09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AmongusHack.exe
Size

202KB
MD5

5c39bb532bd116ae2c9e47528c9f81f3
SHA1

4af704758e4d281997df43811fcd759e4b3ea755
SHA256

09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e
SHA512

18cd104f1d9ec1c6b52f0461d9cbba4483bad21074805e0e8c425045d77e439e795b19953964abc791f7b17dc7247d4481c2e4e6083019e8e5b4ca704682d320
SSDEEP

3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI0aqPoOeRontyZEgszB8DYLJqE:gLV6Bta6dtJmakIM5pP1jMZIt8DffeLr

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2564	2224	AmongusHack.exe	31
PID 2224 wrote to memory of 2564	2224	AmongusHack.exe	31
PID 2224 wrote to memory of 2564	2224	AmongusHack.exe	31
PID 2224 wrote to memory of 2564	2224	AmongusHack.exe	31
PID 2564 wrote to memory of 2392	2564	AmongusHack.exe	32
PID 2564 wrote to memory of 2392	2564	AmongusHack.exe	32
PID 2564 wrote to memory of 2392	2564	AmongusHack.exe	32
PID 2564 wrote to memory of 2392	2564	AmongusHack.exe	32
PID 2392 wrote to memory of 2884	2392	AmongusHack.exe	33
PID 2392 wrote to memory of 2884	2392	AmongusHack.exe	33
PID 2392 wrote to memory of 2884	2392	AmongusHack.exe	33
PID 2392 wrote to memory of 2884	2392	AmongusHack.exe	33
PID 2884 wrote to memory of 2852	2884	AmongusHack.exe	34
PID 2884 wrote to memory of 2852	2884	AmongusHack.exe	34
PID 2884 wrote to memory of 2852	2884	AmongusHack.exe	34
PID 2884 wrote to memory of 2852	2884	AmongusHack.exe	34
PID 2852 wrote to memory of 1644	2852	AmongusHack.exe	35
PID 2852 wrote to memory of 1644	2852	AmongusHack.exe	35
PID 2852 wrote to memory of 1644	2852	AmongusHack.exe	35
PID 2852 wrote to memory of 1644	2852	AmongusHack.exe	35
PID 1644 wrote to memory of 1208	1644	AmongusHack.exe	36
PID 1644 wrote to memory of 1208	1644	AmongusHack.exe	36
PID 1644 wrote to memory of 1208	1644	AmongusHack.exe	36
PID 1644 wrote to memory of 1208	1644	AmongusHack.exe	36
PID 1208 wrote to memory of 2144	1208	AmongusHack.exe	37
PID 1208 wrote to memory of 2144	1208	AmongusHack.exe	37
PID 1208 wrote to memory of 2144	1208	AmongusHack.exe	37
PID 1208 wrote to memory of 2144	1208	AmongusHack.exe	37
PID 2144 wrote to memory of 2200	2144	AmongusHack.exe	38
PID 2144 wrote to memory of 2200	2144	AmongusHack.exe	38
PID 2144 wrote to memory of 2200	2144	AmongusHack.exe	38
PID 2144 wrote to memory of 2200	2144	AmongusHack.exe	38
PID 2200 wrote to memory of 3016	2200	AmongusHack.exe	39
PID 2200 wrote to memory of 3016	2200	AmongusHack.exe	39
PID 2200 wrote to memory of 3016	2200	AmongusHack.exe	39
PID 2200 wrote to memory of 3016	2200	AmongusHack.exe	39
PID 3016 wrote to memory of 2968	3016	AmongusHack.exe	40
PID 3016 wrote to memory of 2968	3016	AmongusHack.exe	40
PID 3016 wrote to memory of 2968	3016	AmongusHack.exe	40
PID 3016 wrote to memory of 2968	3016	AmongusHack.exe	40
PID 2968 wrote to memory of 2004	2968	AmongusHack.exe	41
PID 2968 wrote to memory of 2004	2968	AmongusHack.exe	41
PID 2968 wrote to memory of 2004	2968	AmongusHack.exe	41
PID 2968 wrote to memory of 2004	2968	AmongusHack.exe	41
PID 2004 wrote to memory of 1996	2004	AmongusHack.exe	42
PID 2004 wrote to memory of 1996	2004	AmongusHack.exe	42
PID 2004 wrote to memory of 1996	2004	AmongusHack.exe	42
PID 2004 wrote to memory of 1996	2004	AmongusHack.exe	42
PID 1996 wrote to memory of 672	1996	AmongusHack.exe	43
PID 1996 wrote to memory of 672	1996	AmongusHack.exe	43
PID 1996 wrote to memory of 672	1996	AmongusHack.exe	43
PID 1996 wrote to memory of 672	1996	AmongusHack.exe	43
PID 672 wrote to memory of 408	672	AmongusHack.exe	44
PID 672 wrote to memory of 408	672	AmongusHack.exe	44
PID 672 wrote to memory of 408	672	AmongusHack.exe	44
PID 672 wrote to memory of 408	672	AmongusHack.exe	44
PID 408 wrote to memory of 1720	408	AmongusHack.exe	45
PID 408 wrote to memory of 1720	408	AmongusHack.exe	45
PID 408 wrote to memory of 1720	408	AmongusHack.exe	45
PID 408 wrote to memory of 1720	408	AmongusHack.exe	45
PID 1720 wrote to memory of 1820	1720	AmongusHack.exe	46
PID 1720 wrote to memory of 1820	1720	AmongusHack.exe	46
PID 1720 wrote to memory of 1820	1720	AmongusHack.exe	46
PID 1720 wrote to memory of 1820	1720	AmongusHack.exe	46

C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
"C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
  "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
    "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
      "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-0-0x0000000074A01000-0x0000000074A02000-memory.dmp

Filesize
4KB

Download
memory/2224-1-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-2-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-5-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-4-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-3-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-6-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download