{
  "type": "bundle",
  "id": "bundle--911b9119-fe30-4cc0-8bcf-23af1f66bd9b",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.753Z",
  "modified": "2026-06-11T23:57:51.753Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--09f708d8-af6c-4bdd-8b55-5c2a5e8c27ca",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--7c6c1378-ca5d-454a-9901-7a6df8a51922",
      "start_refs": [
        "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499"
      ],
      "name": "Sony Malware",
      "description": "Attack flow on the malware believed to be behind the 2014 Sony breach.",
      "scope": "malware",
      "external_references": [
        {
          "source_name": "ArsTechnica",
          "description": "Article",
          "url": "https://arstechnica.com/information-technology/2014/12/inside-the-wiper-malware-that-brought-sony-pictures-to-its-knees/"
        },
        {
          "source_name": "Trend Micro",
          "description": "Analysis",
          "url": "https://web.archive.org/web/20220120083152/https://www.trendmicro.com/en_us/research/14/l/an-analysis-of-the-destructive-malware-behind-fbi-warnings.html"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--7c6c1378-ca5d-454a-9901-7a6df8a51922",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "name": "Lauren Parker",
      "contact_information": "lparker@mitre.org"
    },
    {
      "type": "attack-action",
      "id": "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "Malware dropper installs on the compromised system through unknown means",
      "effect_refs": [
        "attack-condition--082e47ca-0210-4d07-9558-f1acdaa8c22d"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--082e47ca-0210-4d07-9558-f1acdaa8c22d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Malware contains XOR 0x67 encrypted user names and passwords in the overlay"
    },
    {
      "type": "attack-action",
      "id": "attack-action--9daff210-f031-4171-8b2a-2a7be3b5e1f3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Path Interception by PATH Environment Variable",
      "description": "The malware created a network file share using the %SystemRoot% environment variable (which points to the location of the Windows system files, usually \\WINDOWS)",
      "effect_refs": [
        "attack-condition--bf2abb51-2567-4167-b152-a10f53b7caea"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--bf2abb51-2567-4167-b152-a10f53b7caea",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "The encrypted user names and passwords were used to log into the shared network"
    },
    {
      "type": "attack-action",
      "id": "attack-action--541eab7e-fb3a-4260-af07-6b00a7f43f12",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Privilege Escalation",
      "tactic_id": "TA0004",
      "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
      "description": "The privileges of the newly created network share are elevated to unrestricted access",
      "effect_refs": [
        "attack-condition--72e5f0da-591d-4027-8a3e-d3323156ae26"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d1a40010-d151-4afb-b3f1-318fa53e5f69",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Management Instrumentation",
      "tactic_id": "TA0002",
      "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
      "technique_id": "T1047",
      "technique_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
      "description": "The malware uses WMI to communicate with other computers on the network and move laterally",
      "effect_refs": [
        "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--72e5f0da-591d-4027-8a3e-d3323156ae26",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "contains list of targeted hostnames"
    },
    {
      "type": "attack-action",
      "id": "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Command and Control",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "description": "Communicates externally with a set of IP addresses located in Japan",
      "effect_refs": [
        "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "IIS Components",
      "description": "The dropper installs a file with the same name as Microsoft's Internet Information Server (IIS). The file is actually an internal web server that listens on port 80 and displays scrolling text and a JPEG message to victims",
      "effect_refs": [
        "attack-action--28f1aff8-235d-4f40-8ea2-284b93d3d295"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--52f939cf-f8ae-4538-b5e9-e919d4c41381",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "name": "iissvr.exe",
      "description": "listens on port 80",
      "infrastructure_types": [
        "staging"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--28f1aff8-235d-4f40-8ea2-284b93d3d295",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Ingress Tool Transfer",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1105",
      "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
      "description": "malware drops additional malware called igfxtrayex.exe",
      "effect_refs": [
        "attack-action--a9727af2-a940-4904-bbd0-eb4a5fe842b6"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--a9727af2-a940-4904-bbd0-eb4a5fe842b6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Taint Shared Content",
      "tactic_id": "TA0008",
      "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e",
      "technique_id": "T1080",
      "technique_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
      "description": "igfxtrayex.exe makes 4 copies of itself on the compromised system",
      "effect_refs": [
        "attack-action--7a6223a9-9b69-451e-86cc-bbb5e33bb7df"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--7a6223a9-9b69-451e-86cc-bbb5e33bb7df",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Time Based Evasion",
      "description": "igfxtrayex.exe causes the system to sleep for 10 minutes",
      "effect_refs": [
        "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Command Shell",
      "description": "igfxtrayex.exe uses command line to launch each copy of itself to trigger different parts of its code",
      "effect_refs": [
        "attack-action--7c5dec3b-9e26-480c-839b-674df94a44d6",
        "attack-action--62d37dcf-cbe8-4374-a3f3-3fedb6fe750c",
        "attack-action--275e1018-3696-463d-a716-e8869c780f96"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--7c5dec3b-9e26-480c-839b-674df94a44d6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Service Stop",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1489",
      "technique_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
      "description": "igfxtrayex.exe shuts down Microsoft Exchange Information Store service and makes email inaccessible",
      "effect_refs": [
        "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--62d37dcf-cbe8-4374-a3f3-3fedb6fe750c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Dismounts",
      "description": "dismounts Exchange's databases",
      "effect_refs": [
        "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--275e1018-3696-463d-a716-e8869c780f96",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Destruction",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1485",
      "technique_ref": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
      "description": "deletes files in all fixed or remote (network) drives",
      "effect_refs": [
        "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5"
      ],
      "command_ref": "process--0a812bc9-4255-4a44-9aa0-35f7164c06d6"
    },
    {
      "type": "attack-action",
      "id": "attack-action--eeb763dd-bd44-4b43-a596-a376bc6cbe42",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Encoding",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "technique_id": "T1132",
      "technique_ref": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
      "description": "3 hard-coded IP addresses (Italy, Poland, and Thailand) for C2 communication",
      "effect_refs": [
        "attack-action--40704e16-74cc-400c-90a1-d7a2ad846ff7"
      ]
    },
    {
      "type": "tool",
      "id": "tool--c67a1904-b692-409f-8385-8818be1ab05d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "name": "taskhost{random 2 characters}.exe",
      "description": "Drops and executes the component Windows\\iissvr.exe",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "tool",
      "id": "tool--33a90534-9263-4173-b7a2-1b7aaf236102",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "name": "taskhost{random 2 characters}.exe",
      "description": "Drops and executes Windows\\Temp\\usbdrv32.sys",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "name": "Hard-coded IPs",
      "description": "hard-coded IPs to the C2 network",
      "infrastructure_types": [
        "command-and-control"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--eeb763dd-bd44-4b43-a596-a376bc6cbe42"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--40704e16-74cc-400c-90a1-d7a2ad846ff7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Disk Content Wipe",
      "description": "Malware wipes a computer's hard drive by sector",
      "effect_refs": [
        "attack-condition--5d22574a-047e-4587-a0c1-ddc4e1af9b5a"
      ]
    },
    {
      "type": "tool",
      "id": "tool--1d1d48c6-ed66-4e8b-a205-d9ba1f2fa994",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "name": "EldoS",
      "description": "Commercial disk driver that allows changes to a hard drive while in user mode. The attackers used this tool to make physical changes to the computer's hard drive.",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--5d22574a-047e-4587-a0c1-ddc4e1af9b5a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.753Z",
      "modified": "2026-06-11T23:57:51.753Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Hard drive successfully wiped"
    },
    {
      "type": "attack-action",
      "id": "attack-action--8ee0bfdb-758c-4b1c-9163-52247b423516",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Defense Evasion",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "description": "Malware causes the computer to sleep for 2 hours.",
      "effect_refs": [
        "attack-action--b72654fd-379d-414c-a956-4eaec2163dfd"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b72654fd-379d-414c-a956-4eaec2163dfd",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "System Shutdown/Reboot",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1529",
      "technique_ref": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc",
      "description": "Malware reboots computer",
      "effect_refs": [
        "attack-action--d976d733-9035-494f-8c2c-a36e5857a00a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d976d733-9035-494f-8c2c-a36e5857a00a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Internal Defacement",
      "description": "Malware displays a wallpaper on the computer background stating that the computer was hacked"
    },
    {
      "type": "note",
      "id": "note--fb7ecf9c-cf0a-47ee-ac6e-c90336753c57",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "content": "There is low confidence that this attack could be attributed to North Korea.",
      "object_refs": [
        "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499"
      ]
    },
    {
      "type": "malware",
      "id": "malware--34c290cd-3098-4255-8f83-e89ca71465c1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "name": "diskpartmg16.exe",
      "description": "main installer",
      "malware_types": [
        "dropper"
      ],
      "is_family": false,
      "capabilities": [
        "escalates-privileges",
        "installs-other-components"
      ]
    },
    {
      "type": "directory",
      "id": "directory--3699ee5a-049b-439b-8a45-9c53da00c840",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "path": "\\WINDOWS"
    },
    {
      "type": "tool",
      "id": "tool--54cc0e87-a359-4491-a57a-15cbf1ec7baa",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "name": "WMI",
      "tool_types": [
        "exploitation"
      ]
    },
    {
      "type": "location",
      "id": "location--8b2fbd53-9a99-41b1-bd71-8a380785208c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "description": "location of IP addresses",
      "country": "Japan"
    },
    {
      "type": "note",
      "id": "note--765049d9-277e-465d-8854-ca7e408ea604",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "content": "It is unknown whether these IPs are associated with C2 activity.",
      "object_refs": [
        "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95"
      ]
    },
    {
      "type": "note",
      "id": "note--49b2d941-2240-4342-a206-e669447d28e8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "content": "File displays text and JPEG about deleted files",
      "object_refs": [
        "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a"
      ]
    },
    {
      "type": "malware",
      "id": "malware--f5a087a8-f276-4604-9ff4-0546bb9b245e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "name": "igfxtrayex.exe",
      "malware_types": [
        "dropper",
        "trojan"
      ],
      "is_family": false,
      "capabilities": [
        "communicates-with-c2",
        "infects-files",
        "prevents-artifact-access",
        "compromises-system-availability"
      ]
    },
    {
      "type": "note",
      "id": "note--9a87e9ac-7580-4c98-86b8-fdd0346ce32f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "content": "It is unconfirmed if this action was used as a defense evasion technique",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "attack-action--7a6223a9-9b69-451e-86cc-bbb5e33bb7df"
      ]
    },
    {
      "type": "process",
      "id": "process--9332f5ea-fad9-4825-a61d-e6eaf1ee496a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "command_line": "taskhost{random 2 characters}.exe -m"
    },
    {
      "type": "process",
      "id": "process--4888bed9-6849-477c-8a15-d8ef5d2dfdf2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "command_line": "taskhost{random 2 characters}.exe -w"
    },
    {
      "type": "process",
      "id": "process--0a812bc9-4255-4a44-9aa0-35f7164c06d6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "command_line": "taskhost{random 2 characters}.exe -d"
    },
    {
      "type": "location",
      "id": "location--af3557ed-c356-4e4c-b0a7-b96e5023eb4d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "description": "IP in Italy that recently belonged to a HideMyAss VPN exit point",
      "country": "Italy"
    },
    {
      "type": "location",
      "id": "location--24065374-2f62-4d40-9e3b-607d7c0ef578",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "description": "IP in Poland that belonged to a Polish import-export business",
      "country": "Poland"
    },
    {
      "type": "location",
      "id": "location--4c9f8ffc-8b24-4452-a1e3-b8a5c4961f6e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "description": "IP in Thailand belonging to a university",
      "country": "Thailand"
    },
    {
      "type": "note",
      "id": "note--b0282493-e475-416b-8aca-2a15859ef10e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "content": "It is not confirmed that this is used as a defense evasion technique",
      "authors": [
        "Lauren Parker"
      ],
      "object_refs": [
        "attack-action--8ee0bfdb-758c-4b1c-9163-52247b423516"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--8cd8aa10-425c-4055-a5b9-2838f438d7d4",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499",
      "target_ref": "malware--34c290cd-3098-4255-8f83-e89ca71465c1"
    },
    {
      "type": "relationship",
      "id": "relationship--7363b9ea-ea11-4da1-a456-8f6228d01bc2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--082e47ca-0210-4d07-9558-f1acdaa8c22d",
      "target_ref": "attack-action--9daff210-f031-4171-8b2a-2a7be3b5e1f3"
    },
    {
      "type": "relationship",
      "id": "relationship--af3bbb57-48ac-4bcf-9cf0-733f12c08126",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--9daff210-f031-4171-8b2a-2a7be3b5e1f3",
      "target_ref": "directory--3699ee5a-049b-439b-8a45-9c53da00c840"
    },
    {
      "type": "relationship",
      "id": "relationship--59454880-071c-4333-aa07-9de305c55fa0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--bf2abb51-2567-4167-b152-a10f53b7caea",
      "target_ref": "attack-action--541eab7e-fb3a-4260-af07-6b00a7f43f12"
    },
    {
      "type": "relationship",
      "id": "relationship--574d9791-2c75-4693-b6c8-9fde5b2f1209",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--d1a40010-d151-4afb-b3f1-318fa53e5f69",
      "target_ref": "tool--54cc0e87-a359-4491-a57a-15cbf1ec7baa"
    },
    {
      "type": "relationship",
      "id": "relationship--ecde3b65-a089-429a-bc84-eae0ab2243a2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--72e5f0da-591d-4027-8a3e-d3323156ae26",
      "target_ref": "attack-action--d1a40010-d151-4afb-b3f1-318fa53e5f69"
    },
    {
      "type": "relationship",
      "id": "relationship--b170aedc-8a76-4420-9b52-6dcc84461811",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95",
      "target_ref": "location--8b2fbd53-9a99-41b1-bd71-8a380785208c"
    },
    {
      "type": "relationship",
      "id": "relationship--e5bcdbdf-c448-4a6a-a3b7-1bd153f249cb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a",
      "target_ref": "infrastructure--52f939cf-f8ae-4538-b5e9-e919d4c41381"
    },
    {
      "type": "relationship",
      "id": "relationship--595f7595-1715-4926-a2b7-92d00ebf1f21",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--28f1aff8-235d-4f40-8ea2-284b93d3d295",
      "target_ref": "malware--f5a087a8-f276-4604-9ff4-0546bb9b245e"
    },
    {
      "type": "relationship",
      "id": "relationship--f0f57faf-2192-4570-b39c-2c0927e9a561",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983",
      "target_ref": "tool--33a90534-9263-4173-b7a2-1b7aaf236102"
    },
    {
      "type": "relationship",
      "id": "relationship--5db28151-370a-4d68-9c92-ec384b0dda8b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983",
      "target_ref": "tool--c67a1904-b692-409f-8385-8818be1ab05d"
    },
    {
      "type": "relationship",
      "id": "relationship--26521164-602c-49d2-9c45-3e79f0e01fd6",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--eeb763dd-bd44-4b43-a596-a376bc6cbe42",
      "target_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d"
    },
    {
      "type": "relationship",
      "id": "relationship--27a7eb95-8348-4eb5-997d-df4ebc25d259",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "tool--c67a1904-b692-409f-8385-8818be1ab05d",
      "target_ref": "process--4888bed9-6849-477c-8a15-d8ef5d2dfdf2"
    },
    {
      "type": "relationship",
      "id": "relationship--cb6b22bf-5499-4ff4-b3a6-8e2e5b009b97",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "tool--33a90534-9263-4173-b7a2-1b7aaf236102",
      "target_ref": "process--9332f5ea-fad9-4825-a61d-e6eaf1ee496a"
    },
    {
      "type": "relationship",
      "id": "relationship--76463ca6-d497-41df-85a9-6329a031479d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d",
      "target_ref": "location--4c9f8ffc-8b24-4452-a1e3-b8a5c4961f6e"
    },
    {
      "type": "relationship",
      "id": "relationship--dce3aec9-444f-483b-bf77-5f5100df0259",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d",
      "target_ref": "location--24065374-2f62-4d40-9e3b-607d7c0ef578"
    },
    {
      "type": "relationship",
      "id": "relationship--6930a51a-b635-4e3d-a677-443b645b1214",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d",
      "target_ref": "location--af3557ed-c356-4e4c-b0a7-b96e5023eb4d"
    },
    {
      "type": "relationship",
      "id": "relationship--797fdeff-e864-4e2c-9a48-23d718553c72",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--40704e16-74cc-400c-90a1-d7a2ad846ff7",
      "target_ref": "tool--1d1d48c6-ed66-4e8b-a205-d9ba1f2fa994"
    },
    {
      "type": "relationship",
      "id": "relationship--a9ba9144-8d90-49e4-9d76-a8c0465603fb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.754Z",
      "modified": "2026-06-11T23:57:51.754Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--5d22574a-047e-4587-a0c1-ddc4e1af9b5a",
      "target_ref": "attack-action--8ee0bfdb-758c-4b1c-9163-52247b423516"
    }
  ]
}