09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e

Resubmissions

14/01/2025, 06:33

250114-hbk26s1rem 10

14/01/2025, 06:12

250114-gyapaa1mfq 10

19/06/2022, 16:53

220619-vdyr9sfcgl 10

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19/06/2022, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AmongusHack.exe
Size

202KB
MD5

5c39bb532bd116ae2c9e47528c9f81f3
SHA1

4af704758e4d281997df43811fcd759e4b3ea755
SHA256

09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e
SHA512

18cd104f1d9ec1c6b52f0461d9cbba4483bad21074805e0e8c425045d77e439e795b19953964abc791f7b17dc7247d4481c2e4e6083019e8e5b4ca704682d320

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 25 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	AmongusHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4184	4572	AmongusHack.exe	83
PID 4572 wrote to memory of 4184	4572	AmongusHack.exe	83
PID 4572 wrote to memory of 4184	4572	AmongusHack.exe	83
PID 4184 wrote to memory of 3684	4184	AmongusHack.exe	87
PID 4184 wrote to memory of 3684	4184	AmongusHack.exe	87
PID 4184 wrote to memory of 3684	4184	AmongusHack.exe	87
PID 3684 wrote to memory of 3508	3684	AmongusHack.exe	88
PID 3684 wrote to memory of 3508	3684	AmongusHack.exe	88
PID 3684 wrote to memory of 3508	3684	AmongusHack.exe	88
PID 3508 wrote to memory of 216	3508	AmongusHack.exe	89
PID 3508 wrote to memory of 216	3508	AmongusHack.exe	89
PID 3508 wrote to memory of 216	3508	AmongusHack.exe	89
PID 216 wrote to memory of 3756	216	AmongusHack.exe	91
PID 216 wrote to memory of 3756	216	AmongusHack.exe	91
PID 216 wrote to memory of 3756	216	AmongusHack.exe	91
PID 3756 wrote to memory of 4236	3756	AmongusHack.exe	92
PID 3756 wrote to memory of 4236	3756	AmongusHack.exe	92
PID 3756 wrote to memory of 4236	3756	AmongusHack.exe	92
PID 4236 wrote to memory of 2644	4236	AmongusHack.exe	93
PID 4236 wrote to memory of 2644	4236	AmongusHack.exe	93
PID 4236 wrote to memory of 2644	4236	AmongusHack.exe	93
PID 2644 wrote to memory of 4240	2644	AmongusHack.exe	94
PID 2644 wrote to memory of 4240	2644	AmongusHack.exe	94
PID 2644 wrote to memory of 4240	2644	AmongusHack.exe	94
PID 4240 wrote to memory of 1716	4240	AmongusHack.exe	95
PID 4240 wrote to memory of 1716	4240	AmongusHack.exe	95
PID 4240 wrote to memory of 1716	4240	AmongusHack.exe	95
PID 1716 wrote to memory of 2660	1716	AmongusHack.exe	96
PID 1716 wrote to memory of 2660	1716	AmongusHack.exe	96
PID 1716 wrote to memory of 2660	1716	AmongusHack.exe	96
PID 2660 wrote to memory of 2216	2660	AmongusHack.exe	97
PID 2660 wrote to memory of 2216	2660	AmongusHack.exe	97
PID 2660 wrote to memory of 2216	2660	AmongusHack.exe	97
PID 2216 wrote to memory of 1272	2216	AmongusHack.exe	98
PID 2216 wrote to memory of 1272	2216	AmongusHack.exe	98
PID 2216 wrote to memory of 1272	2216	AmongusHack.exe	98
PID 1272 wrote to memory of 2164	1272	AmongusHack.exe	99
PID 1272 wrote to memory of 2164	1272	AmongusHack.exe	99
PID 1272 wrote to memory of 2164	1272	AmongusHack.exe	99
PID 2164 wrote to memory of 4016	2164	AmongusHack.exe	100
PID 2164 wrote to memory of 4016	2164	AmongusHack.exe	100
PID 2164 wrote to memory of 4016	2164	AmongusHack.exe	100
PID 4016 wrote to memory of 3020	4016	AmongusHack.exe	101
PID 4016 wrote to memory of 3020	4016	AmongusHack.exe	101
PID 4016 wrote to memory of 3020	4016	AmongusHack.exe	101
PID 3020 wrote to memory of 3500	3020	AmongusHack.exe	102
PID 3020 wrote to memory of 3500	3020	AmongusHack.exe	102
PID 3020 wrote to memory of 3500	3020	AmongusHack.exe	102
PID 3500 wrote to memory of 3044	3500	AmongusHack.exe	103
PID 3500 wrote to memory of 3044	3500	AmongusHack.exe	103
PID 3500 wrote to memory of 3044	3500	AmongusHack.exe	103
PID 3044 wrote to memory of 3156	3044	AmongusHack.exe	104
PID 3044 wrote to memory of 3156	3044	AmongusHack.exe	104
PID 3044 wrote to memory of 3156	3044	AmongusHack.exe	104
PID 3156 wrote to memory of 4992	3156	AmongusHack.exe	105
PID 3156 wrote to memory of 4992	3156	AmongusHack.exe	105
PID 3156 wrote to memory of 4992	3156	AmongusHack.exe	105
PID 4992 wrote to memory of 424	4992	AmongusHack.exe	106
PID 4992 wrote to memory of 424	4992	AmongusHack.exe	106
PID 4992 wrote to memory of 424	4992	AmongusHack.exe	106
PID 424 wrote to memory of 3524	424	AmongusHack.exe	107
PID 424 wrote to memory of 3524	424	AmongusHack.exe	107
PID 424 wrote to memory of 3524	424	AmongusHack.exe	107
PID 3524 wrote to memory of 4060	3524	AmongusHack.exe	108

C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
"C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
  "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
    "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
      "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        14⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        15⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        16⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        17⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        18⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        19⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        20⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        21⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        22⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        23⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        24⤵
        Checks computer location settings
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        25⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        26⤵
        
        PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AmongusHack.exe.log

Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
memory/216-145-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/216-143-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/424-191-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/424-193-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/1272-169-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/1272-167-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/1716-160-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/1716-158-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2024-200-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2024-202-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2164-172-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2164-170-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2216-164-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2216-166-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2644-154-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2644-152-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2660-161-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2660-163-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3020-178-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3020-176-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3044-182-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3044-184-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3156-185-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3156-187-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3500-179-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3500-181-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3508-140-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3508-142-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3524-196-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3524-194-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3684-137-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3684-139-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3756-148-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3756-146-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4016-175-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4016-173-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4060-199-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4060-197-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4184-134-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4184-136-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4236-149-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4236-151-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4240-157-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4240-155-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4336-203-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4336-205-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4572-133-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4572-130-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4728-206-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4992-188-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4992-190-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download