Overview
overview
10Static
static
10HydraDrago...tch.py
windows7-x64
3HydraDrago...tch.py
windows10-2004-x64
3HydraDrago...ter.py
windows7-x64
3HydraDrago...ter.py
windows10-2004-x64
3HydraDrago...ter.py
windows7-x64
3HydraDrago...ter.py
windows10-2004-x64
3HydraDrago...tor.py
windows7-x64
3HydraDrago...tor.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...ker.py
windows7-x64
3HydraDrago...ker.py
windows10-2004-x64
3HydraDrago...ins.py
windows7-x64
3HydraDrago...ins.py
windows10-2004-x64
3HydraDrago...lip.py
windows7-x64
3HydraDrago...lip.py
windows10-2004-x64
3HydraDrago...tic.py
windows7-x64
3HydraDrago...tic.py
windows10-2004-x64
3HydraDrago...ted.py
windows7-x64
3HydraDrago...ted.py
windows10-2004-x64
3HydraDrago...ers.py
windows7-x64
3HydraDrago...ers.py
windows10-2004-x64
3HydraDrago...ng0.py
windows7-x64
3HydraDrago...ng0.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...eck.py
windows7-x64
3HydraDrago...eck.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...ng0.py
windows7-x64
3HydraDrago...ng0.py
windows10-2004-x64
3Analysis
-
max time kernel
138s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 23:05
Behavioral task
behavioral1
Sample
HydraDragonAntivirus-main/website/fullymatch.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral2
Sample
HydraDragonAntivirus-main/website/fullymatch.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HydraDragonAntivirus-main/website/hydraupdater.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
HydraDragonAntivirus-main/website/hydraupdater.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
HydraDragonAntivirus-main/website/nochracter.py
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral6
Sample
HydraDragonAntivirus-main/website/nochracter.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
HydraDragonAntivirus-main/website/theunknowndetector.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral8
Sample
HydraDragonAntivirus-main/website/theunknowndetector.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
HydraDragonAntivirus-main/website/tools/containsnothing.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
HydraDragonAntivirus-main/website/tools/containsnothing.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
HydraDragonAntivirus-main/website/tools/domainchecker.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
HydraDragonAntivirus-main/website/tools/domainchecker.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
HydraDragonAntivirus-main/website/tools/noipinodomains.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
HydraDragonAntivirus-main/website/tools/noipinodomains.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
HydraDragonAntivirus-main/website/tools/nolocalip.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral16
Sample
HydraDragonAntivirus-main/website/tools/nolocalip.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
HydraDragonAntivirus-main/website/tools/problematic.py
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
HydraDragonAntivirus-main/website/tools/problematic.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
HydraDragonAntivirus-main/website/tools/removerunwanted.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
HydraDragonAntivirus-main/website/tools/removerunwanted.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
HydraDragonAntivirus-main/website/tools/removeunwantedchracters.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
HydraDragonAntivirus-main/website/tools/removeunwantedchracters.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
HydraDragonAntivirus-main/website/tools/trashing0.py
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral24
Sample
HydraDragonAntivirus-main/website/tools/trashing0.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
HydraDragonAntivirus-main/website/tools/whitelisting.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
HydraDragonAntivirus-main/website/tools/whitelisting.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
HydraDragonAntivirus-main/website/tools/whitelistingrecheck.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral28
Sample
HydraDragonAntivirus-main/website/tools/whitelistingrecheck.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
HydraDragonAntivirus-main/website/tools/whitelistking.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
HydraDragonAntivirus-main/website/tools/whitelistking.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
HydraDragonAntivirus-main/website/tools/whitelistking0.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
HydraDragonAntivirus-main/website/tools/whitelistking0.py
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
HydraDragonAntivirus-main/website/fullymatch.py
-
Size
1KB
-
MD5
ab27645a3ba4fdc2ee97a8e2d88fe140
-
SHA1
b1f1f962a01a918c45a70578daedc5450e65abe6
-
SHA256
1a76f36dca4fe49b8dbfc0b82dc3953e44f9b85346374f1d4e1f0472f48d941d
-
SHA512
5b211ba60be178a629745e777f8058ee9a9c3447e87b2d140e741f4f43c5159441add8e38862b75ae0d12e1854b397338f870df021c1fcca8d005c4375ce7c8f
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9D8AA6CB-C3DE-11EF-A7EA-F6235BFAC6D3} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings OpenWith.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3716 iexplore.exe -
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 2500 OpenWith.exe 3716 iexplore.exe 3716 iexplore.exe 3832 IEXPLORE.EXE 3832 IEXPLORE.EXE 3832 IEXPLORE.EXE 3832 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2500 wrote to memory of 3716 2500 OpenWith.exe 99 PID 2500 wrote to memory of 3716 2500 OpenWith.exe 99 PID 3716 wrote to memory of 3832 3716 iexplore.exe 102 PID 3716 wrote to memory of 3832 3716 iexplore.exe 102 PID 3716 wrote to memory of 3832 3716 iexplore.exe 102
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\HydraDragonAntivirus-main\website\fullymatch.py1⤵
- Modifies registry class
PID:1172
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\HydraDragonAntivirus-main\website\fullymatch.py2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3716 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3832
-
-