Overview
overview
10Static
static
10HydraDrago...tch.py
windows7-x64
3HydraDrago...tch.py
windows10-2004-x64
3HydraDrago...ter.py
windows7-x64
3HydraDrago...ter.py
windows10-2004-x64
3HydraDrago...ter.py
windows7-x64
3HydraDrago...ter.py
windows10-2004-x64
3HydraDrago...tor.py
windows7-x64
3HydraDrago...tor.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...ker.py
windows7-x64
3HydraDrago...ker.py
windows10-2004-x64
3HydraDrago...ins.py
windows7-x64
3HydraDrago...ins.py
windows10-2004-x64
3HydraDrago...lip.py
windows7-x64
3HydraDrago...lip.py
windows10-2004-x64
3HydraDrago...tic.py
windows7-x64
3HydraDrago...tic.py
windows10-2004-x64
3HydraDrago...ted.py
windows7-x64
3HydraDrago...ted.py
windows10-2004-x64
3HydraDrago...ers.py
windows7-x64
3HydraDrago...ers.py
windows10-2004-x64
3HydraDrago...ng0.py
windows7-x64
3HydraDrago...ng0.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...eck.py
windows7-x64
3HydraDrago...eck.py
windows10-2004-x64
3HydraDrago...ing.py
windows7-x64
3HydraDrago...ing.py
windows10-2004-x64
3HydraDrago...ng0.py
windows7-x64
3HydraDrago...ng0.py
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 23:05
Behavioral task
behavioral1
Sample
HydraDragonAntivirus-main/website/fullymatch.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral2
Sample
HydraDragonAntivirus-main/website/fullymatch.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HydraDragonAntivirus-main/website/hydraupdater.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
HydraDragonAntivirus-main/website/hydraupdater.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
HydraDragonAntivirus-main/website/nochracter.py
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral6
Sample
HydraDragonAntivirus-main/website/nochracter.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
HydraDragonAntivirus-main/website/theunknowndetector.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral8
Sample
HydraDragonAntivirus-main/website/theunknowndetector.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
HydraDragonAntivirus-main/website/tools/containsnothing.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
HydraDragonAntivirus-main/website/tools/containsnothing.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
HydraDragonAntivirus-main/website/tools/domainchecker.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
HydraDragonAntivirus-main/website/tools/domainchecker.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
HydraDragonAntivirus-main/website/tools/noipinodomains.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
HydraDragonAntivirus-main/website/tools/noipinodomains.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
HydraDragonAntivirus-main/website/tools/nolocalip.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral16
Sample
HydraDragonAntivirus-main/website/tools/nolocalip.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
HydraDragonAntivirus-main/website/tools/problematic.py
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
HydraDragonAntivirus-main/website/tools/problematic.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
HydraDragonAntivirus-main/website/tools/removerunwanted.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
HydraDragonAntivirus-main/website/tools/removerunwanted.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
HydraDragonAntivirus-main/website/tools/removeunwantedchracters.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral22
Sample
HydraDragonAntivirus-main/website/tools/removeunwantedchracters.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
HydraDragonAntivirus-main/website/tools/trashing0.py
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral24
Sample
HydraDragonAntivirus-main/website/tools/trashing0.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
HydraDragonAntivirus-main/website/tools/whitelisting.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
HydraDragonAntivirus-main/website/tools/whitelisting.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
HydraDragonAntivirus-main/website/tools/whitelistingrecheck.py
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral28
Sample
HydraDragonAntivirus-main/website/tools/whitelistingrecheck.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
HydraDragonAntivirus-main/website/tools/whitelistking.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
HydraDragonAntivirus-main/website/tools/whitelistking.py
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
HydraDragonAntivirus-main/website/tools/whitelistking0.py
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
HydraDragonAntivirus-main/website/tools/whitelistking0.py
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
HydraDragonAntivirus-main/website/tools/whitelistking.py
-
Size
410B
-
MD5
1c1fcc18fa6a66f51cba2254bb7920e8
-
SHA1
798b5ea90393a7af8df5777b5f1ee24df9efa7b3
-
SHA256
529fbd2278928647c7210bf834b5764471de8c91aa3b63ac8d296069d60d10f0
-
SHA512
44158fc4fbe06f720bc3abc951030e98acfe9c87172e2eb69be65c0477e01ca16f65ac5803368f10d4de0f725b9762619d58dbdafef7305719f3967aafa2f359
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80453260eb57db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31152107" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152107" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e5100000000020000000000106600000001000020000000a647653a5dcb2c97ac070e9e1e3edf8b1b471388af9f62bdc77bd3d5cc18e360000000000e80000000020000200000006bf953674d910edb0a69e90b8b79f3463d645c52f06f0b2068110287e8006ba620000000ce6457721475682a152e8090cad45b478240bed922953dc1af40597e9202272340000000479322ad69f7fc1364ba05d987f0c605be876edc9fb25f1979fd8b52cb9bc9f78fb0bbd14d1013a95640c00a87728024c7d66a0ab9e5aa3ba610d8946aa25cdc iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31152107" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d42f60eb57db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8B179757-C3DE-11EF-A7EA-4E8E92B54298} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1606413041" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e51000000000200000000001066000000010000200000001ee0cbfaae4c00685dd8b909b2ea340d70fa1e726cfb93b2f46be65d9fb7a81c000000000e8000000002000020000000d2417fa898903f8bec823d0b0392896abf80bbdeb319acd5698faf81f19bc8a520000000604cbae23854e5a15dd687c0a927d07f76cc486b64e98f25a2e1288a7a0a6651400000006cbf466d80054884dd5507bf6c0053eab140285cee3d3791abcc4cddb61016a2725952067c6d54a7a6b8df65e511b3537d3fb03669ab2658a597912392d94213 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1601725517" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1601725517" iexplore.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1188 OpenWith.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2388 iexplore.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 1188 OpenWith.exe 2388 iexplore.exe 2388 iexplore.exe 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1188 wrote to memory of 2388 1188 OpenWith.exe 100 PID 1188 wrote to memory of 2388 1188 OpenWith.exe 100 PID 2388 wrote to memory of 2912 2388 iexplore.exe 103 PID 2388 wrote to memory of 2912 2388 iexplore.exe 103 PID 2388 wrote to memory of 2912 2388 iexplore.exe 103
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\HydraDragonAntivirus-main\website\tools\whitelistking.py1⤵
- Modifies registry class
PID:1060
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\HydraDragonAntivirus-main\website\tools\whitelistking.py2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5863881560832be6db3d7e95507b796d8
SHA1bab29c682b73454cb94d1a0edfaae5fd64d076f6
SHA2561b8c898d463e9947656d97610caa6068a39c17fae72baa9168113364b7f70063
SHA5120556ac3e08e23d12ba2558e3e1320f8c7591359a003c6b98e3d93208361000c3fc25dc13e9f4a3575ef854bd903b32f62a36e541ba10de67f38663d8d8debbcb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5c842f7ab6e4ea87ad080d8c3dca9a363
SHA179d2bb4a2cd92ff257deb65683ac33ae4804740c
SHA256134b29a9fb9ec6c432880c401e6633f75580ecc8289e91632576d16224799ffc
SHA51257e1ed78146d8b20288026c1e46376d7ed369e4f5c4df2d7c1130c5b27ec5ceebb3a821eef1cc546f76c77b8255203b6ed7384382ad3ed4ed5b294b5716e164a