541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427

Analysis

max time kernel
86s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
02/05/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hydra-1.1.0.Setup.exe
Size

128.8MB
MD5

366d719f4ffb6e6378bb8eb0ca5f89c0
SHA1

7ab9d1f32366c7eba513c37ae7304f6c74dd8933
SHA256

541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427
SHA512

da1816efa36d0f9e9c8aa0d03cd9cb64851762d83e212d5f91d77d42de91fc23af920922bbf1ca5824a2668d0d4915fc9b024b1dc0abbeb56e6a3e5ed970d5ca
SSDEEP

3145728:QkJG7QPqLxp8O4d4pPU62+0JXWg3/VnRbQvk4H6wWhuyGdgv+m7K2mpHQj/:QkJGUPsxdHt0kg3/VndY5dQ+mO2mpHg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4916	Update.exe
2828	Squirrel.exe
1688	Hydra.exe
1596	Update.exe
4536	Hydra.exe
4000	Update.exe
2296	Hydra.exe
1732	Hydra.exe

Loads dropped DLL 9 IoCs

pid	Process
1688	Hydra.exe
1688	Hydra.exe
4536	Hydra.exe
2296	Hydra.exe
1732	Hydra.exe
1732	Hydra.exe
1732	Hydra.exe
1732	Hydra.exe
1732	Hydra.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher\shell\open\command	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher\shell	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher\shell\open	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\hydra\\app-1.1.0\\Hydra.exe\" \"%1\""	Hydra.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher\URL Protocol	Hydra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\hydralauncher\ = "URL:hydralauncher"	Hydra.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1688	Hydra.exe
1688	Hydra.exe
1688	Hydra.exe
1688	Hydra.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1688	Hydra.exe
Token: SeCreatePagefilePrivilege	1688	Hydra.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4916	Update.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4916	1260	Hydra-1.1.0.Setup.exe	82
PID 1260 wrote to memory of 4916	1260	Hydra-1.1.0.Setup.exe	82
PID 4916 wrote to memory of 2828	4916	Update.exe	83
PID 4916 wrote to memory of 2828	4916	Update.exe	83
PID 4916 wrote to memory of 1688	4916	Update.exe	84
PID 4916 wrote to memory of 1688	4916	Update.exe	84
PID 1688 wrote to memory of 1596	1688	Hydra.exe	85
PID 1688 wrote to memory of 1596	1688	Hydra.exe	85
PID 1688 wrote to memory of 4536	1688	Hydra.exe	86
PID 1688 wrote to memory of 4536	1688	Hydra.exe	86
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 1732	1688	Hydra.exe	87
PID 1688 wrote to memory of 4000	1688	Hydra.exe	88
PID 1688 wrote to memory of 4000	1688	Hydra.exe	88
PID 1688 wrote to memory of 2296	1688	Hydra.exe	89
PID 1688 wrote to memory of 2296	1688	Hydra.exe	89

C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --squirrel-install 1.1.0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --createShortcut=Hydra.exe
      4⤵
      Executes dropped EXE
      PID:1596
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x580,0x584,0x588,0x57c,0x58c,0x7ff62759a880,0x7ff62759a88c,0x7ff62759a898
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4536
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1828 --field-trial-handle=1836,i,14765171578450730905,11932933900854631381,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1732
  - - C:\Users\Admin\AppData\Local\hydra\Update.exe
      C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
      4⤵
      Executes dropped EXE
      PID:4000
  - - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
      "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2184 --field-trial-handle=1836,i,14765171578450730905,11932933900854631381,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
76B

MD5
82aad9846f60a10e4495a1c628a4f0b6

SHA1
4119492d3c6fe99ba75f852756d8b04b950e76f0

SHA256
529fd322807a4f0ad7a95c5ed06b4aaf0aabd3f52f33d9b852c6f063a63ef839

SHA512
e19321f50ec6aeca3f040ea98f88a03e4afe8908796a4dbbd7bb41b25713b7a85fbc1dce366d25afea47d4a67181164b678e7f727bd58d88b68db7fafebcbdaf

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
a560bad9e373ea5223792d60bede2b13

SHA1
82a0da9b52741d8994f28ad9ed6cbd3e6d3538fa

SHA256
76359cd4b0349a83337b941332ad042c90351c2bb0a4628307740324c97984cc

SHA512
58a1b4e1580273e1e5021dd2309b1841767d2a4be76ab4a7d4ff11b53fa9de068f6da67bf0dccfb19b4c91351387c0e6e200a2a864ec3fa737a1cb0970c8242c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
43KB

MD5
b5a42ecde0b058b3c4e661e0ec84400b

SHA1
7e2bfc653c5bc6997553c150a0823daae372cd99

SHA256
ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

SHA512
b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
11KB

MD5
2e4587a60d1bfe337eeb2601c49fb135

SHA1
145d5e3d2ad85a99449a966f7eb131b3c90af481

SHA256
c665ea7e7605a3e9af8be71e3e78c6da60bbafa058b707fd628ca0058e37999b

SHA512
e8b7c0bdd4d5d80479c40b77927982da874655e990ce2b5df1203a3c07817ead5fd178266f2e75d2837b4b6addafb3fb74de1be5ab7b49b0efee89aa289c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\343b3955-d2ee-4465-9dfc-8c96b21c2ca4.tmp.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\hydra\Hydra.exe

Filesize
261KB

MD5
c29c528c1e3eafbe317a0b390ae9cb90

SHA1
1b98d7b425d335ddd34d6cc612c4768894c345fe

SHA256
37c8d1d2853655c3ea13994199e9bb2b0c030b7d751c5081851373c8857b8e79

SHA512
4e038d113041715f4dca360503611a35a8651cd8fd3e730ea51b12206677d4aeb786244e82a7d4ad76de5bba846ecf130283068ea6e859af73c4de93c19be4d7

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_100_percent.pak

Filesize
150KB

MD5
b1bccf31fa5710207026d373edd96161

SHA1
ae7bb0c083aea838df1d78d61b54fb76c9a1182e

SHA256
49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

SHA512
134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_200_percent.pak

Filesize
229KB

MD5
e02160c24b8077b36ff06dc05a9df057

SHA1
fc722e071ce9caf52ad9a463c90fc2319aa6c790

SHA256
4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

SHA512
1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\ffmpeg.dll

Filesize
2.7MB

MD5
855d27d5735c1afd26ff53a7f1bb93eb

SHA1
fc4d2c2f13022bedbdee3eb073961587360bb6ca

SHA256
a32800cbf98c84f2da9dcfea2fe8bdcfaaeef07c4eb81469945a992f83bb339c

SHA512
d6df90c3dc66f9dc9d8f7549d8385c0853a398b6dde5fecfbeb2396725f4c4aab50021b39fdb09ab6f553483e9a2bc985a3d4cce33de4c3f3958a86430cccb69

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\libEGL.dll

Filesize
468KB

MD5
5667c348e845c446fb56d7f9d4f11019

SHA1
f02f09799a54ec90371370deac68d36499be45dc

SHA256
72126255176dca2000061657efa0a8e91a9658d1724769b9260093116e131c33

SHA512
daf716e9af5976772e0bf7f33bcbcf347f64de8fc9787f568c1478a464d9f4603f92f3e41242782b07cb5503fffd78bc2e25f040cb932a52614e46a8e92bd2f6

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\libGLESv2.dll

Filesize
7.3MB

MD5
eaedf6de749ef1230197ce1ac0455f0e

SHA1
ba737231f09676278cdeb7840aab1df1ea76c57b

SHA256
8dae6f25ad4fcbbb7eb617ac02fac48c7f0bea7f75c630ea02882cf4fb469a25

SHA512
3417438c516a51e1e04a82c4f145d881c2f2dfb90428656c9aaea80b3b46fa3e4c536b320bc6b137186e200603a4aaa250bd21e0f117b3a02f224cbf20d3a2cc

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\locales\en-US.pak

Filesize
440KB

MD5
8f164155d22029535cd60f47966a89af

SHA1
19733935efe68f7ff3e2a84d28317e0391eb824b

SHA256
20be1732675fedf380010b09936ed65c71bb761d0a05732215ef0795b5aba606

SHA512
4582715817bb9c99d875aa89b1efbd0f70b63dcd37dbfc64e3078d1d4d7ad4ae8fac5a703afe1fc65b9af2f5c0fe8d3e293e2f0530106a6974b38b4cebca9db0

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources.pak

Filesize
5.0MB

MD5
8b4ae918802e54e58cad58b37cc9085c

SHA1
99ba711d34401ae0205ab86aeb7fccf52b576168

SHA256
51eef9af8b1d4cf7c9e4ecfb78b6954ba179e2298b1f134ffdcb4b9eab1bd8e6

SHA512
fe068c1e1b4929a0e85ec5bcf925f75d5a80d892fe45a1c948c39d433aec0674cdb55809c2659aabd9a969aa61387c8a5796d226116ed75c7a4d05b5c09fc785

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\app.asar

Filesize
11.0MB

MD5
ac9806525d2615d75a015a555d26f0c2

SHA1
88d66a4fdaf87eaa9a6f3c632e795c67b377ee59

SHA256
a9bf0998bfda78da9f1426ef98c1f61d63fd073be7e29269a3ae18a8ae0ee85e

SHA512
33c060955144905ee67f884df49ed99ca5f051b6607c9ce6a4ae35eacebb90081ee9cc7055f3bc6fc583a84c27f7a00a5e628904fc167b82bb5cfd984d5fc303

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\squirrel.exe

Filesize
1.8MB

MD5
ff4f902f07f0d3ce4768ec7c5d79f204

SHA1
c3dbb5119263d332a575105a4aa2e91b136612c1

SHA256
0a8a6015b64e956211bd8e70eab23801801358c77d606ef4517eb871d5c8fae8

SHA512
f11a5f60b0d9944e19b98aed6c72b2a4f33660dbb1ccfaa293189b56d6e497207d084bf63e2ae1636c3d4f25077cddfe881c34a625fedc127567fdefae84793a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\v8_context_snapshot.bin

Filesize
663KB

MD5
796517f2fa15adf83ee3be8e7d647a73

SHA1
4287c74c8a765286350dc5322eb79dcdc3f2fd06

SHA256
68effe7d9398b4e81b829fe65c4c68c4cbb9b42a4bb146df826fbf808926f675

SHA512
7c24fb1c249d7355f0b2576e14fa802acca11333ee23ec59503ae611292de63c217343af77c49ca10ed6e9bcd792810a1f1b2abc50784572902ec87ea7203f03

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\vk_swiftshader.dll

Filesize
5.1MB

MD5
a209cc01921c3cceebf40fd2ca3aa1eb

SHA1
7c6a483cd79642fc76ecd695f2bcbcd32034f11d

SHA256
d60bf3062d47378d169aea2f7e6666a099d116e55305ae4f3a494f969b7d3d4b

SHA512
276e8856ad362a6836c021f712df9668c1b0eaeb0ed4ba003b5aab5c37cb7427f6cbdcb51fbe657eeb3af276839a3f622a6499dc8b3a62cde82890eefca5e300

Download Submit
memory/1596-1986-0x0000000002C60000-0x0000000002C80000-memory.dmp

Filesize
128KB

Download
memory/2828-1929-0x0000000000A90000-0x0000000000C68000-memory.dmp

Filesize
1.8MB

Download
memory/4916-1902-0x0000000020560000-0x0000000020598000-memory.dmp

Filesize
224KB

Download
memory/4916-1903-0x0000000020530000-0x000000002053E000-memory.dmp

Filesize
56KB

Download
memory/4916-8-0x0000000000ED0000-0x00000000010A6000-memory.dmp

Filesize
1.8MB

Download