General

  • Target

    $sxr-cmd.exe

  • Size

    163KB

  • Sample

    241031-cqrwdaxenl

  • MD5

    ad739cf69f6437ce3d5a59ff684a32d6

  • SHA1

    31629cacc22142d146c10f0147b7cc784c6268ca

  • SHA256

    236e138954c9bce0ccd53f98247728e7c979df19d604a4e6f98f34ddb28fc3de

  • SHA512

    f1c23fc0fd8c275db05e4f75d3c08bec7eed99424218589ce93a673087b670f166247f13b208eed5ac6e553ca98523df0c602034742cd24995779a4905dc0334

  • SSDEEP

    3072:jQpsYu4jPpKh3aKHQijbK1kkRsztZaFFZJPr5Xzn7RPV8PdbbZDXIa1rr:jQpsYu4jPpKhq2Qijck4sztZaPZxrN7I

Malware Config

Targets

    • Target

      $sxr-cmd.exe


    • Suspicious use of NtCreateUserProcessOtherParentProcess

      Creates a process whose recorded parent is a process other than the caller (parent PID spoofing via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute), which defeats detections that key on parent/child process relationships.

    • Indicator Removal: Clear Windows Event Logs (T1070.001)

      Clears Windows event logs to hide the activity of an intrusion.

    • Command and Scripting Interpreter: PowerShell (T1059.001)

      Executes commands through powershell.exe.

    • Drops file in System32 directory

      Writes a file under the Windows System32 directory.

    • Suspicious use of SetThreadContext

      Modifies the execution context of a thread, which is typically used to redirect a suspended thread into injected code (process hollowing or injection).
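
The signatures above describe behaviour that is visible in host telemetry: an event log wipe is recorded by the log service itself (Security 1102, System 104) and usually by a process-creation event for the command that caused it; a PowerShell launch with encoded or hidden-window flags shows up in process-creation events; a file written under System32 by an image that does not live in the Windows directory shows up in file-create events. The script below is an added example, not part of the report or of the sandbox's own detection logic. It runs three such rules over a constructed set of Sysmon-style and Windows-event records (the paths, process IDs and encoded command are assumptions made for the example; only the executable name comes from the report). Parent-PID spoofing and SetThreadContext are not covered here, since neither is reliably visible in Sysmon process or file events and both need kernel or ETW-level telemetry.

```python
import re

# Constructed sample records shaped like Sysmon (EventID 1 = process create,
# 11 = file create) and Windows Security events (1102 = audit log cleared).
# Paths, PIDs and the encoded command are assumptions for this example.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\$sxr-cmd.exe",
     "CommandLine": r'"C:\Users\user\Desktop\$sxr-cmd.exe"'},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 4202,
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "user"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\$sxr-cmd.exe",
     "TargetFilename": r"C:\Windows\System32\example-drop.dll"},
    # Benign noise: a service host writing under System32, and a plain PowerShell run.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "ProcessId": 900,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\x.dat"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

# Commands that clear event logs: wevtutil cl/clear-log, or the PowerShell cmdlets.
LOG_CLEAR_CMD = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\b(?:Clear|Remove)-EventLog\b", re.I)
# PowerShell flags typical of droppers: encoded command, hidden window, no profile.
SUSPICIOUS_PS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden\b|-nop(?:rofile)?\b", re.I)
SYSTEM32 = "c:\\windows\\system32\\"
WINDIR = "c:\\windows\\"


def _sysmon(ev):
    return ev.get("Channel", "").startswith("Microsoft-Windows-Sysmon")


def rule_log_cleared(ev):
    """T1070.001: the wipe itself (Security 1102 / System 104) or the command behind it."""
    if ev.get("Channel") == "Security" and ev["EventID"] == 1102:
        return "Security log cleared (1102)"
    if ev.get("Channel") == "System" and ev["EventID"] == 104:
        return "event log cleared (104)"
    if _sysmon(ev) and ev["EventID"] == 1 and LOG_CLEAR_CMD.search(ev.get("CommandLine", "")):
        return f"log-clearing command: {ev['CommandLine']}"
    return None


def rule_powershell(ev):
    """T1059.001: powershell.exe started with evasion-style flags."""
    if not (_sysmon(ev) and ev["EventID"] == 1):
        return None
    if not ev["Image"].lower().endswith("\\powershell.exe"):
        return None
    if SUSPICIOUS_PS.search(ev.get("CommandLine", "")):
        return f"PowerShell with evasion flags: {ev['CommandLine']}"
    return None


def rule_system32_drop(ev):
    """File created under System32 by an image that does not live under C:\\Windows."""
    if not (_sysmon(ev) and ev["EventID"] == 11):
        return None
    target = ev["TargetFilename"].lower()
    creator = ev["Image"].lower()
    if target.startswith(SYSTEM32) and not creator.startswith(WINDIR):
        return f"{ev['Image']} wrote {ev['TargetFilename']}"
    return None


RULES = [("T1070.001", rule_log_cleared),
         ("T1059.001", rule_powershell),
         ("drop-in-system32", rule_system32_drop)]


def scan(events):
    """Apply every rule to every event; return one finding per (event, rule) hit."""
    findings = []
    for idx, ev in enumerate(events):
        for technique, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"index": idx, "technique": technique, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['technique']}] event #{f['index']}: {f['detail']}")
```

On the constructed records this flags the encoded PowerShell launch, the wevtutil command, the 1102 wipe and the drop into System32, and leaves the svchost write and the plain `Get-Process` run alone. On real data, the 1102/104 events are the durable signal: a sample that clears the Security log after running still leaves the clear event itself behind, and forwarding logs off-host before the wipe is what keeps the earlier events.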

MITRE ATT&CK Enterprise v15

Tasks