25-5d773c652ef0", + "120": "6dd30dce-17da-48dd-ab0b-6e3d29f12a4d", + "150": "4f594fc1-cfd9-46d0-b53a-1758509a37c0", + "180": "1fc1bffe-abc3-47c0-8e75-c01d02841ac6", + "210": "ddf3ef9a-8cfe-4279-bdf6-feae730ca24f", + "240": "5861c7e8-0257-4c56-9d31-d512d9ea021d", + "270": "5c9c1d16-eec1-43e6-a632-0155267c69b3", + "300": "b762c11c-431b-4f31-ac92-b75a3af826c0", + "330": "87c29a01-aec5-4b31-8d5f-a8e01d4a613d" + } + }, + { + "id": "horizontal_anchor", + "instance": "c637233b-57a5-45e6-98eb-e1479265468d", + "latches": [ + "cefe1400-0a4f-45dd-8a66-8d2bc61213b1" + ] + }, + { + "id": "horizontal_anchor", + "instance": "13c58b96-2800-4281-bcf8-ba46e89ab21a", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "cf9c0ca0-cb0c-4db8-a5a8-b33b37db724e", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "7cf620a5-5057-4620-ac25-5d773c652ef0", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "6dd30dce-17da-48dd-ab0b-6e3d29f12a4d", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "4f594fc1-cfd9-46d0-b53a-1758509a37c0", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "1fc1bffe-abc3-47c0-8e75-c01d02841ac6", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ddf3ef9a-8cfe-4279-bdf6-feae730ca24f", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5861c7e8-0257-4c56-9d31-d512d9ea021d", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5c9c1d16-eec1-43e6-a632-0155267c69b3", + "latches": [ + "3691ec44-d762-41b6-93d7-47f183394f43" + ] + }, + { + "id": "vertical_anchor", + "instance": "b762c11c-431b-4f31-ac92-b75a3af826c0", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "87c29a01-aec5-4b31-8d5f-a8e01d4a613d", + "latches": [] + }, + { + "id": "action", + "instance": "aa6263b3-1d83-4824-b7c6-20d233089bbc", + "properties": [ + [ + "name", + "Command and Scripting Interpreter" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0002" + ], + [ + "technique", + "T1059" + ] + ] + ], + [ + "description", + "The attacker used deno.exe to run an obfuscated Base64 payload." + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "67bdab82-9728-4f0a-891a-e2b2e49c9731", + "30": "77c149af-c206-4227-8133-32768f9adf09", + "60": "668e16b3-f8cf-41a9-9ce1-84f55996776d", + "90": "5a488fb7-480f-4e4d-83cd-afc7cb0da02a", + "120": "c792587c-62e0-4328-908b-6e99301ed28b", + "150": "43b6a2d3-6dd1-415c-a2b1-81b3e1d9c671", + "180": "4e656558-dc4c-47b6-bf9b-a15ea3da4976", + "210": "9a22910c-1394-414c-9ce4-4117a5b21db6", + "240": "212bd8b8-76f4-41c9-a4be-1d5d327ccaec", + "270": "7cf87542-1e01-4843-8cba-4ba09bcebbd3", + "300": "4cc2467c-891d-4298-bdf4-be81c3415251", + "330": "9322a30b-56ce-4dcd-8e40-ff0551ad7730" + } + }, + { + "id": "horizontal_anchor", + "instance": "67bdab82-9728-4f0a-891a-e2b2e49c9731", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "77c149af-c206-4227-8133-32768f9adf09", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "668e16b3-f8cf-41a9-9ce1-84f55996776d", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5a488fb7-480f-4e4d-83cd-afc7cb0da02a", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "c792587c-62e0-4328-908b-6e99301ed28b", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "43b6a2d3-6dd1-415c-a2b1-81b3e1d9c671", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "4e656558-dc4c-47b6-bf9b-a15ea3da4976", + "latches": [ + "20588270-98a2-4af0-8f87-d9cbb48eb004" + ] + }, + { + "id": "horizontal_anchor", + "instance": "9a22910c-1394-414c-9ce4-4117a5b21db6", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "212bd8b8-76f4-41c9-a4be-1d5d327ccaec", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "7cf87542-1e01-4843-8cba-4ba09bcebbd3", + "latches": [ + "bf134ca9-ae01-48bf-aec4-e7e2a16b4502" + ] + }, + { + "id": "vertical_anchor", + "instance": "4cc2467c-891d-4298-bdf4-be81c3415251", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "9322a30b-56ce-4dcd-8e40-ff0551ad7730", + "latches": [] + }, + { + "id": "action", + "instance": "bf3e2d9e-c467-466c-8797-5c734764a334", + "properties": [ + [ + "name", + "Encrypted/Encoded File" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0005" + ], + [ + "technique", + "T1027.013" + ] + ] + ], + [ + "description", + "Execute a highly obfuscated, Base64‑encoded payload" + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "21b3f8c2-0be8-49ea-8312-29600a520afd", + "30": "68e290c0-2b2c-4bb1-8bed-f6e1d1b0b954", + "60": "ac9914ec-4731-4af5-a0e7-8c7e95f5d09d", + "90": "f636655e-82eb-4f41-a8b9-b0b0bc9f3ea1", + "120": "9b5bc0a8-e41c-4be2-afa6-d1a89aab45ae", + "150": "8ca8c534-c071-4f33-8032-b7b85f4f8b15", + "180": "9bd3fb7c-be5d-4a03-ae69-03dfc4ff4629", + "210": "5cc7f462-13cf-4a01-8f3a-1d79f05642b3", + "240": "e0d955bd-70fd-4005-909d-e790cb47e48c", + "270": "8b71a92a-2aa5-4473-8e6d-2505a82ab9c1", + "300": "c3f1da05-1238-4408-a2f2-eadc66b98b7d", + "330": "fb6819e4-9fa0-424d-8b4e-b9da7d8a787c" + } + }, + { + "id": "horizontal_anchor", + "instance": "21b3f8c2-0be8-49ea-8312-29600a520afd", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "68e290c0-2b2c-4bb1-8bed-f6e1d1b0b954", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "ac9914ec-4731-4af5-a0e7-8c7e95f5d09d", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "f636655e-82eb-4f41-a8b9-b0b0bc9f3ea1", + "latches": [ + "4bf8be93-a64c-4fff-8d57-12823382d8af" + ] + }, + { + "id": "vertical_anchor", + "instance": "9b5bc0a8-e41c-4be2-afa6-d1a89aab45ae", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "8ca8c534-c071-4f33-8032-b7b85f4f8b15", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "9bd3fb7c-be5d-4a03-ae69-03dfc4ff4629", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "5cc7f462-13cf-4a01-8f3a-1d79f05642b3", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "e0d955bd-70fd-4005-909d-e790cb47e48c", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "8b71a92a-2aa5-4473-8e6d-2505a82ab9c1", + "latches": [ + "0e5d9c51-e049-4490-bffb-6c59c92e8176" + ] + }, + { + "id": "vertical_anchor", + "instance": "c3f1da05-1238-4408-a2f2-eadc66b98b7d", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "fb6819e4-9fa0-424d-8b4e-b9da7d8a787c", + "latches": [] + }, + { + "id": "action", + "instance": "03ad1caf-ab1b-466d-8f04-37d982ef4fcf", + "properties": [ + [ + "name", + "Masquerading" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0005" + ], + [ + "technique", + "T1036" + ] + ] + ], + [ + "description", + "the persistence key was named “Realtek HD Audio Universal Service” to resemble a legitimate component." + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "31cf4ab0-6bdf-4f6c-a0ae-0343d477f2f9", + "30": "a9492db7-2f0e-4517-bc60-26ce5b73efff", + "60": "08bcc436-f969-4d24-afce-9771b97e56ef", + "90": "d69a83a8-2ac6-4507-9a15-b9fab098a65c", + "120": "781d1758-1bec-4781-bf43-fc6f01c12d63", + "150": "19d4383e-c16f-498c-8ac7-6294f8369a22", + "180": "d2b96b3c-2d90-4868-8b2f-55c97e364087", + "210": "ad2a4533-2992-4260-901e-de15d386f9f3", + "240": "5471e567-672c-48cb-981f-15050273fe6a", + "270": "80cf3d24-d845-47d2-9778-c87b5e936771", + "300": "a381f053-01e0-4704-b7a7-b6ab63be629d", + "330": "9d58b05a-1470-4fbb-af0a-65eacdce21f9" + } + }, + { + "id": "horizontal_anchor", + "instance": "31cf4ab0-6bdf-4f6c-a0ae-0343d477f2f9", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "a9492db7-2f0e-4517-bc60-26ce5b73efff", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "08bcc436-f969-4d24-afce-9771b97e56ef", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "d69a83a8-2ac6-4507-9a15-b9fab098a65c", + "latches": [ + "e455a2c3-d88e-4639-b781-633f29499522" + ] + }, + { + "id": "vertical_anchor", + "instance": "781d1758-1bec-4781-bf43-fc6f01c12d63", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "19d4383e-c16f-498c-8ac7-6294f8369a22", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "d2b96b3c-2d90-4868-8b2f-55c97e364087", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ad2a4533-2992-4260-901e-de15d386f9f3", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "5471e567-672c-48cb-981f-15050273fe6a", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "80cf3d24-d845-47d2-9778-c87b5e936771", + "latches": [ + "f4ef5bda-9246-49c7-99f6-3a725a49272e" + ] + }, + { + "id": "vertical_anchor", + "instance": "a381f053-01e0-4704-b7a7-b6ab63be629d", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "9d58b05a-1470-4fbb-af0a-65eacdce21f9", + "latches": [] + }, + { + "id": "action", + "instance": "af0cc956-a31d-4c94-93f9-7c6c33d462e4", + "properties": [ + [ + "name", + "Registry Run Keys / Startup Folder" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0003" + ], + [ + "technique", + "T1547.001" + ] + ] + ], + [ + "description", + "the persistence key was named “Realtek HD Audio Universal Service” to resemble a legitimate component." + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "45e6e079-3c05-4845-af0a-c31ad184cb7c", + "30": "ea799e6f-fea0-4c4e-92d7-6b0fcfb42806", + "60": "355447dd-f370-4233-bc91-cf700ee9896f", + "90": "9b3a753a-6582-45cf-ab9f-8ab121026463", + "120": "10e73f26-274a-4ece-902d-551569a44eab", + "150": "49fa7f88-8f97-4db3-922b-6296f9ced80b", + "180": "b14a1cbe-0f94-4162-bd72-bc4c46606166", + "210": "ca3b76fd-b3cd-4e6f-9ae6-44de446c12ea", + "240": "7d87c62f-ccae-41bc-aa25-60faea7b0aa5", + "270": "341f0a57-d530-4ba3-abf5-a37931892192", + "300": "e885106d-57e7-45e4-9f28-1834520470a2", + "330": "8568c33a-bf4f-4c6b-b5b9-8873fb8bef7b" + } + }, + { + "id": "horizontal_anchor", + "instance": "45e6e079-3c05-4845-af0a-c31ad184cb7c", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ea799e6f-fea0-4c4e-92d7-6b0fcfb42806", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "355447dd-f370-4233-bc91-cf700ee9896f", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "9b3a753a-6582-45cf-ab9f-8ab121026463", + "latches": [ + "09623386-28d2-4c72-971e-4b6256e80c30" + ] + }, + { + "id": "vertical_anchor", + "instance": "10e73f26-274a-4ece-902d-551569a44eab", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "49fa7f88-8f97-4db3-922b-6296f9ced80b", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "b14a1cbe-0f94-4162-bd72-bc4c46606166", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ca3b76fd-b3cd-4e6f-9ae6-44de446c12ea", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "7d87c62f-ccae-41bc-aa25-60faea7b0aa5", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "341f0a57-d530-4ba3-abf5-a37931892192", + "latches": [ + "7d9da83f-9e3e-4d76-a567-5c70ee84320b" + ] + }, + { + "id": "vertical_anchor", + "instance": "e885106d-57e7-45e4-9f28-1834520470a2", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "8568c33a-bf4f-4c6b-b5b9-8873fb8bef7b", + "latches": [] + }, + { + "id": "action", + "instance": "99cc0716-3aff-4451-9fdd-58ca29e45685", + "properties": [ + [ + "name", + "Ingress Tool Transfer" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0011" + ], + [ + "technique", + "T1105" + ] + ] + ], + [ + "description", + "The dropped PowerShell script, tango13.ps1, was responsible for retrieving additional payloads from the following servers," + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "26acd272-fd5a-43e8-ba99-063c52f42b5b", + "30": "b6398ce6-2002-4758-9fec-e97e4de83377", + "60": "e491fb73-cd35-44b4-9305-9d9c7af6907f", + "90": "8691d8cc-94ad-434e-948c-b3a52aa8fb34", + "120": "b3c4203a-1c87-4331-85a6-9aaa1cc2cd1d", + "150": "d75c2061-cd1d-48c4-9b0e-2fdd711cfd0c", + "180": "160351a5-7bd6-4804-bbe6-cf95c6bee865", + "210": "c96a1aff-1e8e-4f3d-afe2-6ee5fad08a22", + "240": "b1784f66-546a-4b61-80e5-332b39b41997", + "270": "db9a88ca-ab4d-4097-b439-9100ec93614d", + "300": "15d47831-2ffe-4657-8cc2-d9b3d93758f3", + "330": "df2e5cd5-9b50-4acb-83be-fac3bad6b722" + } + }, + { + "id": "horizontal_anchor", + "instance": "26acd272-fd5a-43e8-ba99-063c52f42b5b", + "latches": [ + "345f3fe5-d720-40a2-a396-c415c465d22e" + ] + }, + { + "id": "horizontal_anchor", + "instance": "b6398ce6-2002-4758-9fec-e97e4de83377", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "e491fb73-cd35-44b4-9305-9d9c7af6907f", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "8691d8cc-94ad-434e-948c-b3a52aa8fb34", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "b3c4203a-1c87-4331-85a6-9aaa1cc2cd1d", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "d75c2061-cd1d-48c4-9b0e-2fdd711cfd0c", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "160351a5-7bd6-4804-bbe6-cf95c6bee865", + "latches": [ + "f574b7a7-0742-4862-a85d-3bdf0a8b89ad" + ] + }, + { + "id": "horizontal_anchor", + "instance": "c96a1aff-1e8e-4f3d-afe2-6ee5fad08a22", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "b1784f66-546a-4b61-80e5-332b39b41997", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "db9a88ca-ab4d-4097-b439-9100ec93614d", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "15d47831-2ffe-4657-8cc2-d9b3d93758f3", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "df2e5cd5-9b50-4acb-83be-fac3bad6b722", + "latches": [] + }, + { + "id": "action", + "instance": "aac04353-a4fc-4ae8-a7ea-e3d57c7176e6", + "properties": [ + [ + "name", + "Web Protocols" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0011" + ], + [ + "technique", + "T1071.001" + ] + ] + ], + [ + "description", + "Network traffic analysis showed deno.exe issuing GET and POST requests with the user agent Deno/2.6.9, which enabled researchers to identify additional related samples with overlapping timelines in early March 2026.\n\nC2 communications" + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "651673ce-7cb9-4534-b6ff-8f6de0b12b40", + "30": "61c82020-df23-4a43-b9ab-1868c14ca63e", + "60": "caeba415-1993-45d4-8634-17a5b2f451cd", + "90": "52816882-47c0-4ca4-9e4e-dc8fc3cf875c", + "120": "42a26063-84a1-4297-907e-e2ed94742681", + "150": "5b6c3b26-9114-43eb-b165-154342390126", + "180": "ce2f8d7b-fb71-42be-a34f-51fb78f30737", + "210": "7d7bae0f-c72c-4fd8-bba9-f26fcd0dd5e2", + "240": "c3af483a-0a2f-49f9-aafa-1c19fbb7750d", + "270": "0eebf981-cf43-4332-b13d-6e37141be7a9", + "300": "78eccfda-ca12-42f6-b206-f41c91f30308", + "330": "b41c1d74-6c5b-4d74-bc23-529935d0e911" + } + }, + { + "id": "horizontal_anchor", + "instance": "651673ce-7cb9-4534-b6ff-8f6de0b12b40", + "latches": [ + "05324864-f7a2-4410-b9e6-3b683f5c47f5" + ] + }, + { + "id": "horizontal_anchor", + "instance": "61c82020-df23-4a43-b9ab-1868c14ca63e", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "caeba415-1993-45d4-8634-17a5b2f451cd", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "52816882-47c0-4ca4-9e4e-dc8fc3cf875c", + "latches": [ + "594300f3-5f86-49da-98fc-ddc7cfd9daa9" + ] + }, + { + "id": "vertical_anchor", + "instance": "42a26063-84a1-4297-907e-e2ed94742681", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "5b6c3b26-9114-43eb-b165-154342390126", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "ce2f8d7b-fb71-42be-a34f-51fb78f30737", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "7d7bae0f-c72c-4fd8-bba9-f26fcd0dd5e2", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "c3af483a-0a2f-49f9-aafa-1c19fbb7750d", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "0eebf981-cf43-4332-b13d-6e37141be7a9", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "78eccfda-ca12-42f6-b206-f41c91f30308", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "b41c1d74-6c5b-4d74-bc23-529935d0e911", + "latches": [] + }, + { + "id": "action", + "instance": "ecab2c1d-3445-4468-a9fe-15a7e19f1d55", + "properties": [ + [ + "name", + "System Owner/User Discovery" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0007" + ], + [ + "technique", + "T1033" + ] + ] + ], + [ + "description", + "The malware exfiltrated the username" + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "b5b94fed-5452-4f67-b570-8ae0404c30ae", + "30": "afd4df63-71fb-47c1-b3b2-5931d95817ad", + "60": "83f2e649-b135-452a-b4bb-c3627d632377", + "90": "80689c69-cef3-411f-a85c-d095e98e83d0", + "120": "a650ab0a-a04f-4aa8-ae0b-ec30e5a7969c", + "150": "17bbef3a-23ac-425b-98da-c58571efb941", + "180": "2057589e-192f-4055-8f3f-39882ef379a9", + "210": "c5e3ec8e-34b5-48ea-94d3-4a755ebeb86b", + "240": "4250ca72-cdc8-4564-a731-697062d1d820", + "270": "abc07ea3-b3fe-42d3-8c6a-bac9b8f58964", + "300": "f091e430-6151-493e-93c0-b5952dbbdaa1", + "330": "3694f92d-b462-4b6e-9dc6-38e88232d9ab" + } + }, + { + "id": "horizontal_anchor", + "instance": "b5b94fed-5452-4f67-b570-8ae0404c30ae", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "afd4df63-71fb-47c1-b3b2-5931d95817ad", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "83f2e649-b135-452a-b4bb-c3627d632377", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "80689c69-cef3-411f-a85c-d095e98e83d0", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "a650ab0a-a04f-4aa8-ae0b-ec30e5a7969c", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "17bbef3a-23ac-425b-98da-c58571efb941", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "2057589e-192f-4055-8f3f-39882ef379a9", + "latches": [ + "0a53c1a2-a22f-47cc-b5c0-86a4a7c3b174" + ] + }, + { + "id": "horizontal_anchor", + "instance": "c5e3ec8e-34b5-48ea-94d3-4a755ebeb86b", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "4250ca72-cdc8-4564-a731-697062d1d820", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "abc07ea3-b3fe-42d3-8c6a-bac9b8f58964", + "latches": [ + "74737fa4-6de4-4789-a3c9-ca25f88eb586" + ] + }, + { + "id": "vertical_anchor", + "instance": "f091e430-6151-493e-93c0-b5952dbbdaa1", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "3694f92d-b462-4b6e-9dc6-38e88232d9ab", + "latches": [] + }, + { + "id": "action", + "instance": "3f2ff7a4-3e37-4c3c-8385-ac652c6ce340", + "properties": [ + [ + "name", + "System Information Discovery" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0007" + ], + [ + "technique", + "T1082" + ] + ] + ], + [ + "description", + "it also exfiltrated hostname and OS details" + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "6274647e-f5ac-4649-8385-5751458ecb55", + "30": "faee6e9d-be6d-4bac-acc6-1c443267fc4e", + "60": "3b329a87-f25b-4ae8-92b8-a3173b4bf755", + "90": "cae12c64-a06f-4e33-ad74-789e416b20ec", + "120": "837fe1c3-9db6-44a4-af3e-dd2432c6bd5d", + "150": "c3323076-c50c-421a-ac4d-a38e04973990", + "180": "b7e9855f-d8a1-4a3e-a4bf-7659682bf187", + "210": "d007c2b4-421b-48e1-9dfd-d354d12beed0", + "240": "dcf6b454-82be-4acb-84de-950c6aabffd4", + "270": "08330bda-ca56-4aeb-8866-10e81c62056b", + "300": "df3c4585-5e71-4121-b0ff-ca581f6fd9d6", + "330": "5a967b70-3224-4d3c-a14e-d6945ac6a2a8" + } + }, + { + "id": "horizontal_anchor", + "instance": "6274647e-f5ac-4649-8385-5751458ecb55", + "latches": [ + "d4d3607e-8d76-42b5-ad00-19c2106f4948" + ] + }, + { + "id": "horizontal_anchor", + "instance": "faee6e9d-be6d-4bac-acc6-1c443267fc4e", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "3b329a87-f25b-4ae8-92b8-a3173b4bf755", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "cae12c64-a06f-4e33-ad74-789e416b20ec", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "837fe1c3-9db6-44a4-af3e-dd2432c6bd5d", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "c3323076-c50c-421a-ac4d-a38e04973990", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "b7e9855f-d8a1-4a3e-a4bf-7659682bf187", + "latches": [ + "e6e42d00-e3cf-490d-a17e-7d4eab3d051e" + ] + }, + { + "id": "horizontal_anchor", + "instance": "d007c2b4-421b-48e1-9dfd-d354d12beed0", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "dcf6b454-82be-4acb-84de-950c6aabffd4", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "08330bda-ca56-4aeb-8866-10e81c62056b", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "df3c4585-5e71-4121-b0ff-ca581f6fd9d6", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "5a967b70-3224-4d3c-a14e-d6945ac6a2a8", + "latches": [] + }, + { + "id": "action", + "instance": "888ff1a5-cd05-45c2-abf6-491324f32884", + "properties": [ + [ + "name", + "Exfiltration Over C2 Channel" + ], + [ + "ttp", + [ + [ + "tactic", + "TA0010" + ], + [ + "technique", + "T1041" + ] + ] + ], + [ + "description", + "Exfiltrating informations taken " + ], + [ + "confidence", + null + ], + [ + "execution_start", + null + ], + [ + "execution_end", + null + ] + ], + "anchors": { + "0": "4752292e-ee96-4b49-af6c-4482120585b1", + "30": "5b810f04-ec80-4f4a-a576-0d8e96860b71", + "60": "788f5c44-32c7-47d0-9be6-c6cec2c91148", + "90": "d26ee6ca-2ddf-4616-a635-3459185be1d5", + "120": "d6e3f8a0-ae89-4349-857d-9668ced5e04c", + "150": "d15f39de-95c3-4ffc-b4e7-55742f7323c6", + "180": "898cb9e7-d74c-44e5-95af-8e49014b7115", + "210": "c57cb2dc-d282-4b50-878d-ddbb6ac84819", + "240": "c4dcacc4-17b2-4ac1-8af3-baa7ac25a414", + "270": "d0498885-ee53-4fd2-8193-fbef34973dca", + "300": "c67e40f8-9fbe-4d5a-9a51-6329be3685b1", + "330": "c09729a2-cb9c-48de-b12b-7ffe938b75f7" + } + }, + { + "id": "horizontal_anchor", + "instance": "4752292e-ee96-4b49-af6c-4482120585b1", + "latches": [ + "920fc7ee-c67b-4148-aaa5-ac76a7d47846" + ] + }, + { + "id": "horizontal_anchor", + "instance": "5b810f04-ec80-4f4a-a576-0d8e96860b71", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "788f5c44-32c7-47d0-9be6-c6cec2c91148", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "d26ee6ca-2ddf-4616-a635-3459185be1d5", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "d6e3f8a0-ae89-4349-857d-9668ced5e04c", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "d15f39de-95c3-4ffc-b4e7-55742f7323c6", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "898cb9e7-d74c-44e5-95af-8e49014b7115", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "c57cb2dc-d282-4b50-878d-ddbb6ac84819", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "c4dcacc4-17b2-4ac1-8af3-baa7ac25a414", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "d0498885-ee53-4fd2-8193-fbef34973dca", + "latches": [] + }, + { + "id": "vertical_anchor", + "instance": "c67e40f8-9fbe-4d5a-9a51-6329be3685b1", + "latches": [] + }, + { + "id": "horizontal_anchor", + "instance": "c09729a2-cb9c-48de-b12b-7ffe938b75f7", + "latches": [] + } + ], + "layout": { + "9ee9f489-7bd7-426c-a491-faa208f77e4d": [ + -180, + -360 + ], + "734b6c47-2e37-47ab-9911-b2a53c0195c0": [ + -35, + 95 + ], + "bb01c7fe-2f0c-4b4a-9efa-8a36e89b880f": [ + 155, + 375 + ], + "0e92e872-5052-4cfa-9f9f-72cc2ec12815": [ + 230, + -190 + ], + "3fd92e6d-5e20-4e3a-b0b8-9b69c912de93": [ + 525, + 730 + ], + "aa474db1-aee4-47fa-98c5-b63375650b3e": [ + -30, + 815 + ], + "aa6263b3-1d83-4824-b7c6-20d233089bbc": [ + 395, + 1095 + ], + "bf3e2d9e-c467-466c-8797-5c734764a334": [ + 110, + 1445 + ], + "03ad1caf-ab1b-466d-8f04-37d982ef4fcf": [ + 435, + 1800 + ], + "af0cc956-a31d-4c94-93f9-7c6c33d462e4": [ + 210, + 2145 + ], + "99cc0716-3aff-4451-9fdd-58ca29e45685": [ + 860, + 2595 + ], + "aac04353-a4fc-4ae8-a7ea-e3d57c7176e6": [ + 370, + 2585 + ], + "ecab2c1d-3445-4468-a9fe-15a7e19f1d55": [ + 1375, + 2885 + ], + "3f2ff7a4-3e37-4c3c-8385-ac652c6ce340": [ + 930, + 3090 + ], + "888ff1a5-cd05-45c2-abf6-491324f32884": [ + 340, + 3160 + ] + }, + "camera": { + "x": 368, + "y": 2963, + "k": 0.5952753361919485 + } +} \ No newline at end of file diff --git a/killchains/Attack-Flow/Groups-Malware/Seedworm/Basic_exfiltration_via_C2/Seedworm via Microsoft Teams.png b/killchains/Attack-Flow/Groups-Malware/Seedworm/Basic_exfiltration_via_C2/Seedworm via Microsoft Teams.png new file mode 100644 index 0000000..708ae98 Binary files /dev/null and b/killchains/Attack-Flow/Groups-Malware/Seedworm/Basic_exfiltration_via_C2/Seedworm via Microsoft Teams.png differ