18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AmazonGamesSetup.exe
Size

1.8MB
MD5

02be3726c0a90958a3c30577d3b3a131
SHA1

bedbab8bd74a9d7313ba32ca033c81ec32c04706
SHA256

1a99f1054e51fe86416c59e5c526d69776fdabd7bb9831dbaab8582322121c7a
SHA512

662eaa8d3b112ef981d27832a2a46b0ecb55e2d1dcf49fe1fbd134e3c4e02758bc9ad3db2e25f53fc174e2083dd278967f405a768fdd814612c9a43bc6d1c713
SSDEEP

49152:G/mvl+01HHWra6IjgKDlUzIzsBKLxYqJKevCnuueO+0D17gM8s:bvUAnWrBq1ABzH

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Executes dropped EXE 2 IoCs

Processes:

Amazon Games Setup.exeAmazon Games.exe

pid process

4372 Amazon Games Setup.exe
4220 Amazon Games.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Amazon Games.exe

pid process

4220 Amazon Games.exe
4220 Amazon Games.exe
4220 Amazon Games.exe
4220 Amazon Games.exe
4220 Amazon Games.exe
4220 Amazon Games.exe

pid	process
4372	Amazon Games Setup.exe
4220	Amazon Games.exe

pid	process
4220	Amazon Games.exe
4220	Amazon Games.exe
4220	Amazon Games.exe
4220	Amazon Games.exe
4220	Amazon Games.exe
4220	Amazon Games.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AmazonGamesSetup.exeAmazon Games Setup.exe

description	pid	process	target process
PID 1208 wrote to memory of 4372	1208	AmazonGamesSetup.exe	Amazon Games Setup.exe
PID 1208 wrote to memory of 4372	1208	AmazonGamesSetup.exe	Amazon Games Setup.exe
PID 1208 wrote to memory of 4372	1208	AmazonGamesSetup.exe	Amazon Games Setup.exe
PID 4372 wrote to memory of 4220	4372	Amazon Games Setup.exe	Amazon Games.exe
PID 4372 wrote to memory of 4220	4372	Amazon Games Setup.exe	Amazon Games.exe
PID 4372 wrote to memory of 4220	4372	Amazon Games Setup.exe	Amazon Games.exe

C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe" "/nopatch"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe
    "C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe" " /channelId=87d38116-4cbf-4af0-a371-a5b498975346"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\static\public\core\auth-limbo-40b52b60a701b5c26a7d.css

Filesize
320KB

MD5
acf81f08b85de98eca96cc1b2bbb199a

SHA1
4c089f322370d4461ffa94097d39cc148f45c4da

SHA256
e1326b0de115e4dae4d3157f50636abd85505c0995e4131d68878fedc512498e

SHA512
9220c6162e604d05c404ea9868a3564b7691e51bf7535d1628d194d3fb7bd2391cae076e5da99f664632fc0c6acd7a0807fcb2d1b4af1e2842cfb6973e2e056b

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe

Filesize
1.6MB

MD5
31c680c73261d867169c9859b0235fc4

SHA1
5a94d51dfe4c37acebc1b51d995ea1fcc8ab5f76

SHA256
cd4de592833fb5bc3ff1897cecb02cd0b24b4db6b9b09649c444388ca4425921

SHA512
d2f85d52108ee936743e5fc2e81a124d241b223bf4f10d10c807dc00146b537a757c9f6e5451b91f605b6245e4335544d4e1e80def515d219afb17794f41cb07

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Install_2024-07-04_03-52_0.log

Filesize
1KB

MD5
3f399b5de2e03417f986d485d9ab6232

SHA1
410b011a919ffa04479bc634cb72d2f1fa321c9e

SHA256
bf9265a0f24424022691d89b4d5132f11d4e16e640674b913bebb24da29449cb

SHA512
f443eb7ac9bd2491ad2be688d38e2a0a1f04f78a9aac365739b9352b8bde153f4dd0f4dd577654d58e9458265f620892108860c47730bdb0d0f391b510c44b5a

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Live-Install_2024-07-04_03-52_0.log

Filesize
701KB

MD5
6a209704d28c834d47daf7065ccce050

SHA1
58becf7b2a838b68d9e00d15ee997341349f9ce2

SHA256
14781f848eacf9c5af40f08c9deab307818e7e9b2290957aab1008dbdefd59ec

SHA512
d36191e83d55894e4b0c4b53e8f53f3ad68b0140736ef55aeb2477cf397b739308c7bc47f31d92e2b8bf28749f9662a5819fed1fd18ef5089dadf323d5a72934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe

Filesize
1.9MB

MD5
3f1a9950778e30d7e742506da20c0c14

SHA1
e61f35b01bd30aeb144b9136b52239956e0f1d7e

SHA256
f6e6eb9e27a83689960f2438d86512092db2532c97d460e9b2e6a23834fa48f3

SHA512
43f84f1d28bf6ebbf338970c20ecbb153bdbf4d199d036136663c26a504d6ad454dc18cb108e90b4329c74b483e82b513462e119d1f8df01b2e926e123c38808

Download Submit