Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 21:49

General

  • Target

    ccmsetup.exe

  • Size

    4.6MB

  • MD5

    823444545911fd17e953437b7c712f2f

  • SHA1

    6d1c0b1c3caade86c13196a0763538d0ee29322e

  • SHA256

    845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

  • SHA512

    51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b

  • SSDEEP

    49152:gnsHyjtk2MYC5GDfmrE906DDnrvpjFGO+LFPPYK6Ii1+0UfWUWveO1b9Uqi1dP8B:gnsmtk2aWmrE906DDnjpREFgBIi9/

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccmsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ccmsetup.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\._cache_ccmsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_ccmsetup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2428
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3892
  • C:\Windows\ccmsetup\._cache_Synaptics.exe
    "C:\Windows\ccmsetup\._cache_Synaptics.exe" /runservice INJUPDATE="InjUpdate"
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2144
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    4.6MB

    MD5

    823444545911fd17e953437b7c712f2f

    SHA1

    6d1c0b1c3caade86c13196a0763538d0ee29322e

    SHA256

    845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

    SHA512

    51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b

  • C:\Users\Admin\AppData\Local\Temp\._cache_ccmsetup.exe

    Filesize

    3.9MB

    MD5

    169e238a8e29445c319f934362361d28

    SHA1

    824e61de77da1e91b4bbb09c92e6908e80d4143d

    SHA256

    63fb838c9604c2af8d8bc17a48d2d745f389ad984cc2ab5e0765d5b27c91a710

    SHA512

    a7fcaa91c5de184956605d403e1881b0f62076b01c0c6d03b5dbd42e9b8ca704ae59362b3d46f966c213e7b1e915da95d681db9cb6063923a50b76a55427f2ba

  • C:\Users\Admin\AppData\Local\Temp\47B75E00

    Filesize

    23KB

    MD5

    603b488ac5bd66aeace457de187b7fc2

    SHA1

    5be81f9e63269f574408981be91a08e1420b6678

    SHA256

    e6c79df52377a4a429c4176fa1647f9248dfd15bc00acc029a052c33aac74087

    SHA512

    fc0e6700ea02c5d03175b1dff5e85109e64079f44bdededc82d33d999c552351e981ad6c1162ee08d7ab54769ec05c2f1f9891088fdc6a67d063b34016e8700d

  • C:\Users\Admin\AppData\Local\Temp\7dzmrT7J.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Windows\ccmsetup\Logs\ccmsetup.log

    Filesize

    11KB

    MD5

    f08236877f6561c56f424a92ffb4401a

    SHA1

    7e62202bf4adbffc2f2ff557af15969b05481560

    SHA256

    d96949a68376c1cb071999fb292a921879d382b0a4055378e4118bd891d2a0cd

    SHA512

    5574d56cf983a5ae2faacdb8a92754fb3f284be54ed213aef121ae5321600a878a313404a810e0af649ca56466afeb6dbd66f2519dc732bd9d4c80e6c22eebff

  • C:\Windows\ccmsetup\Logs\ccmsetup.log

    Filesize

    18KB

    MD5

    20019af09bfe3566db3bc29585181514

    SHA1

    c99903e03b06b7bbf2ffde0298c916264e4b888f

    SHA256

    844a02d84bc16d5c0a07895ec165850300602a5215df2662ad98993054ff0eb5

    SHA512

    15b70537ea6e4c1d86dcf95edf7c6a8ccfda0e49b7593d7dd9d90118cf49f247e61cb9ad43f39471265dfc5a1e040ec984b73ee740381a2d369e206539a39618

  • memory/1928-287-0x0000000000400000-0x00000000008AC000-memory.dmp

    Filesize

    4.7MB

  • memory/1928-202-0x0000000000400000-0x00000000008AC000-memory.dmp

    Filesize

    4.7MB

  • memory/1928-256-0x0000000000400000-0x00000000008AC000-memory.dmp

    Filesize

    4.7MB

  • memory/2204-204-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

    Filesize

    64KB

  • memory/2204-206-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

    Filesize

    64KB

  • memory/2204-207-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

    Filesize

    64KB

  • memory/2204-208-0x00007FFC4A400000-0x00007FFC4A410000-memory.dmp

    Filesize

    64KB

  • memory/2204-209-0x00007FFC4A400000-0x00007FFC4A410000-memory.dmp

    Filesize

    64KB

  • memory/2204-205-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

    Filesize

    64KB

  • memory/2204-203-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

    Filesize

    64KB

  • memory/3492-0-0x0000000002750000-0x0000000002751000-memory.dmp

    Filesize

    4KB

  • memory/3492-128-0x0000000000400000-0x00000000008AC000-memory.dmp

    Filesize

    4.7MB