6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

Analysis

max time kernel
1s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2022, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ambrosial.exe
Size

15.9MB
MD5

596b0f4684d45de83c204967c06e48a3
SHA1

933dc2dc29a17a9447c944289fed4f98e0eb5e5f
SHA256

6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a
SHA512

8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830
SSDEEP

196608:64WxsIO2gfRMhSE8/Erd8QP+ih91qBpodTAIRq+2vBt:64WuIO2gfRMYbcr6QP391qBafC

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\OpenSansLight.ttf	Ambrosial.exe
File created	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File opened for modification	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	Ambrosial.exe

C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe
"C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll

Filesize
49KB

MD5
a92d3779d002b23db954e6c0acd93af0

SHA1
fcd62290345c584187a8abf84e49452b5562a8b6

SHA256
d4ba233491868d656aa88215ba5f49439f49f0b571cbf0bf917fa6eaf93181b5

SHA512
96d61511bdf228c8187c5ba0f0a3571caa082f2b83cac339a7c9584782f648ebac151f79c11046ef728d9c6533f95ae879be5ff9b155b527bee2d502917d104b

Download Submit
memory/3196-132-0x000001C6E3740000-0x000001C6E472A000-memory.dmp

Filesize
15.9MB

Download
memory/3196-134-0x00007FFA06970000-0x00007FFA07431000-memory.dmp

Filesize
10.8MB

Download
memory/3196-133-0x000001C6E4B10000-0x000001C6E4B2A000-memory.dmp

Filesize
104KB

Download
memory/3196-135-0x000001C6E6470000-0x000001C6E6492000-memory.dmp

Filesize
136KB

Download
memory/3196-137-0x00007FFA05160000-0x00007FFA052AE000-memory.dmp

Filesize
1.3MB

Download
memory/3196-138-0x00007FFA00D20000-0x00007FFA00D47000-memory.dmp

Filesize
156KB

Download
memory/3196-139-0x000001C6FEF49000-0x000001C6FEF4F000-memory.dmp

Filesize
24KB

Download
memory/3196-140-0x00007FFA06970000-0x00007FFA07431000-memory.dmp

Filesize
10.8MB

Download
memory/3196-141-0x00007FFA00D20000-0x00007FFA00D47000-memory.dmp

Filesize
156KB

Download
memory/3196-142-0x000001C6FEF49000-0x000001C6FEF4F000-memory.dmp

Filesize
24KB

Download