Analysis
- max time kernel: 157s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-01-2024 14:13
Behavioral task
- behavioral1: sample api-ms-win-crt-environment-l1-1-0.exe, resource win7-20231215-en
General
- Target: api-ms-win-crt-environment-l1-1-0.exe
- Size: 3.1MB
- MD5: 8c1e7d74c62a687a236a3262f09269d4
- SHA1: 896a403897661d3834f540a10678463f4ef4c81d
- SHA256: 9e6fa1f280864e2933528e17984bf2d448b003bda842145f34e63cc8a4b337ef
- SHA512: 85f98c7c311c224043a588180ff170290b6e5cffc78edb77cbfbc8bfc662d34b17c7f9a6a9708f769398854284b98e9d14d45229b2f74c19ce52481f4887bc24
- SSDEEP: 49152:Pv1A62jiaQDKwPFlJn3xFQsZQOdmRJ6abR3LoGdMoTHHB72eh2NT:Pve62jiaQDKwPFlJn3TQsZQOdmRJ60
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: svchost
- C2: szczurson1337.freemyip.com:63027
- Mutex: 480dd827-793e-49b8-b01d-ed2623e7d90a
Attributes
- encryption_key: 6891155C128F5ED55194A86C4A5AB7A3EE3E2C5B
- install_name: api-ms-win-crt-environment-l1-0-1.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: api-ms-win-crt-environment-l1-1-0
- subdirectory: downlevel
Signatures

Quasar payload (3 IoCs)
resource / yara_rule:
- behavioral2/memory/4684-0-0x00000000005E0000-0x0000000000904000-memory.dmp: family_quasar
- C:\Windows\System32\downlevel\api-ms-win-crt-environment-l1-0-1.exe: family_quasar
- C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe: family_quasar

Executes dropped EXE (1 IoC)
pid / process:
- 948 api-ms-win-crt-environment-l1-0-1.exe
Drops file in System32 directory (3 IoCs)
description / ioc / process:
- File created: C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe (by api-ms-win-crt-environment-l1-1-0.exe)
- File opened for modification: C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe (by api-ms-win-crt-environment-l1-1-0.exe)
- File opened for modification: C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe (by api-ms-win-crt-environment-l1-0-1.exe)
The drop location is chosen to blend in: System32\downlevel legitimately holds only api-ms-win-* DLL forwarders, and the installed copy is an .exe whose name swaps two digits of the sample's own name (l1-0-1 rather than l1-1-0), while the scheduled task is named after the original. An .exe with an API-set name in that directory is not something Windows ships.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / process:
- 5048 schtasks.exe
- 4524 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, 4684 api-ms-win-crt-environment-l1-1-0.exe
- Token: SeDebugPrivilege, 948 api-ms-win-crt-environment-l1-0-1.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / process / target process:
- PID 4684 (api-ms-win-crt-environment-l1-1-0.exe) wrote to memory of 5048 (schtasks.exe)
- PID 4684 (api-ms-win-crt-environment-l1-1-0.exe) wrote to memory of 5048 (schtasks.exe)
- PID 4684 (api-ms-win-crt-environment-l1-1-0.exe) wrote to memory of 948 (api-ms-win-crt-environment-l1-0-1.exe)
- PID 4684 (api-ms-win-crt-environment-l1-1-0.exe) wrote to memory of 948 (api-ms-win-crt-environment-l1-0-1.exe)
- PID 948 (api-ms-win-crt-environment-l1-0-1.exe) wrote to memory of 4524 (schtasks.exe)
- PID 948 (api-ms-win-crt-environment-l1-0-1.exe) wrote to memory of 4524 (schtasks.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "api-ms-win-crt-environment-l1-1-0" /sc ONLOGON /tr "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - [2] C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe
    Command line: "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "api-ms-win-crt-environment-l1-1-0" /sc ONLOGON /tr "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
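The process tree above is the whole persistence chain: the dropper copies itself into System32\downlevel under an API-set-style name, registers an ONLOGON task that runs that copy with /rl HIGHEST, and the installed copy re-registers the same task with /f. As an added example (not code from the report, from the sandbox vendor, or from Quasar), the following Python turns that pattern into detection logic over process-creation events: it parses the /create options out of schtasks command lines and scores both the task flags and the action path. The event schema (pid, ppid, image, cmdline) and SAMPLE_EVENTS are constructed for this example, modelled on the tree rather than exported from it (the first process's ppid is assumed, and the two control events are not in the report). `tokenize` is a simplified Windows argument splitter, not a full CommandLineToArgvW.

```python
# Added example, not from the report: schtasks persistence and API-set
# masquerade detection over constructed process-creation events.
import ntpath
import re

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')          # quoted span or bare word
# API-set names (api-ms-win-*, ext-ms-win-*) exist only as DLL forwarders.
_APISET_EXE_RE = re.compile(r'^(?:api|ext)-ms-win-[\w.-]*\.exe$', re.IGNORECASE)
# System32\downlevel holds those forwarders and nothing executable.
_DOWNLEVEL_RE = re.compile(r'\\windows\\system32\\downlevel\\', re.IGNORECASE)
STRONG = {"apiset_name", "downlevel_path"}
TASK_HARDENING = {"onlogon", "rl_highest", "force"}

def tokenize(cmdline):
    """Windows-style split: a quoted span is one token (enough for schtasks)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]

def parse_schtasks(cmdline):
    """Return the /create options of a schtasks command line, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"create": False, "force": False}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t == "/f":
            opts["force"] = True
        elif t in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts if opts["create"] else None

def path_tags(path):
    """Masquerade indicators for an executable path (process image or task action)."""
    tags = set()
    if _APISET_EXE_RE.match(ntpath.basename(path)):
        tags.add("apiset_name")
    if _DOWNLEVEL_RE.search(path):
        tags.add("downlevel_path")
    return tags

def assess_task(opts):
    """Persistence indicators of a parsed /create invocation."""
    tags = path_tags(opts.get("tr", ""))
    if opts.get("sc", "").upper() == "ONLOGON":
        tags.add("onlogon")
    if opts.get("rl", "").upper() == "HIGHEST":
        tags.add("rl_highest")
    if opts["force"]:
        tags.add("force")
    return tags

def scan(events):
    """One finding per suspicious event. A masquerade indicator is 'high';
    ONLOGON + HIGHEST + /f with an ordinary action is only 'medium', since
    administrators do create such tasks."""
    findings = []
    for ev in events:
        tags = path_tags(ev["image"])
        opts = parse_schtasks(ev["cmdline"])
        if opts is not None:
            tags |= assess_task(opts)
        if tags & STRONG:
            sev = "high"
        elif TASK_HARDENING <= tags:
            sev = "medium"
        else:
            continue
        findings.append({"pid": ev["pid"], "image": ev["image"],
                         "severity": sev, "tags": sorted(tags)})
    return findings

TASK_CMDLINE = (r'"schtasks" /create /tn "api-ms-win-crt-environment-l1-1-0" /sc ONLOGON '
                r'/tr "C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe" /rl HIGHEST /f')
# Constructed events modelled on the report's tree (ppid 1000 is assumed),
# plus two control events that are not in the report.
SAMPLE_EVENTS = [
    {"pid": 4684, "ppid": 1000, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.exe"',
     "image": r"C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.exe"},
    {"pid": 5048, "ppid": 4684, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMDLINE},
    {"pid": 948, "ppid": 4684, "cmdline": r'"C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe"',
     "image": r"C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe"},
    {"pid": 4524, "ppid": 948, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": TASK_CMDLINE},
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\schtasks.exe",   # benign daily task
     "cmdline": r'schtasks /create /tn Backup /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
    {"pid": 7001, "ppid": 6000, "image": r"C:\Windows\System32\schtasks.exe",   # same flags, ordinary path
     "cmdline": r'schtasks /create /tn Agent /sc ONLOGON /tr "C:\Program Files\Vendor\agent.exe" /rl HIGHEST /f'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['image']}: {', '.join(f['tags'])}")
```

The two-tier scoring matters in practice: ONLOGON plus /rl HIGHEST plus /f is exactly what vendor installers and admin scripts emit, so on its own it is only worth a medium-severity finding, whereas an .exe under an API-set name, or anything executable launched from System32\downlevel, has no legitimate source and is flagged regardless of the task flags.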
Downloads
- C:\Windows\System32\downlevel\api-ms-win-crt-environment-l1-0-1.exe
  Filesize: 381KB
  MD5: a729de68d38f7036fc7ebe307e373193
  SHA1: 3fc615557c7bfe6264f49c2e4d721ead0861ce58
  SHA256: 02de690a54dda0aacc09cfebe786fc87505c1b8125b2614025c18de67023015e
  SHA512: 750b9753abb667d9fc51f4c663d854bec0b67816f61d0a6079455bcbfe9be1537e02596bd18dc651c080d8042f62682fe6a2deb6de2b7529e38afc2d5e3c155b
- C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-0-1.exe
  Filesize: 458KB
  MD5: f5f48fe59e9cf2fe88a6fb3be5d2af4f
  SHA1: dd21fbfb811d4c8007e26ed47cf5176f015f36e2
  SHA256: c1105aeed96ddd890b79ead47cb0394f78443861511d5ce70cbbbc0b200a1a33
  SHA512: 4f042541d3d264342436b7bf5316ee5a2ee1c4db2f52338452cc6cf6eb0778b980fa7b4c38269e7805ca98e49b7c92ae24cae7ecfc1ed15fdd90874d799dc479
- memory/948-9-0x00007FFBA7B50000-0x00007FFBA8611000-memory.dmp: 10.8MB
- memory/948-11-0x0000000002F00000-0x0000000002F10000-memory.dmp: 64KB
- memory/948-12-0x000000001BBE0000-0x000000001BC30000-memory.dmp: 320KB
- memory/948-13-0x000000001C730000-0x000000001C7E2000-memory.dmp: 712KB
- memory/948-14-0x00007FFBA7B50000-0x00007FFBA8611000-memory.dmp: 10.8MB
- memory/948-15-0x0000000002F00000-0x0000000002F10000-memory.dmp: 64KB
- memory/4684-0-0x00000000005E0000-0x0000000000904000-memory.dmp: 3.1MB
- memory/4684-1-0x00007FFBA7B50000-0x00007FFBA8611000-memory.dmp: 10.8MB
- memory/4684-2-0x0000000000FD0000-0x0000000000FE0000-memory.dmp: 64KB
- memory/4684-10-0x00007FFBA7B50000-0x00007FFBA8611000-memory.dmp: 10.8MB