xred | 845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

Analysis

max time kernel
141s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccmsetup.exe
Size

4.6MB
MD5

823444545911fd17e953437b7c712f2f
SHA1

6d1c0b1c3caade86c13196a0763538d0ee29322e
SHA256

845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d
SHA512

51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b
SSDEEP

49152:gnsHyjtk2MYC5GDfmrE906DDnrvpjFGO+LFPPYK6Ii1+0UfWUWveO1b9Uqi1dP8B:gnsmtk2aWmrE906DDnjpREFgBIi9/

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 4 IoCs

pid	Process
2840	._cache_ccmsetup.exe
2916	Synaptics.exe
2980	._cache_Synaptics.exe
2456	._cache_Synaptics.exe

Loads dropped DLL 17 IoCs

pid	Process
2216	ccmsetup.exe
2840	._cache_ccmsetup.exe
2840	._cache_ccmsetup.exe
2840	._cache_ccmsetup.exe
2216	ccmsetup.exe
2216	ccmsetup.exe
2916	Synaptics.exe
2916	Synaptics.exe
2916	Synaptics.exe
2916	Synaptics.exe
2916	Synaptics.exe
2980	._cache_Synaptics.exe
2980	._cache_Synaptics.exe
2980	._cache_Synaptics.exe
2456	._cache_Synaptics.exe
2456	._cache_Synaptics.exe
2456	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ccmsetup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ccmsetup\._cache_Synaptics.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_ccmsetup.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_ccmsetup.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_Synaptics.exe
File opened for modification	C:\Windows\ccmsetup\._cache_Synaptics.exe.download	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\._cache_Synaptics.exe.download	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccmsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ccmsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2356	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2356	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2840	2216	ccmsetup.exe	30
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2216 wrote to memory of 2916	2216	ccmsetup.exe	32
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2980	2916	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\ccmsetup.exe
"C:\Users\Admin\AppData\Local\Temp\ccmsetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\._cache_ccmsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ccmsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2980

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\ccmsetup\._cache_Synaptics.exe
"C:\Windows\ccmsetup\._cache_Synaptics.exe" /runservice INJUPDATE="InjUpdate"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
823444545911fd17e953437b7c712f2f

SHA1
6d1c0b1c3caade86c13196a0763538d0ee29322e

SHA256
845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

SHA512
51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
27KB

MD5
dc51a080fac44d33389cfdf09e8e4840

SHA1
88760375fcddab53350e9df0a3b3db08dc5088c8

SHA256
c6a2d928ef98fbd94b0e82f840c748d3987ac4c767f2df3b2c2be5d223e27de6

SHA512
49d4bd419dc3338ba16c812ca0c8299afd9a3a5df7558b1944184967c3aeda2a6a1428e44944bd760ade8691fbb04dee64a783d16526977585c3b4708196c351

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
26KB

MD5
9c0cf8d60713b08e138be2f9ca3cc395

SHA1
90a22f15fe6da3f7d1ce930c433217f9638e7fce

SHA256
4e27147f13e96bd9284939e27510682dab8e33d44b958d87285e275d563fb771

SHA512
10b2410dc4831a5ffa5f125c38b3e859bf601bcaede2bcb2527ed96d85e4df3a91e1506d9543b9befd4cf52c884a7c964c247def744c68557b9c57ad884bf5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
20KB

MD5
3c4e3e4b99669f682bf060c44e943672

SHA1
fcce0448432627d5414d50c5c08d0a15760980c7

SHA256
6f6e97f7e4ccae05c6c98f85920afdf82278e23c7eb981d07bac949e15eaa931

SHA512
b92676d944c33e845595ce4a230fe27eb12b035cbcdcf52a75f206aacabe8e48d3cd0a0f71d1ab0b01bb2fc2cec485103bf79123239ead01261224fa7fa0a0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
23KB

MD5
3ed838b373dfc5fac51969883d56ecbe

SHA1
dfdc7f53f329affe0f0ddf93feb6c1bbc4667ce5

SHA256
2f08c1f29cf7ff1f611ff9ef17b0febb9b6732eb5ceabdaf931969b87cd4ad51

SHA512
197a20b38e7654ac3b2b2a58ed00a2c10a7bda9442dd0163300c953bd005f5ef2cf56e2ec654c1ed251e5f956ec629e2a8c1196c73ef10128f914539ffc78ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
25KB

MD5
e70a321c8152e43d3401b3cb815e21dc

SHA1
72415e45dd3a62553e073ec4c1d477753e61d9f7

SHA256
b4fc84db689517fcfbe56c68eb6c7bca66914039c7cc613c3b18c34e64a3c1d4

SHA512
c36ec25a18d5931a0e323be9b41456f68a65abb0c88a0516836b345195915072b10bda5da08ef72165b556974b6d653deb5b702941e0334fe531395cf6e149b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2y1hk3oy.xlsm

Filesize
22KB

MD5
d216bca811e53f4bc32111609e09e159

SHA1
590b8b0af765b8a1e0b85c292d446582af926217

SHA256
98f500a3bca0e0301bbe37d512a450373c46a294826d41cb2ef9c291337b10cf

SHA512
4a2263d6214f66702f43618f4f28d4a15ad3a460375bc035aac6ba4aec3e187b8d18d3befee6032a60b84207cf726441b0154da0877c286264863671404327b1

Download Submit
C:\Users\Admin\Desktop\~$SaveRegister.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\ccmsetup\Logs\ccmsetup.log

Filesize
14KB

MD5
b62eaf681de5c8e623f31e69a8f06c66

SHA1
8c0971c49f420872b8d7291ffab25f6a0c656b83

SHA256
4096d1eb96bd85de6bba6fe5ef8325bbad7a4696a56a2899e94b034bc69fd35f

SHA512
c4470387c7b251e2153a268ca98a53f4c9ae103caa430a3b83d96c6d04ebe410e0404fac3e00e6e90565b2f0c215c87a1f6b1edab0e2eb3c4d332ebf461d46f8

Download Submit
C:\Windows\ccmsetup\Logs\ccmsetup.log

Filesize
18KB

MD5
7f285e729abb903f1d7f4da3f3a3189d

SHA1
757fca24b29544b8d7bc32e5f2edca711f1c3a58

SHA256
8e842109d503442eeedbcbb9a86ddcb729fb3a110cb13411f6afa92b38c1a4bb

SHA512
a5dd1ae3c468dba1661651361ddf35cc92a4541bc8c97198e09c5ef5de5018e2d66315df129bdf13459f2b16f7c158f7af2b5ee72aa91c449851fc3884e38dbb

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ccmsetup.exe

Filesize
3.9MB

MD5
169e238a8e29445c319f934362361d28

SHA1
824e61de77da1e91b4bbb09c92e6908e80d4143d

SHA256
63fb838c9604c2af8d8bc17a48d2d745f389ad984cc2ab5e0765d5b27c91a710

SHA512
a7fcaa91c5de184956605d403e1881b0f62076b01c0c6d03b5dbd42e9b8ca704ae59362b3d46f966c213e7b1e915da95d681db9cb6063923a50b76a55427f2ba

Download Submit
memory/2216-29-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2356-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2356-158-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2916-159-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2916-160-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2916-166-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2916-195-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads