Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

DSDDDD.exe

windows7-x64

10

DSDDDD.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2025, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DSDDDD.exe

  • Size

    69KB

  • MD5

    fa699362343846cc0cef79e11c156718

  • SHA1

    9dc34285424c208a76d7324d76f1643c398d10f5

  • SHA256

    ca847cd0a27fd89fc04c1a7972b9d1dcfcf9e9a7be35b21c2d36b4c9f0195bea

  • SHA512

    56355dfa64fab11bb8d39a73a81217672cbb7a3b408897bdade6b6438ca556ff20f8e0147dcda8d408ddd6c636335d995b2ff129134766eb62ba29c947f242ae

  • SSDEEP

    1536:ML9bRckOzKJXx/FG+Lg+i7Rjazb5C3ECm6ME+dOcGdFfgIl:k/cextGeSjazb5ohUtdOhpVl

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

support-effectiveness.gl.at.ply.gg:49376

Attributes
  • Install_directory

    %AppData%

  • install_file

    fortnite.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DSDDDD.exe
    "C:\Users\Admin\AppData\Local\Temp\DSDDDD.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DSDDDD.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DSDDDD.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DSDDDD.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFDB.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEFDB.tmp.bat
    Filesize

    158B

    MD5

    c1d93620e41ade5cdba77a2bed2eb1f0

    SHA1

    b10d89f62f4942ba18dc831c3b49bcb35e9cb0b5

    SHA256

    eb2ca9e3899be0f1d2a6b4bc0096db8301a838147bd24b2a40ea4026c9c66fbe

    SHA512

    3ddb45346c2e36bc6fba26f27027c4a5228a0adc34452f99e2c0d908b30a8afd195dad5bc6df26bace3412d3f2e507dedfa4d48e39c8a65d27ceb6b4f0f56c9a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    2b259fadbbbf01a39fa16fef5389ca3f

    SHA1

    167db6deb49d1c989cd5ee1889346012ec30d6e4

    SHA256

    8af588a8f33302b50d19cbfdf4a6c2b36f71ccd58d7592f660256703ae03a03e

    SHA512

    0bd62f88423e9a4cf6274b0208477ac6088881aceb2d504c728c139e5192628a7213958d797c8cd41143492b281ae5b111f26141ca898b3b492fc57d5b7578a1

    Download Submit

  • memory/2292-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-1-0x0000000001090000-0x00000000010A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2292-27-0x000000001B0C0000-0x000000001B140000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2292-28-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-29-0x000000001B0C0000-0x000000001B140000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2516-15-0x0000000002390000-0x0000000002398000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2860-6-0x0000000002A90000-0x0000000002B10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2860-7-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2860-8-0x0000000001F50000-0x0000000001F58000-memory.dmp

    Filesize

    32KB

    Download