541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427

General

Target

Hydra-1.1.0.Setup.exe
Size

128.8MB
MD5

366d719f4ffb6e6378bb8eb0ca5f89c0
SHA1

7ab9d1f32366c7eba513c37ae7304f6c74dd8933
SHA256

541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427
SHA512

da1816efa36d0f9e9c8aa0d03cd9cb64851762d83e212d5f91d77d42de91fc23af920922bbf1ca5824a2668d0d4915fc9b024b1dc0abbeb56e6a3e5ed970d5ca
SSDEEP

3145728:QkJG7QPqLxp8O4d4pPU62+0JXWg3/VnRbQvk4H6wWhuyGdgv+m7K2mpHQj/:QkJGUPsxdHt0kg3/VndY5dQ+mO2mpHg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3032	Update.exe
2428	Squirrel.exe
1544	Hydra.exe
2820	Hydra.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	Hydra-1.1.0.Setup.exe
3032	Update.exe
3032	Update.exe
3032	Update.exe
1544	Hydra.exe
2820	Hydra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	Update.exe
3032	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3032	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3032	1968	Hydra-1.1.0.Setup.exe	29
PID 1968 wrote to memory of 3032	1968	Hydra-1.1.0.Setup.exe	29
PID 1968 wrote to memory of 3032	1968	Hydra-1.1.0.Setup.exe	29
PID 1968 wrote to memory of 3032	1968	Hydra-1.1.0.Setup.exe	29
PID 3032 wrote to memory of 2428	3032	Update.exe	31
PID 3032 wrote to memory of 2428	3032	Update.exe	31
PID 3032 wrote to memory of 2428	3032	Update.exe	31
PID 3032 wrote to memory of 1544	3032	Update.exe	32
PID 3032 wrote to memory of 1544	3032	Update.exe	32
PID 3032 wrote to memory of 1544	3032	Update.exe	32
PID 3032 wrote to memory of 2820	3032	Update.exe	33
PID 3032 wrote to memory of 2820	3032	Update.exe	33
PID 3032 wrote to memory of 2820	3032	Update.exe	33

C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --squirrel-install 1.1.0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1544
- - C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
    "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2636

Network

DNS

raw.githubusercontent.com

Update.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133

185.199.108.133:443

raw.githubusercontent.com

tls

Update.exe

799 B
4.2kB
10
11

8.8.8.8:53

raw.githubusercontent.com

dns

Update.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.110.133

185.199.111.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
76B

MD5
82aad9846f60a10e4495a1c628a4f0b6

SHA1
4119492d3c6fe99ba75f852756d8b04b950e76f0

SHA256
529fd322807a4f0ad7a95c5ed06b4aaf0aabd3f52f33d9b852c6f063a63ef839

SHA512
e19321f50ec6aeca3f040ea98f88a03e4afe8908796a4dbbd7bb41b25713b7a85fbc1dce366d25afea47d4a67181164b678e7f727bd58d88b68db7fafebcbdaf

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
43KB

MD5
b5a42ecde0b058b3c4e661e0ec84400b

SHA1
7e2bfc653c5bc6997553c150a0823daae372cd99

SHA256
ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

SHA512
b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
11KB

MD5
2e4587a60d1bfe337eeb2601c49fb135

SHA1
145d5e3d2ad85a99449a966f7eb131b3c90af481

SHA256
c665ea7e7605a3e9af8be71e3e78c6da60bbafa058b707fd628ca0058e37999b

SHA512
e8b7c0bdd4d5d80479c40b77927982da874655e990ce2b5df1203a3c07817ead5fd178266f2e75d2837b4b6addafb3fb74de1be5ab7b49b0efee89aa289c547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab454C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar454F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe

Filesize
1.8MB

MD5
ff4f902f07f0d3ce4768ec7c5d79f204

SHA1
c3dbb5119263d332a575105a4aa2e91b136612c1

SHA256
0a8a6015b64e956211bd8e70eab23801801358c77d606ef4517eb871d5c8fae8

SHA512
f11a5f60b0d9944e19b98aed6c72b2a4f33660dbb1ccfaa293189b56d6e497207d084bf63e2ae1636c3d4f25077cddfe881c34a625fedc127567fdefae84793a

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
a560bad9e373ea5223792d60bede2b13

SHA1
82a0da9b52741d8994f28ad9ed6cbd3e6d3538fa

SHA256
76359cd4b0349a83337b941332ad042c90351c2bb0a4628307740324c97984cc

SHA512
58a1b4e1580273e1e5021dd2309b1841767d2a4be76ab4a7d4ff11b53fa9de068f6da67bf0dccfb19b4c91351387c0e6e200a2a864ec3fa737a1cb0970c8242c

Download Submit
\Users\Admin\AppData\Local\hydra\app-1.1.0\ffmpeg.dll

Filesize
2.7MB

MD5
855d27d5735c1afd26ff53a7f1bb93eb

SHA1
fc4d2c2f13022bedbdee3eb073961587360bb6ca

SHA256
a32800cbf98c84f2da9dcfea2fe8bdcfaaeef07c4eb81469945a992f83bb339c

SHA512
d6df90c3dc66f9dc9d8f7549d8385c0853a398b6dde5fecfbeb2396725f4c4aab50021b39fdb09ab6f553483e9a2bc985a3d4cce33de4c3f3958a86430cccb69

Download Submit
memory/2428-1922-0x0000000000ED0000-0x00000000010A8000-memory.dmp

Filesize
1.8MB

Download
memory/3032-1326-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/3032-1327-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/3032-9-0x0000000000120000-0x00000000002F6000-memory.dmp

Filesize
1.8MB

Download
memory/3032-1996-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.