Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 15:02
Static task: static1
Behavioral task: behavioral1
Sample: Ambrosial.exe
Resource: win7-20240903-en
General
Target: Ambrosial.exe
Size: 15.9MB
MD5: 596b0f4684d45de83c204967c06e48a3
SHA1: 933dc2dc29a17a9447c944289fed4f98e0eb5e5f
SHA256: 6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a
SHA512: 8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830
SSDEEP: 196608:64WxsIO2gfRMhSE8/Erd8QP+ih91qBpodTAIRq+2vBt:64WuIO2gfRMYbcr6QP391qBafC
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Fonts\Azonix.otf | Ambrosial.exe
  File opened for modification | C:\Windows\Fonts\Azonix.otf | Ambrosial.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1240 wrote to memory of 3036 | 1240 | Ambrosial.exe | 30
  PID 1240 wrote to memory of 3036 | 1240 | Ambrosial.exe | 30
  PID 1240 wrote to memory of 3036 | 1240 | Ambrosial.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe"
  PID: 1240
  signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (depth 2)
    command line: C:\Windows\system32\WerFault.exe -u -p 1240 -s 592
    PID: 3036
- C:\Windows\explorer.exe (depth 1)
  command line: "C:\Windows\explorer.exe"
  PID: 584
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 11KB
  MD5: cdfe47b31e9184a55cf02eef1baf7240
  SHA1: b8825c605434d572f5277be0283d5a9b2cde59e4
  SHA256: 51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9
  SHA512: a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5