Extracted

• • Target

    NeverLoseByOxy.exe

  • Size

    5.7MB

  • MD5

    24f6e0f1cd42246f176a505f8d7d1c4d

  • SHA1

    5160c3f78672b86970135261941e2ad003d44ba1

  • SHA256

    b5cce9b75d7d336fc8d3ebe678af0a9b25ade673964c86a5527df736fdd3ec84

  • SHA512

    77b48b6652526f4d8a571eaaf539181385c8b3ada0e974caf5c4949fa289c46694bab0e8b0e91048d76be87fe0003ea98bc605f560792df7fefde1465ab7da85

  • SSDEEP

    98304:whhqDOlIP2BtJIx4hpebqKbhAUDdROejIAV/PCqa5oRJ0XkKPdKH10msJ:whhqaIMg6wqKbyUDdROCIAV/PCkIkKFn

  Score

  10^/10

  xmrigxwormdiscoveryevasionexecutionminerpersistencerattrojanupxdefense_evasion

  • Detect Xworm Payload

  • Modifies WinLogon for persistence

    persistence

  • Xmrig family

    xmrig

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Stops running service(s)

    evasionexecution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2behavioral3