Analysis Overview
SHA256
bc1bee5bf891b3cb91c8e74927634250aaa9f2fed3bb3c965e6106f34e5cc54b
Threat Level: Known bad
The file Solara.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 23:05
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 23:05
Reported
2024-07-31 23:08
Platform
win10-20240404-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1008 wrote to memory of 3712 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 1008 wrote to memory of 3712 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 10.2.0.2:4782 | | tcp |
| N/A | 10.2.0.2:4782 | | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| N/A | 10.2.0.2:4782 | | tcp |
| N/A | 10.2.0.2:4782 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| N/A | 10.2.0.2:4782 | | tcp |
| N/A | 10.2.0.2:4782 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| N/A | 10.2.0.2:4782 | | tcp |
Files
memory/1008-0-0x00007FFA0B5C3000-0x00007FFA0B5C4000-memory.dmp
memory/1008-1-0x0000000000470000-0x0000000000794000-memory.dmp
memory/1008-2-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| Hash | Value |
|---|---|
| MD5 | 18f4ed548b5f7d78671bb4ab4bc3affb |
| SHA1 | 62fc7cdc7d84cc52147f7782f5dd28616bee09fd |
| SHA256 | bc1bee5bf891b3cb91c8e74927634250aaa9f2fed3bb3c965e6106f34e5cc54b |
| SHA512 | b5ed744f47b97ec7a0bc224f50035da9e9424a8f1820763ff650e384c0acc251ac28b50f5bc0fa5b787b9795709a37ca082d5dc649cade7990a1ca6fe8e6f153 |
memory/3712-9-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
memory/1008-8-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
memory/3712-10-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
memory/3712-11-0x000000001B660000-0x000000001B6B0000-memory.dmp
memory/3712-12-0x000000001BB40000-0x000000001BBF2000-memory.dmp
memory/3712-13-0x000000001C330000-0x000000001C856000-memory.dmp
memory/3712-20-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp
memory/3712-21-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp