Overview

overview

10

Static

static

10

api-ms-win...-0.exe

windows7-x64

10

api-ms-win...-0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2024 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    api-ms-win-crt-environment-l1-1-0.exe

  • Size

    3.1MB

  • MD5

    8c1e7d74c62a687a236a3262f09269d4

  • SHA1

    896a403897661d3834f540a10678463f4ef4c81d

  • SHA256

    9e6fa1f280864e2933528e17984bf2d448b003bda842145f34e63cc8a4b337ef

  • SHA512

    85f98c7c311c224043a588180ff170290b6e5cffc78edb77cbfbc8bfc662d34b17c7f9a6a9708f769398854284b98e9d14d45229b2f74c19ce52481f4887bc24

  • SSDEEP

    49152:Pv1A62jiaQDKwPFlJn3xFQsZQOdmRJ6abR3LoGdMoTHHB72eh2NT:Pve62jiaQDKwPFlJn3TQsZQOdmRJ60

Score
10/10
quasarsvchostspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

C2

szczurson1337.freemyip.com:63027

Mutex

480dd827-793e-49b8-b01d-ed2623e7d90a

Attributes
  • encryption_key

    6891155C128F5ED55194A86C4A5AB7A3EE3E2C5B

  • install_name

    api-ms-win-crt-environment-l1-0-1.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    api-ms-win-crt-environment-l1-1-0

  • subdirectory

    downlevel

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.exe
    "C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "api-ms-win-crt-environment-l1-1-0" /sc ONLOGON /tr "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2708
    • C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe
      "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "api-ms-win-crt-environment-l1-1-0" /sc ONLOGON /tr "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\downlevel\api-ms-win-crt-environment-l1-0-1.exe
    Filesize

    2.5MB

    MD5

    2274663e316cb349d97bb88c9923a206

    SHA1

    c4dc67a5a02f392f4bfe44bbb67f88782d161418

    SHA256

    729457597f0acf7c3e0857453d0bf93f6a4ee08274191b9946a689d8c653e98e

    SHA512

    eccca25ef71d46ccbf9febe8b9f3cc73cc4bed24bda330d02f91c80ffccdcc568ee4aec9bc0661b00c3f05c511a72b1dc1d654d02eaf9ecd5558d2b6d6095685

    Download Submit
  • C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe
    Filesize

    1.7MB

    MD5

    2c3d2e23097118ab4af1137516f696f4

    SHA1

    5818cf2461db6f15505a83e6ed8af62510a697d9

    SHA256

    9de00f3c00dc71a9e7a8a277e965a2ff286caace92fe1af6e6dd1eb34725b2b2

    SHA512

    1bab2fd214fbeebc6069d0f4d98b028e16982f7a9c430c9e119724ba0c51c76a7ad885ce7a78d06678543a6dc3f789cd190748644390180fc2e5f161323a64f4

    Download Submit
  • memory/2432-0-0x0000000001340000-0x0000000001664000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2432-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2432-2-0x000000001B630000-0x000000001B6B0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2432-8-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2868-9-0x0000000000FA0000-0x00000000012C4000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2868-10-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2868-11-0x000000001ABC0000-0x000000001AC40000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2868-12-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2868-13-0x000000001ABC0000-0x000000001AC40000-memory.dmp
    Filesize

    512KB

    Download