hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbmlNNXpENmE1MTZ2YkhfYUx2WHRYVUN3dGZ0d3xBQ3Jtc0trTmxVRjNHNUFiRG9XejFnN3BxeDJvWU9MR3pWcWw5Rm1TMmtHY3RpQlR2REEyR0lCVFo0SzZJN3RzdWFTeGxxcWxoYWFKaEtNZDlFaUFJcnhYS1I5dUVvenBYbThUYzRadVhnWTJVVEtQVHhDLW8xUQ&q=https%3A%2F%2Fgithub[.]com%2Fdisepi%2Fambrosial%2Freleases&v=39EDt22qW5s

Analysis

max time kernel
88s
max time network
75s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07-03-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmlNNXpENmE1MTZ2YkhfYUx2WHRYVUN3dGZ0d3xBQ3Jtc0trTmxVRjNHNUFiRG9XejFnN3BxeDJvWU9MR3pWcWw5Rm1TMmtHY3RpQlR2REEyR0lCVFo0SzZJN3RzdWFTeGxxcWxoYWFKaEtNZDlFaUFJcnhYS1I5dUVvenBYbThUYzRadVhnWTJVVEtQVHhDLW8xUQ&q=https%3A%2F%2Fgithub.com%2Fdisepi%2Fambrosial%2Freleases&v=39EDt22qW5s

Score

8^/10

agilenet

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Ambrosial.exe

pid process

2600 Ambrosial.exe
Loads dropped DLL 1 IoCs

Processes:

Ambrosial.exe

pid process

2600 Ambrosial.exe

pid	process
2600	Ambrosial.exe

pid	process
2600	Ambrosial.exe

Obfuscated with Agile.Net obfuscator 29 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2600-552-0x000002E0DBA80000-0x000002E0DBC68000-memory.dmp	agile_net
behavioral1/memory/2600-561-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-562-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-564-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-566-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-568-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-580-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-582-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-584-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-586-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-588-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-590-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-592-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-594-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-596-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-598-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-600-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-602-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-606-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-604-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-608-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-610-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-612-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-614-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-616-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-618-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-620-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-622-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net
behavioral1/memory/2600-624-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 5 IoCs

Processes:

Ambrosial.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File opened for modification	C:\Windows\Fonts\Azonix.otf	Ambrosial.exe
File created	C:\Windows\Fonts\OpenSansLight.ttf	Ambrosial.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133227022483364811"	chrome.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
400	chrome.exe
400	chrome.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

400 chrome.exe
400 chrome.exe
400 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe
1180	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 400 wrote to memory of 2152	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 2152	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3136	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 1512	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 1512	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe
PID 400 wrote to memory of 3784	400	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmlNNXpENmE1MTZ2YkhfYUx2WHRYVUN3dGZ0d3xBQ3Jtc0trTmxVRjNHNUFiRG9XejFnN3BxeDJvWU9MR3pWcWw5Rm1TMmtHY3RpQlR2REEyR0lCVFo0SzZJN3RzdWFTeGxxcWxoYWFKaEtNZDlFaUFJcnhYS1I5dUVvenBYbThUYzRadVhnWTJVVEtQVHhDLW8xUQ&q=https%3A%2F%2Fgithub.com%2Fdisepi%2Fambrosial%2Freleases&v=39EDt22qW5s
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9fee69758,0x7ff9fee69768,0x7ff9fee69778
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:2
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1760 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:1
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2912 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:1
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4612 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5100 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5108 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 --field-trial-handle=1732,i,16707421773490210660,4693283495919490911,131072 /prefetch:8
2⤵
PID:164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4104

C:\Users\Admin\Downloads\Ambrosial.exe
"C:\Users\Admin\Downloads\Ambrosial.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.19.2002.0\Zephyr Classic\launcherAssets\ProjectHalcyon.png
Filesize
54KB

MD5
cf4b10cab822fb4e563d5c1fc7757a30

SHA1
57328884b3e1ebf4eaeb4715a33bf93a52c95d53

SHA256
abb9e95c2b6bf7f7fad5f483b9e3e746bbca54a82ff79009d0760dcd2ff013cc

SHA512
f0607ac012b3e86a56f63b9778bde661424e56b3b048f24c8d82b693fe673e860bf0225863f4f71915a1c8c5c83f3caa0de796a0059860d62e378e0b98135eb0

Download Submit
C:\Users\Admin\AppData\Local\Ambrosial\log.txt
Filesize
4KB

MD5
cbba0e956d1ef0f566ceea6c71c81810

SHA1
cc59d06ba05ccf2ca5c53c3048dac2e862fea2ec

SHA256
267bd1fef97a55b43f5984ed697f2b31d051ee9f262e1515adc855d0e52caa9a

SHA512
49d60c74900e6919cfa52e09614db6b31dfa6e7aefb7fccb0039eb322c5c85faadc1c2ff5aecf6231e0fb3dda1ce8f02e162e2102d9fc8b83cae0d4bd92dc6c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
960B

MD5
92ca2347a0607c0072290e322858a938

SHA1
1ab86c2bde58edc2f52762017f380e28dd6ea26b

SHA256
5bfe36808847a5fc4415f7c64b2484a9fee82ce995ddd5d75171c217d5405b6b

SHA512
e6f2a66c0c2d3f9827193207cb18eca02ebaeebc344b81285eca8aa3f6625c674f70a576b2607df15a7edc3cabae4f18bcc44dc5f2e65af47226b4a73820ab26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
bcb4c246cacfbabf41902af0bc678361

SHA1
b57a477002557937ca178ab4d6dd4ed2995b4a2d

SHA256
8e9d11cbe6e21539dc6e98244ab22d7b6a733850e49b6ecae48898219d348925

SHA512
f4722113b8c461236f87a396f83f89811879640cb8265a743a408ae240602e2585694b1be218513686708f4e6139d7f3807a6ad5ceb4d01bbb31e6b97919eaeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
01a15600c80bde108e5775ae73feca86

SHA1
605a42fed18b0e0221b0530b6ad89787c23828eb

SHA256
8c2890a7fd89272e1510115d9a0959b3aa674fd7a8a1f012fbdf60ece561da98

SHA512
f5d542ebce95a63ebbb6c5995c107ed04061603313391dafb0ca6da417c862e669c0efc02752572b925e1b3ec6626e2e4f6310442e23cffe4a11caba2d29dec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
aaac2bddc6ead46c311108e4842d55db

SHA1
e2a4537fef25b616aa80624704a8a11c4e1bba5e

SHA256
b67e6acb28bab26608f73289973971de9ee8569c4b506903bf44c39af3a7e0cb

SHA512
eb36fd8c002a5ccc3b675536e45cee8246e9884ad6142c2a0619b98e5530d000df8c9498627e2320d978eeeaedae963f442d9620f761f5e0e48c46da75f9291c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
dab5bf1ab4784ab55ec416eef37a0a46

SHA1
f5b13f083cc7e0d145e2ed87e0cf4000f82d5614

SHA256
b5a818d4881b8e43ac7894e0a78d2fea029aa851d4e13b06929f1ee1e644ed74

SHA512
c8e8b1db6c635b4bfe163ca9775654b50726edda9649a216851ba90ffb37d3381c7a16c9d074481d7d2a4b44e03c25ea88b99cf8b420d2070e67c3b9ed4af07d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
586d10090ef1139187af4d13b56ab043

SHA1
059fcb3a37c2add686736f6ba4c25b0c6198766b

SHA256
f70de762793129489fe1a012cb48bd7815ab98e5abdc0c7ae0f8eb4f198ffa3f

SHA512
1dcfb8945e10575c48152ec1fc856d6c18d1c2cbc257e81fb900ecda817af3ce4fe014526f28d2ea2168e665cd327b40235f155f457df55b85e8ff80da3360bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4255b2e474ad5a17e9a35434d4ac1a25

SHA1
6cc08926324e4764dba0e7f62652c9e068b192f7

SHA256
5c6d959d1eb0df5e9f18cac06dc29c67fa15605160a4ac94a858518fb620b3a4

SHA512
eb3483459f6c2fc56558a7fbe0547a9f138b4951a98bf3e75bdb564337fa34eac74c9c06a3d6aa3dc790eab8c8b84f47a69712b51ced493a93ec2ccad5699e24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
cb25010c28c709250913f9a59fed8502

SHA1
833a59b14aaa0fb83e6a623c7ee542169ce97ee8

SHA256
76f588c2f2c091eb65076993a46ba4c2b0d597e4a069746106dfe4f39f88c0d8

SHA512
ef6d75a6b0ce16170b7ced3d72fede2df08b1fe3d9a2f8947e5d3a466f04b192169db8499f4c3be8efba7751152d77f1eb3690afa2a5165fc1cc357882a62881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\Downloads\Ambrosial.exe
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\Downloads\Ambrosial.exe
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Users\Admin\Downloads\Azonix.otf
Filesize
11KB

MD5
cdfe47b31e9184a55cf02eef1baf7240

SHA1
b8825c605434d572f5277be0283d5a9b2cde59e4

SHA256
51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

SHA512
a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 301287.crdownload
Filesize
15.9MB

MD5
596b0f4684d45de83c204967c06e48a3

SHA1
933dc2dc29a17a9447c944289fed4f98e0eb5e5f

SHA256
6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

SHA512
8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

Download Submit
C:\Windows\Fonts\OpenSansLight.ttf
Filesize
217KB

MD5
1bf71be111189e76987a4bb9b3115cb7

SHA1
40442c189568184b6e6c27a25d69f14d91b65039

SHA256
cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

SHA512
cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

Download Submit
\??\pipe\crashpad_400_QSUITQAFQGAVFUNB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
memory/2600-564-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-592-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-352-0x000002E0DA120000-0x000002E0DA1D0000-memory.dmp

Filesize
704KB

Download
memory/2600-552-0x000002E0DBA80000-0x000002E0DBC68000-memory.dmp

Filesize
1.9MB

Download
memory/2600-331-0x000002E0C1A30000-0x000002E0C1A4A000-memory.dmp

Filesize
104KB

Download
memory/2600-330-0x000002E0C0110000-0x000002E0C012C000-memory.dmp

Filesize
112KB

Download
memory/2600-560-0x00007FF9EB5F0000-0x00007FF9EB71C000-memory.dmp

Filesize
1.2MB

Download
memory/2600-561-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-562-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-329-0x000002E0DA1D0000-0x000002E0DA1E0000-memory.dmp

Filesize
64KB

Download
memory/2600-566-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-568-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-569-0x00007FF9ED850000-0x00007FF9ED877000-memory.dmp

Filesize
156KB

Download
memory/2600-580-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-582-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-584-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-586-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-588-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-590-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-359-0x000002E0DB2B0000-0x000002E0DB2D2000-memory.dmp

Filesize
136KB

Download
memory/2600-594-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-596-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-598-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-600-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-602-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-606-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-604-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-608-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-610-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-612-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-614-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-616-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-618-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-620-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-622-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-624-0x000002E0DBA80000-0x000002E0DBC64000-memory.dmp

Filesize
1.9MB

Download
memory/2600-777-0x000002E0DA1D0000-0x000002E0DA1E0000-memory.dmp

Filesize
64KB

Download
memory/2600-1108-0x00007FF9ED850000-0x00007FF9ED877000-memory.dmp

Filesize
156KB

Download
memory/2600-328-0x000002E0BED90000-0x000002E0BFD7A000-memory.dmp

Filesize
15.9MB

Download
memory/3136-129-0x00007FFA0A9B0000-0x00007FFA0A9B1000-memory.dmp

Filesize
4KB

Download