Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Hydra-1.1.0.Setup.exe

windows7-x64

7

Hydra-1.1.0.Setup.exe

windows10-2004-x64

7

Resubmissions

14/05/2024, 07:17

240514-h4dtkafc23 7

14/05/2024, 07:11

240514-hz7k3sfa99 7

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/05/2024, 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hydra-1.1.0.Setup.exe

  • Size

    128.8MB

  • MD5

    366d719f4ffb6e6378bb8eb0ca5f89c0

  • SHA1

    7ab9d1f32366c7eba513c37ae7304f6c74dd8933

  • SHA256

    541a1966114e166cc5807973c227ad72fea6d687ce7c2e70293f794751247427

  • SHA512

    da1816efa36d0f9e9c8aa0d03cd9cb64851762d83e212d5f91d77d42de91fc23af920922bbf1ca5824a2668d0d4915fc9b024b1dc0abbeb56e6a3e5ed970d5ca

  • SSDEEP

    3145728:QkJG7QPqLxp8O4d4pPU62+0JXWg3/VnRbQvk4H6wWhuyGdgv+m7K2mpHQj/:QkJGUPsxdHt0kg3/VndY5dQ+mO2mpHg

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Hydra-1.1.0.Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe
        "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        3⤵
        • Executes dropped EXE
        PID:4496
      • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
        "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --squirrel-install 1.1.0
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Users\Admin\AppData\Local\hydra\Update.exe
          C:\Users\Admin\AppData\Local\hydra\Update.exe --createShortcut=Hydra.exe
          4⤵
          • Executes dropped EXE
          PID:3948
        • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
          C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Hydra /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Hydra\Crashpad --url=https://f.a.k/e --annotation=_productName=Hydra --annotation=_version=1.1.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=29.1.4 --initial-client-data=0x550,0x554,0x558,0x544,0x55c,0x7ff7b0a0a880,0x7ff7b0a0a88c,0x7ff7b0a0a898
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:532
        • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
          "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1896 --field-trial-handle=1900,i,14677992682464536384,14224646923438261880,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1768
        • C:\Users\Admin\AppData\Local\hydra\Update.exe
          C:\Users\Admin\AppData\Local\hydra\Update.exe --checkForUpdate https://update.electronjs.org/hydralauncher/hydra/win32-x64/1.1.0
          4⤵
          • Executes dropped EXE
          PID:420
        • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe
          "C:\Users\Admin\AppData\Local\hydra\app-1.1.0\Hydra.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Hydra" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2084 --field-trial-handle=1900,i,14677992682464536384,14224646923438261880,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4900
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2388
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES
      Filesize

      76B

      MD5

      82aad9846f60a10e4495a1c628a4f0b6

      SHA1

      4119492d3c6fe99ba75f852756d8b04b950e76f0

      SHA256

      529fd322807a4f0ad7a95c5ed06b4aaf0aabd3f52f33d9b852c6f063a63ef839

      SHA512

      e19321f50ec6aeca3f040ea98f88a03e4afe8908796a4dbbd7bb41b25713b7a85fbc1dce366d25afea47d4a67181164b678e7f727bd58d88b68db7fafebcbdaf

      Download Submit

    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      Filesize

      1.8MB

      MD5

      a560bad9e373ea5223792d60bede2b13

      SHA1

      82a0da9b52741d8994f28ad9ed6cbd3e6d3538fa

      SHA256

      76359cd4b0349a83337b941332ad042c90351c2bb0a4628307740324c97984cc

      SHA512

      58a1b4e1580273e1e5021dd2309b1841767d2a4be76ab4a7d4ff11b53fa9de068f6da67bf0dccfb19b4c91351387c0e6e200a2a864ec3fa737a1cb0970c8242c

      Download Submit

    • C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif
      Filesize

      43KB

      MD5

      b5a42ecde0b058b3c4e661e0ec84400b

      SHA1

      7e2bfc653c5bc6997553c150a0823daae372cd99

      SHA256

      ce636d201ef86ffbf4ee8c8762b4d9dc255be9d5f490d0a22e36fe0c938f7244

      SHA512

      b7f4a7bddb226066f7edf23dfb9bee658c30ae03dfe727ec739f51fd98c63831f732343c14a6ca080f31baed38bf9064cdd57c9d1daaf4c42c029fe83d846dc0

      Download Submit

    • C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico
      Filesize

      11KB

      MD5

      2e4587a60d1bfe337eeb2601c49fb135

      SHA1

      145d5e3d2ad85a99449a966f7eb131b3c90af481

      SHA256

      c665ea7e7605a3e9af8be71e3e78c6da60bbafa058b707fd628ca0058e37999b

      SHA512

      e8b7c0bdd4d5d80479c40b77927982da874655e990ce2b5df1203a3c07817ead5fd178266f2e75d2837b4b6addafb3fb74de1be5ab7b49b0efee89aa289c547a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7dcbeaf7-6762-4c70-802e-b978c1084e5a.tmp.node
      Filesize

      1.8MB

      MD5

      66a65322c9d362a23cf3d3f7735d5430

      SHA1

      ed59f3e4b0b16b759b866ef7293d26a1512b952e

      SHA256

      f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

      SHA512

      0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\Hydra.exe
      Filesize

      261KB

      MD5

      c29c528c1e3eafbe317a0b390ae9cb90

      SHA1

      1b98d7b425d335ddd34d6cc612c4768894c345fe

      SHA256

      37c8d1d2853655c3ea13994199e9bb2b0c030b7d751c5081851373c8857b8e79

      SHA512

      4e038d113041715f4dca360503611a35a8651cd8fd3e730ea51b12206677d4aeb786244e82a7d4ad76de5bba846ecf130283068ea6e859af73c4de93c19be4d7

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_100_percent.pak
      Filesize

      150KB

      MD5

      b1bccf31fa5710207026d373edd96161

      SHA1

      ae7bb0c083aea838df1d78d61b54fb76c9a1182e

      SHA256

      49aff5690cb9b0f54f831351aa0f64416ba180a0c4891a859fa7294e81e9c8e3

      SHA512

      134a13ad86f8bd20a1d2350236269fd39c306389a600556a82025d5e0d5adaab0709d59e9b7ee96e8e2d25b6df49fefea27cdccefe5fba9687abf92a9a941d91

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\chrome_200_percent.pak
      Filesize

      229KB

      MD5

      e02160c24b8077b36ff06dc05a9df057

      SHA1

      fc722e071ce9caf52ad9a463c90fc2319aa6c790

      SHA256

      4d5b51f720f7d3146e131c54a6f75e4e826c61b2ff15c8955f6d6dd15bedf106

      SHA512

      1bf873b89b571974537b685cdb739f8ed148f710f6f24f0f362f8b6bb605996fcfec1501411f2cb2df374d5fdaf6e2daaada8cea68051e3c10a67030ea25929e

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\d3dcompiler_47.dll
      Filesize

      4.7MB

      MD5

      2191e768cc2e19009dad20dc999135a3

      SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

      SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

      SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\ffmpeg.dll
      Filesize

      2.7MB

      MD5

      855d27d5735c1afd26ff53a7f1bb93eb

      SHA1

      fc4d2c2f13022bedbdee3eb073961587360bb6ca

      SHA256

      a32800cbf98c84f2da9dcfea2fe8bdcfaaeef07c4eb81469945a992f83bb339c

      SHA512

      d6df90c3dc66f9dc9d8f7549d8385c0853a398b6dde5fecfbeb2396725f4c4aab50021b39fdb09ab6f553483e9a2bc985a3d4cce33de4c3f3958a86430cccb69

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\icudtl.dat
      Filesize

      10.2MB

      MD5

      74bded81ce10a426df54da39cfa132ff

      SHA1

      eb26bcc7d24be42bd8cfbded53bd62d605989bbf

      SHA256

      7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

      SHA512

      bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\libEGL.dll
      Filesize

      468KB

      MD5

      5667c348e845c446fb56d7f9d4f11019

      SHA1

      f02f09799a54ec90371370deac68d36499be45dc

      SHA256

      72126255176dca2000061657efa0a8e91a9658d1724769b9260093116e131c33

      SHA512

      daf716e9af5976772e0bf7f33bcbcf347f64de8fc9787f568c1478a464d9f4603f92f3e41242782b07cb5503fffd78bc2e25f040cb932a52614e46a8e92bd2f6

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\libGLESv2.dll
      Filesize

      7.3MB

      MD5

      eaedf6de749ef1230197ce1ac0455f0e

      SHA1

      ba737231f09676278cdeb7840aab1df1ea76c57b

      SHA256

      8dae6f25ad4fcbbb7eb617ac02fac48c7f0bea7f75c630ea02882cf4fb469a25

      SHA512

      3417438c516a51e1e04a82c4f145d881c2f2dfb90428656c9aaea80b3b46fa3e4c536b320bc6b137186e200603a4aaa250bd21e0f117b3a02f224cbf20d3a2cc

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\locales\en-US.pak
      Filesize

      440KB

      MD5

      8f164155d22029535cd60f47966a89af

      SHA1

      19733935efe68f7ff3e2a84d28317e0391eb824b

      SHA256

      20be1732675fedf380010b09936ed65c71bb761d0a05732215ef0795b5aba606

      SHA512

      4582715817bb9c99d875aa89b1efbd0f70b63dcd37dbfc64e3078d1d4d7ad4ae8fac5a703afe1fc65b9af2f5c0fe8d3e293e2f0530106a6974b38b4cebca9db0

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources.pak
      Filesize

      5.0MB

      MD5

      8b4ae918802e54e58cad58b37cc9085c

      SHA1

      99ba711d34401ae0205ab86aeb7fccf52b576168

      SHA256

      51eef9af8b1d4cf7c9e4ecfb78b6954ba179e2298b1f134ffdcb4b9eab1bd8e6

      SHA512

      fe068c1e1b4929a0e85ec5bcf925f75d5a80d892fe45a1c948c39d433aec0674cdb55809c2659aabd9a969aa61387c8a5796d226116ed75c7a4d05b5c09fc785

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\resources\app.asar
      Filesize

      11.0MB

      MD5

      ac9806525d2615d75a015a555d26f0c2

      SHA1

      88d66a4fdaf87eaa9a6f3c632e795c67b377ee59

      SHA256

      a9bf0998bfda78da9f1426ef98c1f61d63fd073be7e29269a3ae18a8ae0ee85e

      SHA512

      33c060955144905ee67f884df49ed99ca5f051b6607c9ce6a4ae35eacebb90081ee9cc7055f3bc6fc583a84c27f7a00a5e628904fc167b82bb5cfd984d5fc303

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\squirrel.exe
      Filesize

      1.8MB

      MD5

      ff4f902f07f0d3ce4768ec7c5d79f204

      SHA1

      c3dbb5119263d332a575105a4aa2e91b136612c1

      SHA256

      0a8a6015b64e956211bd8e70eab23801801358c77d606ef4517eb871d5c8fae8

      SHA512

      f11a5f60b0d9944e19b98aed6c72b2a4f33660dbb1ccfaa293189b56d6e497207d084bf63e2ae1636c3d4f25077cddfe881c34a625fedc127567fdefae84793a

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\v8_context_snapshot.bin
      Filesize

      663KB

      MD5

      796517f2fa15adf83ee3be8e7d647a73

      SHA1

      4287c74c8a765286350dc5322eb79dcdc3f2fd06

      SHA256

      68effe7d9398b4e81b829fe65c4c68c4cbb9b42a4bb146df826fbf808926f675

      SHA512

      7c24fb1c249d7355f0b2576e14fa802acca11333ee23ec59503ae611292de63c217343af77c49ca10ed6e9bcd792810a1f1b2abc50784572902ec87ea7203f03

      Download Submit

    • C:\Users\Admin\AppData\Local\hydra\app-1.1.0\vk_swiftshader.dll
      Filesize

      5.1MB

      MD5

      a209cc01921c3cceebf40fd2ca3aa1eb

      SHA1

      7c6a483cd79642fc76ecd695f2bcbcd32034f11d

      SHA256

      d60bf3062d47378d169aea2f7e6666a099d116e55305ae4f3a494f969b7d3d4b

      SHA512

      276e8856ad362a6836c021f712df9668c1b0eaeb0ed4ba003b5aab5c37cb7427f6cbdcb51fbe657eeb3af276839a3f622a6499dc8b3a62cde82890eefca5e300

      Download Submit

    • memory/2000-8-0x0000000000C80000-0x0000000000E56000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2000-1603-0x0000000022240000-0x000000002224E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2000-1602-0x0000000022280000-0x00000000222B8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2388-2002-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2000-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2001-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2006-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2012-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2011-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2010-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2009-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2008-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-2007-0x0000023875020000-0x0000023875021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3948-1990-0x000000001BA30000-0x000000001BA50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4496-1929-0x00000000003C0000-0x0000000000598000-memory.dmp

      Filesize

      1.8MB

      Download