09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e

Resubmissions

14/01/2025, 06:33

250114-hbk26s1rem 10

14/01/2025, 06:12

250114-gyapaa1mfq 10

19/06/2022, 16:53

220619-vdyr9sfcgl 10

Analysis

max time kernel
115s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AmongusHack.exe
Size

202KB
MD5

5c39bb532bd116ae2c9e47528c9f81f3
SHA1

4af704758e4d281997df43811fcd759e4b3ea755
SHA256

09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e
SHA512

18cd104f1d9ec1c6b52f0461d9cbba4483bad21074805e0e8c425045d77e439e795b19953964abc791f7b17dc7247d4481c2e4e6083019e8e5b4ca704682d320
SSDEEP

3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI0aqPoOeRontyZEgszB8DYLJqE:gLV6Bta6dtJmakIM5pP1jMZIt8DffeLr

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AmongusHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AmongusHack.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4180	2124	AmongusHack.exe	84
PID 2124 wrote to memory of 4180	2124	AmongusHack.exe	84
PID 2124 wrote to memory of 4180	2124	AmongusHack.exe	84
PID 4180 wrote to memory of 220	4180	AmongusHack.exe	93
PID 4180 wrote to memory of 220	4180	AmongusHack.exe	93
PID 4180 wrote to memory of 220	4180	AmongusHack.exe	93
PID 220 wrote to memory of 888	220	AmongusHack.exe	98
PID 220 wrote to memory of 888	220	AmongusHack.exe	98
PID 220 wrote to memory of 888	220	AmongusHack.exe	98
PID 888 wrote to memory of 916	888	AmongusHack.exe	99
PID 888 wrote to memory of 916	888	AmongusHack.exe	99
PID 888 wrote to memory of 916	888	AmongusHack.exe	99
PID 916 wrote to memory of 4544	916	AmongusHack.exe	100
PID 916 wrote to memory of 4544	916	AmongusHack.exe	100
PID 916 wrote to memory of 4544	916	AmongusHack.exe	100
PID 4544 wrote to memory of 4444	4544	AmongusHack.exe	104
PID 4544 wrote to memory of 4444	4544	AmongusHack.exe	104
PID 4544 wrote to memory of 4444	4544	AmongusHack.exe	104
PID 4444 wrote to memory of 3832	4444	AmongusHack.exe	105
PID 4444 wrote to memory of 3832	4444	AmongusHack.exe	105
PID 4444 wrote to memory of 3832	4444	AmongusHack.exe	105
PID 3832 wrote to memory of 2900	3832	AmongusHack.exe	106
PID 3832 wrote to memory of 2900	3832	AmongusHack.exe	106
PID 3832 wrote to memory of 2900	3832	AmongusHack.exe	106
PID 2900 wrote to memory of 1632	2900	AmongusHack.exe	107
PID 2900 wrote to memory of 1632	2900	AmongusHack.exe	107
PID 2900 wrote to memory of 1632	2900	AmongusHack.exe	107
PID 1632 wrote to memory of 3896	1632	AmongusHack.exe	108
PID 1632 wrote to memory of 3896	1632	AmongusHack.exe	108
PID 1632 wrote to memory of 3896	1632	AmongusHack.exe	108
PID 3896 wrote to memory of 4176	3896	AmongusHack.exe	109
PID 3896 wrote to memory of 4176	3896	AmongusHack.exe	109
PID 3896 wrote to memory of 4176	3896	AmongusHack.exe	109
PID 4176 wrote to memory of 184	4176	AmongusHack.exe	110
PID 4176 wrote to memory of 184	4176	AmongusHack.exe	110
PID 4176 wrote to memory of 184	4176	AmongusHack.exe	110
PID 184 wrote to memory of 4392	184	AmongusHack.exe	111
PID 184 wrote to memory of 4392	184	AmongusHack.exe	111
PID 184 wrote to memory of 4392	184	AmongusHack.exe	111
PID 4392 wrote to memory of 984	4392	AmongusHack.exe	112
PID 4392 wrote to memory of 984	4392	AmongusHack.exe	112
PID 4392 wrote to memory of 984	4392	AmongusHack.exe	112
PID 984 wrote to memory of 4564	984	AmongusHack.exe	113
PID 984 wrote to memory of 4564	984	AmongusHack.exe	113
PID 984 wrote to memory of 4564	984	AmongusHack.exe	113
PID 4564 wrote to memory of 4452	4564	AmongusHack.exe	114
PID 4564 wrote to memory of 4452	4564	AmongusHack.exe	114
PID 4564 wrote to memory of 4452	4564	AmongusHack.exe	114
PID 4452 wrote to memory of 4676	4452	AmongusHack.exe	115
PID 4452 wrote to memory of 4676	4452	AmongusHack.exe	115
PID 4452 wrote to memory of 4676	4452	AmongusHack.exe	115
PID 4676 wrote to memory of 5044	4676	AmongusHack.exe	116
PID 4676 wrote to memory of 5044	4676	AmongusHack.exe	116
PID 4676 wrote to memory of 5044	4676	AmongusHack.exe	116
PID 5044 wrote to memory of 2780	5044	AmongusHack.exe	117
PID 5044 wrote to memory of 2780	5044	AmongusHack.exe	117
PID 5044 wrote to memory of 2780	5044	AmongusHack.exe	117
PID 2780 wrote to memory of 1576	2780	AmongusHack.exe	118
PID 2780 wrote to memory of 1576	2780	AmongusHack.exe	118
PID 2780 wrote to memory of 1576	2780	AmongusHack.exe	118
PID 1576 wrote to memory of 1032	1576	AmongusHack.exe	119
PID 1576 wrote to memory of 1032	1576	AmongusHack.exe	119
PID 1576 wrote to memory of 1032	1576	AmongusHack.exe	119

C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
  "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
    "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
      "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        14⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        16⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        18⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        19⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        20⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        21⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AmongusHack.exe.log

Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
memory/220-9-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/220-11-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/220-10-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/220-12-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-0-0x0000000074622000-0x0000000074623000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-2-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/2124-6-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-5-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-7-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-8-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download