09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e

Resubmissions

14-01-2025 06:33

250114-hbk26s1rem 10

14-01-2025 06:12

250114-gyapaa1mfq 10

19-06-2022 16:53

220619-vdyr9sfcgl 10

Analysis

max time kernel
25s
max time network
2s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-01-2025 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AmongusHack.exe
Size

202KB
MD5

5c39bb532bd116ae2c9e47528c9f81f3
SHA1

4af704758e4d281997df43811fcd759e4b3ea755
SHA256

09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e
SHA512

18cd104f1d9ec1c6b52f0461d9cbba4483bad21074805e0e8c425045d77e439e795b19953964abc791f7b17dc7247d4481c2e4e6083019e8e5b4ca704682d320
SSDEEP

3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI0aqPoOeRontyZEgszB8DYLJqE:gLV6Bta6dtJmakIM5pP1jMZIt8DffeLr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	AmongusHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4472	4576	AmongusHack.exe	80
PID 4576 wrote to memory of 4472	4576	AmongusHack.exe	80
PID 4576 wrote to memory of 4472	4576	AmongusHack.exe	80
PID 4472 wrote to memory of 1332	4472	AmongusHack.exe	81
PID 4472 wrote to memory of 1332	4472	AmongusHack.exe	81
PID 4472 wrote to memory of 1332	4472	AmongusHack.exe	81
PID 1332 wrote to memory of 1708	1332	AmongusHack.exe	82
PID 1332 wrote to memory of 1708	1332	AmongusHack.exe	82
PID 1332 wrote to memory of 1708	1332	AmongusHack.exe	82
PID 1708 wrote to memory of 3248	1708	AmongusHack.exe	83
PID 1708 wrote to memory of 3248	1708	AmongusHack.exe	83
PID 1708 wrote to memory of 3248	1708	AmongusHack.exe	83

C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
"C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
  "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
    "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
      "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AmongusHack.exe.log

Filesize
496B

MD5
ecbaa939f4cf8a3c2c4070882a0e61b5

SHA1
5d3733a1386294a95406ade7803c954efe300f0d

SHA256
6f4ae1353d3c20efa457b72225566ee4e50b1c7ce19115faead0ebd6c9711644

SHA512
1cee74c6a3ba57a9d6f6e3d08de07f72c349b308551b2cc25110f077dd3437968b7042a4a5817ab286039d3c74b94b51176317d5d4bfc0d748a03712a7895a87

Download Submit
memory/1332-9-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1332-12-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1332-11-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1332-13-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4472-5-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4472-7-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4472-8-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4472-10-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4576-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4576-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4576-6-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4576-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download