Overview

overview

10

Static

static

3

NetCat Loader.exe

windows10-ltsc 2021-x64

NetCat Loader.exe

windows10-2004-x64

NetCat Loader.exe

windows10-ltsc 2021-x64

NetCat Loader.exe

windows11-21h2-x64

Analysis

  • max time kernel
    105s
  • max time network
    109s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    24-01-2025 21:43

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    NetCat Loader.exe

  • Size

    76KB

  • MD5

    1a56b39b62cff3bf7a75a708f6a11762

  • SHA1

    180d91a57ebb95a81bfaa394bca35c123efa916e

  • SHA256

    ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a

  • SHA512

    b86dfa4287e283fd7e734cc3897589c2bb6b98e35f1c82a6ab50f271baf8a9748a125a6c04425ccdf93566ddacb453290a9a63e5fc0d2797b70fb70b6dac03fb

  • SSDEEP

    1536:JqDtM7DwroXh9bSQ6/jyrV9nmRWnXzWb6Alyj:EwblSlryrV9nmwPeyj

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

194.59.31.87:1111

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:680
      • C:\Windows\SYSTEM32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5748
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
      2⤵
        PID:4180
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1916 -prefsLen 27153 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68695f63-f8fc-469d-82c0-c58790ca6ea7} 808 "\\.\pipe\gecko-crash-server-pipe.808" gpu
          3⤵
            PID:1092
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 27031 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {085e0cbc-6a61-447f-b361-64400842f452} 808 "\\.\pipe\gecko-crash-server-pipe.808" socket
            3⤵
              PID:1996
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3260 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c8b680f-a473-4ab4-8fb1-2268c917b91f} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab
              3⤵
                PID:440
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 32405 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b1185d4-f3ea-4a34-8a3b-a01e06c8bc7f} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab
                3⤵
                  PID:3700
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4876 -prefsLen 32405 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {091a79b6-bb63-4e88-9aad-e5521b18b44b} 808 "\\.\pipe\gecko-crash-server-pipe.808" utility
                  3⤵
                  • Checks processor information in registry
                  PID:5124
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {662af556-ef98-4963-bf0d-cdc984587e5a} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab
                  3⤵
                    PID:5468
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5292 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cab6a1b3-6678-4778-8d74-27dfdb83a278} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab
                    3⤵
                      PID:5540
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 5 -isForBrowser -prefsHandle 5420 -prefMapHandle 5520 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b58c06b-552d-4f1d-a710-5fe730fefaba} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab
                      3⤵
                        PID:5572
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6200 -childID 6 -isForBrowser -prefsHandle 6188 -prefMapHandle 6156 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67ee5e9b-413d-4555-9fce-4d595f33a56c} 808 "\\.\pipe\gecko-crash-server-pipe.808" tab
                        3⤵
                          PID:4772
                    • C:\Windows\system32\LogonUI.exe
                      "LogonUI.exe" /flags:0x4 /state0:0xa3a2b055 /state1:0x41c64e6d
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:5832

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      3KB

                      MD5

                      3eb3833f769dd890afc295b977eab4b4

                      SHA1

                      e857649b037939602c72ad003e5d3698695f436f

                      SHA256

                      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                      SHA512

                      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      60b3262c3163ee3d466199160b9ed07d

                      SHA1

                      994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

                      SHA256

                      e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

                      SHA512

                      081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\activity-stream.discovery_stream.json
                      Filesize

                      22KB

                      MD5

                      3a49b0cd64920c50bef3b9e2f4e2f14c

                      SHA1

                      12ae4cbfcd7b4322e00a2221517c3c83817a1f38

                      SHA256

                      cae1b02f574c102535b9df466ce3ce1ee58a8d324bde338ded84b8e08cd6403b

                      SHA512

                      9d44f4673a7d05da48ebeef686370be23f1afda7b84e96e1aa2a045a83ad76fa6cdcb079156f77fed47a2e247ce2d78037cad4cf9f4f1bcdbe7c828941027591

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cj1ls2h0.133.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\AlternateServices.bin
                      Filesize

                      6KB

                      MD5

                      bf4fff9552431a2c367dce86676f2d90

                      SHA1

                      04b123a97d61252349b85987f2485dcc48afed38

                      SHA256

                      8ac0724d32cb0bccaeb2a250b0b44ab9141e67b984f45b12dd691b0d0bfeb39d

                      SHA512

                      0c2612d5c82efea6274f88036cce6c915dc052844e13e3318c00226c9bccb29c1c95459ccbe70e1fef21f0f7afe1bf1fa54ea1e2dd84fb48a0dc9c77f4d90aad

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      53b464d6164b35129a550a1e0ea90ace

                      SHA1

                      2be2cb4e2008f2800fdf9d7c26d8e07ffc68425f

                      SHA256

                      921bcb1614e802a3f9e61ed160efb68cdbffd5ba59b7b1d133ca759ea43218bd

                      SHA512

                      b122719bbb686a0fa0192bdb0701e49b4236c17c5e81f026393dee9a4dc7febfc339dafa2f1b49c36666ce2b0d7b01b61e936e759a608b2c3cbf7de9627c4864

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      4d6687fca645d3aaa974fcfecadc8c1a

                      SHA1

                      7ece481f115007f0bdbed87eed4bfc0efe700336

                      SHA256

                      a849b686cdb792a54d040a234a701d4b6b8f893d0bc836d0f7990ec3b303714a

                      SHA512

                      5226d8186e4b5fe4161ae3399cae718c99c407b41240a2dfad3518feba189fa717cfaa75811ce1a4c0c48083c451ae776b88b255986596ab2d4d06e114e91a2c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      c7eba02901a45104ed3e7b20f118bb2b

                      SHA1

                      8c27913dbfe2f8452c54dc4a48850260eedb7bf4

                      SHA256

                      5fae4c5fbebaeabb75be681e723cf15a97e79c5eb43d7c1d902c566f9a21a53e

                      SHA512

                      4a0e9855c006922784d2434a3ccca022599509e3f50f305e86765861f40ef360846d7b9f5338fdb0fc385001f8d5c9c4653fdd62c67545a777d79e4cce012b13

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\datareporting\glean\pending_pings\5a5164d9-a8fb-41ce-bf8d-1ac2fabaa068
                      Filesize

                      982B

                      MD5

                      0af3d643b0c0314e290cf7d5b6f729e2

                      SHA1

                      c1c5be38773f8bb7a859ce6febb0ea32234eb394

                      SHA256

                      202698581dfdf6b4f1c83d3bb7a472ba954d9c61177c43c648e2f0484360ce83

                      SHA512

                      9ccfd3cee75347cd87d720da106192f88c07b2abb0f5503a115815b989725ba68323513844b4ff8d6221dfdb1058cf69447d9287d51d3132561b53eb45d5f3da

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\datareporting\glean\pending_pings\5bc36968-668c-461a-82d4-3ff6eeb8395e
                      Filesize

                      671B

                      MD5

                      216a94b8eb365784567dcdd56f6a18f9

                      SHA1

                      f3bd79686c9f35c5b4c04239f3a69015dbb596e8

                      SHA256

                      8f89b68fd917e2994842dac7828ddc88efdabb92f8b431f368501a89624f8c62

                      SHA512

                      22f939cb425fa8f9b61387effe590c1189821446d5147694b579147c70a36400dfbf58b2516b6c7ec7a02cd36d0a1f8b44068d42cbcbf8c4cc8d408527826358

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\datareporting\glean\pending_pings\5ef24607-a25a-44a2-a061-21976640dfb3
                      Filesize

                      24KB

                      MD5

                      59609a10a75121ee730296034724637e

                      SHA1

                      3d3664848a60b285430a66d065b21c64df9f4193

                      SHA256

                      f9e448e015ef69d611d8134de886ae204ed2e513b52b62903aa4bf9a1ab7862e

                      SHA512

                      4222c42ac5255d5985d3d4bde5ac7e99b163929d89bae168f4684afd81e9636881cb2a67f87e8f97ad0265dada07ee750978e60928a9d345971c4e4c6a5d2158

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\prefs.js
                      Filesize

                      9KB

                      MD5

                      d2145b0bfb8b785e997f8374b969be1e

                      SHA1

                      158791498ac7eb6e6eaadb946793bd346a2c9846

                      SHA256

                      9d7fb8d370e2bc1318ef952a9a607a4148f62659690977fdb2dc3726e57ff63c

                      SHA512

                      95c84a49e5ca0f45a4d75560ccc6513a636ee917f1e654875643a26e49c5fb52caf71d95743daeefe7eeb33c6a7d85e5d32d313fabe618473bbba1ca16a28794

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\prefs.js
                      Filesize

                      9KB

                      MD5

                      25ad4a783fce947d85c10d8e7300b138

                      SHA1

                      87fe0993a75f7abe16cd933e161f6c7d0671b5b5

                      SHA256

                      ba26dbc605e711d390c39a5cd349bb64445e92927ddbac8f6fece0f02b2760b6

                      SHA512

                      2eb295fc1f45be9bd5c04f31f9bc63d0c3b1e7bef5d1fb64c127ef9dec684da90be5394dbfb7ccc4403ff380164872c17f0b8e42fb17677993a55dbf3d9cae25

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1zjbj2oz.default-release\sessionstore-backups\recovery.baklz4
                      Filesize

                      1KB

                      MD5

                      5da0128fbc3ceefa722a5f2f5c56f640

                      SHA1

                      04c8a20d8b907753c06aae7eaff4a6d2afff61ce

                      SHA256

                      5d9ffc923d1aa554eba1b160de268008fe38d21d502031b98b43cb674061e902

                      SHA512

                      38fa555129079cdba17099964c47cc3aae404febc2952bb471f1bed30642b4ca2eda55c82b73432e6c4de8a61104909067cd00d52a41e8afd3746c2551d97d80

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\System32.exe
                      Filesize

                      63KB

                      MD5

                      66bbe5829a613fedad7f79e2c6273448

                      SHA1

                      57314396a65e08b7bfc5f0b8cdfa9a050579d9d9

                      SHA256

                      72499a032c26ef7031b942590e4dd2e28d60b332620c7d2dc42bc4b70995e0dd

                      SHA512

                      9b0ea0bb6a4a6ae75c6463f2bc3b5bd012a40a89f491868979230b850b948240b40326c703211edd349911e97a218bf77d01d06f254c33d83939c21a152efae3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
                      Filesize

                      57B

                      MD5

                      f9cfd0c4da0a9a068f8a26ee31c85036

                      SHA1

                      ea75b71cfdf7364eacfafcaac0421f9c80a2b4e5

                      SHA256

                      e52f33ee65ceb7e5fe9cd47744888c089c37ba7dbadeaf345e75b5cadd43ee2d

                      SHA512

                      f81823ed92d8f5aa299d0164f59fb77a3af4c6a9ca5a98e0d4b33104ec7f15ef19037d4bb4f3b2c8c1ca156bac2253f5052eb801468db73d71a67b10405e4b51

                      Download Submit

                    • memory/420-35-0x00000193DBDF0000-0x00000193DBE12000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1384-0-0x00007FFAEE133000-0x00007FFAEE135000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1384-1-0x0000000000690000-0x00000000006AA000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/4576-25-0x00007FFAEE130000-0x00007FFAEEBF2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4576-51-0x000000001DF60000-0x000000001DF6C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/4576-50-0x00007FFAEE130000-0x00007FFAEEBF2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4576-24-0x00007FFAEE130000-0x00007FFAEEBF2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4576-21-0x0000000000010000-0x0000000000026000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/4576-470-0x00007FFAEE130000-0x00007FFAEEBF2000-memory.dmp

                      Filesize

                      10.8MB

                      Download