xworm | ca847cd0a27fd89fc04c1a7972b9d1dcfcf9e9a7be35b21c2d36b4c9f0195bea | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

DSDDDD.exe

windows11-21h2-x64

Sharing

General

Target

DSDDDD.exe
Size

69KB
Sample

250308-xt41bs1vdy
MD5

fa699362343846cc0cef79e11c156718
SHA1

9dc34285424c208a76d7324d76f1643c398d10f5
SHA256

ca847cd0a27fd89fc04c1a7972b9d1dcfcf9e9a7be35b21c2d36b4c9f0195bea
SHA512

56355dfa64fab11bb8d39a73a81217672cbb7a3b408897bdade6b6438ca556ff20f8e0147dcda8d408ddd6c636335d995b2ff129134766eb62ba29c947f242ae
SSDEEP

1536:ML9bRckOzKJXx/FG+Lg+i7Rjazb5C3ECm6ME+dOcGdFfgIl:k/cextGeSjazb5ohUtdOhpVl

Score

10^/10

xworm execution persistence ransomware rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

DSDDDD.exe

Resource

win11-20250218-en

xworm execution persistence ransomware rat trojan

windows11-21h2-x64

18 signatures

900 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

support-effectiveness.gl.at.ply.gg:49376

Attributes

Install_directory
%AppData%
install_file
fortnite.exe

Targets

- Target
  
  DSDDDD.exe
- Size
  
  69KB
- MD5
  
  fa699362343846cc0cef79e11c156718
- SHA1
  
  9dc34285424c208a76d7324d76f1643c398d10f5
- SHA256
  
  ca847cd0a27fd89fc04c1a7972b9d1dcfcf9e9a7be35b21c2d36b4c9f0195bea
- SHA512
  
  56355dfa64fab11bb8d39a73a81217672cbb7a3b408897bdade6b6438ca556ff20f8e0147dcda8d408ddd6c636335d995b2ff129134766eb62ba29c947f242ae
- SSDEEP
  
  1536:ML9bRckOzKJXx/FG+Lg+i7Rjazb5C3ECm6ME+dOcGdFfgIl:k/cextGeSjazb5ohUtdOhpVl
Score

10^/10

xworm execution persistence ransomware rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xwormexecutionpersistenceransomwarerattrojan

© 2018-2025

Terms | Privacy