Overview
Static analysis score: 10
Behavioral analysis of AmongusHack.exe, by platform (score where the page shows one):
- windows7-x64: 10
- windows10-2004-x64: 3
- android-9-x86: 7
- android-10-x64: no score shown
- android-11-x64: no score shown
- macos-10.15-amd64: no score shown
- ubuntu-18.04-amd64: no score shown
- debian-9-armhf: no score shown
- debian-9-mips: no score shown
- debian-9-mipsel: no score shown
Resubmissions
- 14-01-2025 06:33, 250114-hbk26s1rem, score 10
- 14-01-2025 06:12, 250114-gyapaa1mfq, score 10
- 19-06-2022 16:53, 220619-vdyr9sfcgl, score 10
Analysis
- max time kernel: 115s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-01-2025 06:33
Behavioral tasks (the sample is AmongusHack.exe in every task)
- behavioral1: resource win7-20240903-en
- behavioral2: resource win10v2004-20241007-en
- behavioral3: resource android-x86-arm-20240624-en
- behavioral4: resource android-x64-20240624-en
- behavioral5: resource android-x64-arm64-20240624-en
- behavioral6: resource macos-20241101-en
- behavioral7: resource ubuntu1804-amd64-20240611-en
- behavioral8: resource debian9-armhf-20240729-en
- behavioral9: resource debian9-mipsbe-20240611-en
- behavioral10: resource debian9-mipsel-20240418-en
General
- Target: AmongusHack.exe
- Size: 202KB
- MD5: 5c39bb532bd116ae2c9e47528c9f81f3
- SHA1: 4af704758e4d281997df43811fcd759e4b3ea755
- SHA256: 09eeb778d2b787fb4a329923ce022d54c8b980213698d74487913700e40b5f1e
- SHA512: 18cd104f1d9ec1c6b52f0461d9cbba4483bad21074805e0e8c425045d77e439e795b19953964abc791f7b17dc7247d4481c2e4e6083019e8e5b4ca704682d320
- SSDEEP: 3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI0aqPoOeRontyZEgszB8DYLJqE:gLV6Bta6dtJmakIM5pP1jMZIt8DffeLr
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 21 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation
  Process: AmongusHack.exe
  (this identical row is logged 21 times, once per AmongusHack.exe process that carries the signature)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 22 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: AmongusHack.exe
  (this identical row is logged 22 times, once per AmongusHack.exe process)
- Suspicious use of WriteProcessMemory (63 IoCs)
  Every row below is logged three times (21 distinct pid/target pairs x 3 = 63 IoCs); the Process column is AmongusHack.exe in every row, and the pid/target pairs match the parent/child pairs in the process tree below.
  pid -> target (procid_target):
  2124 -> 4180 (84)
  4180 -> 220 (93)
  220 -> 888 (98)
  888 -> 916 (99)
  916 -> 4544 (100)
  4544 -> 4444 (104)
  4444 -> 3832 (105)
  3832 -> 2900 (106)
  2900 -> 1632 (107)
  1632 -> 3896 (108)
  3896 -> 4176 (109)
  4176 -> 184 (110)
  184 -> 4392 (111)
  4392 -> 984 (112)
  984 -> 4564 (113)
  4564 -> 4452 (114)
  4452 -> 4676 (115)
  4676 -> 5044 (116)
  5044 -> 2780 (117)
  2780 -> 1576 (118)
  1576 -> 1032 (119)
Processes
Every process in the tree is C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe, and each one is the parent of the process listed after it (nesting depth 1 to 22). The top-level process was started with the command line:
  C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
and every child with the command line:
  "C:\Users\Admin\AppData\Local\Temp\AmongusHack.exe"
Processes at depth 1 through 21 each trigger the signatures Checks computer location settings, System Location Discovery: System Language Discovery and Suspicious use of WriteProcessMemory; the process at depth 22 triggers only System Location Discovery: System Language Discovery.
- depth 1, PID:2124
- depth 2, PID:4180
- depth 3, PID:220
- depth 4, PID:888
- depth 5, PID:916
- depth 6, PID:4544
- depth 7, PID:4444
- depth 8, PID:3832
- depth 9, PID:2900
- depth 10, PID:1632
- depth 11, PID:3896
- depth 12, PID:4176
- depth 13, PID:184
- depth 14, PID:4392
- depth 15, PID:984
- depth 16, PID:4564
- depth 17, PID:4452
- depth 18, PID:4676
- depth 19, PID:5044
- depth 20, PID:2780
- depth 21, PID:1576
- depth 22, PID:1032
Network
All recorded DNS traffic consists of reverse (PTR) lookups sent to 8.8.8.8:53; only two of the queried addresses returned a PTR record. Per query: bytes sent, bytes received, requests, responses.
- 97.17.167.52.in-addr.arpa: response with no PTR record (71 B, 145 B, 1, 1)
- 180.129.81.91.in-addr.arpa: response with no PTR record (72 B, 147 B, 1, 1)
- 14.160.190.20.in-addr.arpa: response with no PTR record (72 B, 158 B, 1, 1)
- 167.173.78.104.in-addr.arpa: PTR a104-78-173-167.deploy.static.akamaitechnologies.com (73 B, 139 B, 1, 1)
- 56.163.245.4.in-addr.arpa: response with no PTR record (71 B, 157 B, 1, 1)
- 206.23.85.13.in-addr.arpa: response with no PTR record (71 B, 145 B, 1, 1)
- 92.12.20.2.in-addr.arpa: PTR a2-20-12-92.deploy.static.akamaitechnologies.com (69 B, 131 B, 1, 1)
- 19.229.111.52.in-addr.arpa: queried twice, one response with no PTR record (144 B, 158 B, 2, 1)
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 496B
  MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
  SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
  SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
  SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede