Overview
overview
10Static
static
10HydraDrago...tch.py
windows7-x64
3HydraDrago...tch.py
windows10-2004-x64
3HydraDrago...ter.py
windows7-x64
3HydraDrago...ter.py
windows10-2004-x64
3HydraDrago...ter.py
windows7-x64
3HydraDrago...ter.py
windows10-2004-x64
3HydraDrago...tor.py
windows7-x64
3HydraDrago...tor.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...ker.py
windows7-x64
3HydraDrago...ker.py
windows10-2004-x64
3HydraDrago...ins.py
windows7-x64
3HydraDrago...ins.py
windows10-2004-x64
3HydraDrago...lip.py
windows7-x64
3HydraDrago...lip.py
windows10-2004-x64
3HydraDrago...tic.py
windows7-x64
3HydraDrago...tic.py
windows10-2004-x64
3HydraDrago...ted.py
windows7-x64
3HydraDrago...ted.py
windows10-2004-x64
3HydraDrago...ers.py
windows7-x64
3HydraDrago...ers.py
windows10-2004-x64
3HydraDrago...ng0.py
windows7-x64
3HydraDrago...ng0.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...eck.py
windows7-x64
3HydraDrago...eck.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...ng0.py
windows7-x64
3HydraDrago...ng0.py
windows10-2004-x64
3Analysis
-
max time kernel
143s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 23:05
Behavioral task
behavioral1
Sample
HydraDragonAntivirus-main/website/fullymatch.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral2
Sample
HydraDragonAntivirus-main/website/fullymatch.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HydraDragonAntivirus-main/website/hydraupdater.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
HydraDragonAntivirus-main/website/hydraupdater.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
HydraDragonAntivirus-main/website/nochracter.py
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral6
Sample
HydraDragonAntivirus-main/website/nochracter.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
HydraDragonAntivirus-main/website/theunknowndetector.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral8
Sample
HydraDragonAntivirus-main/website/theunknowndetector.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
HydraDragonAntivirus-main/website/tools/containsnothing.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
HydraDragonAntivirus-main/website/tools/containsnothing.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
HydraDragonAntivirus-main/website/tools/domainchecker.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
HydraDragonAntivirus-main/website/tools/domainchecker.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
HydraDragonAntivirus-main/website/tools/noipinodomains.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
HydraDragonAntivirus-main/website/tools/noipinodomains.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
HydraDragonAntivirus-main/website/tools/nolocalip.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral16
Sample
HydraDragonAntivirus-main/website/tools/nolocalip.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
HydraDragonAntivirus-main/website/tools/problematic.py
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
HydraDragonAntivirus-main/website/tools/problematic.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
HydraDragonAntivirus-main/website/tools/removerunwanted.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
HydraDragonAntivirus-main/website/tools/removerunwanted.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
HydraDragonAntivirus-main/website/tools/removeunwantedchracters.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
HydraDragonAntivirus-main/website/tools/removeunwantedchracters.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
HydraDragonAntivirus-main/website/tools/trashing0.py
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral24
Sample
HydraDragonAntivirus-main/website/tools/trashing0.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
HydraDragonAntivirus-main/website/tools/whitelisting.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
HydraDragonAntivirus-main/website/tools/whitelisting.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
HydraDragonAntivirus-main/website/tools/whitelistingrecheck.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral28
Sample
HydraDragonAntivirus-main/website/tools/whitelistingrecheck.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
HydraDragonAntivirus-main/website/tools/whitelistking.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
HydraDragonAntivirus-main/website/tools/whitelistking.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
HydraDragonAntivirus-main/website/tools/whitelistking0.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
HydraDragonAntivirus-main/website/tools/whitelistking0.py
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
HydraDragonAntivirus-main/website/tools/problematic.py
-
Size
560B
-
MD5
d47c501e8aaaabf886ee6f3bbefa38bb
-
SHA1
7e72db3040a07e232676a0cca8cace821794feda
-
SHA256
5efec26ab8525a9bee23e5ba15b515e547e5c0815848667a85c39fcc3ef9daa4
-
SHA512
cd8fac531bfc5f66e4e05b5b6e58e287eb2e46ac7c6e00512d18d0174060b5c3fa965dc2edf2b1858b656eef3e028af4e46fec99c0c00b14b2f2c0c93edcce57
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A0F7214C-C3DE-11EF-A7EA-FA89EA07D49F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings cmd.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4104 iexplore.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 2604 OpenWith.exe 4104 iexplore.exe 4104 iexplore.exe 3264 IEXPLORE.EXE 3264 IEXPLORE.EXE 3264 IEXPLORE.EXE 3264 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2604 wrote to memory of 4104 2604 OpenWith.exe 101 PID 2604 wrote to memory of 4104 2604 OpenWith.exe 101 PID 4104 wrote to memory of 3264 4104 iexplore.exe 104 PID 4104 wrote to memory of 3264 4104 iexplore.exe 104 PID 4104 wrote to memory of 3264 4104 iexplore.exe 104
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\HydraDragonAntivirus-main\website\tools\problematic.py1⤵
- Modifies registry class
PID:4552
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\HydraDragonAntivirus-main\website\tools\problematic.py2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4104 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3264
-
-