Analysis
max time kernel: 143s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 18:23

Behavioral task: behavioral1
Sample: Solara.exe
Resource: win7-20240729-en
General
Target: Solara.exe
Size: 3.1MB
MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Tag (Quasar campaign/group label): Office04
C2: nohchy-47404.portmap.host:47404
Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
install_name: SolaraExecutor.exe
log_directory: Logs
reconnect_delay: 2000 (milliseconds between reconnect attempts)
startup_key: RtkAudUService64
subdirectory: SubDir

How these fields surface on the host: startup_key is the name of the scheduled task the client registers for persistence, and subdirectory\install_name is the file it drops (here under C:\Windows\system32\SubDir\, see the Signatures and Processes sections). The task name imitates a Realtek audio service to blend in with legitimate autostart entries. The C2 is a portmap.host port-forwarding hostname (the forwarded port, 47404, is repeated in the first label), so the hostname, not the IP it resolves to, is the durable network indicator.
Signatures

Quasar payload (10 IoCs)
YARA rule family_quasar matched on:
- behavioral1/memory/2544-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp
- C:\Windows\System32\SubDir\SolaraExecutor.exe
- behavioral1/memory/2300-9-0x00000000000B0000-0x00000000003D4000-memory.dmp
- behavioral1/memory/2720-22-0x0000000000240000-0x0000000000564000-memory.dmp
- behavioral1/memory/2344-33-0x00000000009C0000-0x0000000000CE4000-memory.dmp
- behavioral1/memory/992-56-0x0000000000E40000-0x0000000001164000-memory.dmp
- behavioral1/memory/2804-89-0x0000000001170000-0x0000000001494000-memory.dmp
- behavioral1/memory/2696-100-0x0000000001190000-0x00000000014B4000-memory.dmp
- behavioral1/memory/2400-144-0x0000000001230000-0x0000000001554000-memory.dmp
- behavioral1/memory/2864-167-0x0000000001370000-0x0000000001694000-memory.dmp

Executes dropped EXE (15 IoCs)
SolaraExecutor.exe, PIDs: 2300, 2720, 2344, 1120, 992, 1700, 1636, 2804, 2696, 2996, 2076, 1212, 2400, 2452, 2864

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\system32\SubDir\SolaraExecutor.exe (by Solara.exe)
- File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe (by Solara.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE, PIDs: 3028, 2252, 2932, 2964, 540, 2356, 2668, 2688, 2960, 2584, 2412, 2500, 2152, 2020, 2084
Caveat: every ping in this run is "ping -n 10 localhost" (see the process tree). That is a sleep of roughly nine seconds before the relaunch, not a connectivity probe, so the ATT&CK label overstates what the sample does here.

Runs ping.exe (1 TTP, 15 IoCs)
PING.EXE, PIDs: 2668, 3028, 2932, 540, 2020, 2252, 2500, 2152, 2356, 2688, 2584, 2084, 2412, 2964, 2960 (the same 15 processes as above)

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe, PIDs: 2768, 2892, 3004, 2128, 676, 2808, 2264, 980, 1012, 876, 2696, 1464, 2604, 2180, 1192, 3032
All 16 invocations create the same task: /tn "RtkAudUService64" /sc ONLOGON /rl HIGHEST /f, pointing at C:\Windows\system32\SubDir\SolaraExecutor.exe. Re-creating it on every start is how the client heals a deleted task.

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token SeDebugPrivilege enabled by: Solara.exe (PID 2544); SolaraExecutor.exe (PIDs 2300, 2720, 2344, 1120, 992, 1700, 1636, 2804, 2696, 2996, 2076, 1212, 2400, 2452, 2864)

Suspicious use of FindShellTrayWindow (15 IoCs)
SolaraExecutor.exe, PIDs: 2300, 2720, 2344, 1120, 992, 1700, 1636, 2804, 2696, 2996, 2076, 1212, 2400, 2452, 2864

Suspicious use of SendNotifyMessage (15 IoCs)
SolaraExecutor.exe, PIDs: 2300, 2720, 2344, 1120, 992, 1700, 1636, 2804, 2696, 2996, 2076, 1212, 2400, 2452, 2864

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child pair is recorded three times in the report; the pairs are listed once below with their event count. The list stops at 64 events, so the final pair shows only one.
- 2544 Solara.exe -> 2264 schtasks.exe (3 events)
- 2544 Solara.exe -> 2300 SolaraExecutor.exe (3 events)
- 2300 SolaraExecutor.exe -> 2768 schtasks.exe (3 events)
- 2300 SolaraExecutor.exe -> 2940 cmd.exe (3 events)
- 2940 cmd.exe -> 2808 chcp.com (3 events)
- 2940 cmd.exe -> 2688 PING.EXE (3 events)
- 2940 cmd.exe -> 2720 SolaraExecutor.exe (3 events)
- 2720 SolaraExecutor.exe -> 2696 schtasks.exe (3 events)
- 2720 SolaraExecutor.exe -> 2500 cmd.exe (3 events)
- 2500 cmd.exe -> 1376 chcp.com (3 events)
- 2500 cmd.exe -> 2584 PING.EXE (3 events)
- 2500 cmd.exe -> 2344 SolaraExecutor.exe (3 events)
- 2344 SolaraExecutor.exe -> 2892 schtasks.exe (3 events)
- 2344 SolaraExecutor.exe -> 2960 cmd.exe (3 events)
- 2960 cmd.exe -> 3000 chcp.com (3 events)
- 2960 cmd.exe -> 2084 PING.EXE (3 events)
- 2960 cmd.exe -> 1120 SolaraExecutor.exe (3 events)
- 1120 SolaraExecutor.exe -> 1464 schtasks.exe (3 events)
- 1120 SolaraExecutor.exe -> 2220 cmd.exe (3 events)
- 2220 cmd.exe -> 3068 chcp.com (3 events)
- 2220 cmd.exe -> 3028 PING.EXE (3 events)
- 2220 cmd.exe -> 992 SolaraExecutor.exe (1 event, list truncated)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the nesting depth from the report, the image path, the PID, the command line and the signatures matched on that process. The tree is one cycle repeated fifteen times: SolaraExecutor.exe re-creates the scheduled task, then runs a randomly named .bat from the user's Temp directory which sets code page 65001, sleeps with "ping -n 10 localhost" and relaunches SolaraExecutor.exe, which starts the cycle again one level deeper.

[depth 1] C:\Users\Admin\AppData\Local\Temp\Solara.exe  PID 2544
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\system32\schtasks.exe  PID 2264
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 2] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2300
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\system32\schtasks.exe  PID 2768
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 3] C:\Windows\system32\cmd.exe  PID 2940
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat" "
  signatures: Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\chcp.com  PID 2808
  cmdline: chcp 65001
[depth 4] C:\Windows\system32\PING.EXE  PID 2688
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 4] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2720
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\system32\schtasks.exe  PID 2696
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 5] C:\Windows\system32\cmd.exe  PID 2500
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat" "
  signatures: Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\chcp.com  PID 1376
  cmdline: chcp 65001
[depth 6] C:\Windows\system32\PING.EXE  PID 2584
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 6] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2344
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\system32\schtasks.exe  PID 2892
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 7] C:\Windows\system32\cmd.exe  PID 2960
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat" "
  signatures: Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\chcp.com  PID 3000
  cmdline: chcp 65001
[depth 8] C:\Windows\system32\PING.EXE  PID 2084
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 8] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 1120
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\system32\schtasks.exe  PID 1464
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 9] C:\Windows\system32\cmd.exe  PID 2220
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat" "
  signatures: Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\chcp.com  PID 3068
  cmdline: chcp 65001
[depth 10] C:\Windows\system32\PING.EXE  PID 3028
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 10] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 992
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 11] C:\Windows\system32\schtasks.exe  PID 980
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 11] C:\Windows\system32\cmd.exe  PID 912
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat" "
[depth 12] C:\Windows\system32\chcp.com  PID 1580
  cmdline: chcp 65001
[depth 12] C:\Windows\system32\PING.EXE  PID 2252
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 12] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 1700
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 13] C:\Windows\system32\schtasks.exe  PID 1012
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 13] C:\Windows\system32\cmd.exe  PID 1696
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat" "
[depth 14] C:\Windows\system32\chcp.com  PID 1432
  cmdline: chcp 65001
[depth 14] C:\Windows\system32\PING.EXE  PID 2412
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 14] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 1636
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 15] C:\Windows\system32\schtasks.exe  PID 876
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 15] C:\Windows\system32\cmd.exe  PID 2448
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat" "
[depth 16] C:\Windows\system32\chcp.com  PID 948
  cmdline: chcp 65001
[depth 16] C:\Windows\system32\PING.EXE  PID 2932
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 16] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2804
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 17] C:\Windows\system32\schtasks.exe  PID 2808
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 17] C:\Windows\system32\cmd.exe  PID 2644
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat" "
[depth 18] C:\Windows\system32\chcp.com  PID 2660
  cmdline: chcp 65001
[depth 18] C:\Windows\system32\PING.EXE  PID 2964
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 18] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2696
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 19] C:\Windows\system32\schtasks.exe  PID 2604
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 19] C:\Windows\system32\cmd.exe  PID 2528
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat" "
[depth 20] C:\Windows\system32\chcp.com  PID 2524
  cmdline: chcp 65001
[depth 20] C:\Windows\system32\PING.EXE  PID 2500
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 20] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2996
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 21] C:\Windows\system32\schtasks.exe  PID 3004
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 21] C:\Windows\system32\cmd.exe  PID 3056
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat" "
[depth 22] C:\Windows\system32\chcp.com  PID 2508
  cmdline: chcp 65001
[depth 22] C:\Windows\system32\PING.EXE  PID 2960
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 22] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2076
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 23] C:\Windows\system32\schtasks.exe  PID 2180
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 23] C:\Windows\system32\cmd.exe  PID 2164
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat" "
[depth 24] C:\Windows\system32\chcp.com  PID 2308
  cmdline: chcp 65001
[depth 24] C:\Windows\system32\PING.EXE  PID 2152
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 24] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 1212
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 25] C:\Windows\system32\schtasks.exe  PID 1192
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 25] C:\Windows\system32\cmd.exe  PID 2380
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat" "
[depth 26] C:\Windows\system32\chcp.com  PID 1308
  cmdline: chcp 65001
[depth 26] C:\Windows\system32\PING.EXE  PID 540
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 26] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2400
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 27] C:\Windows\system32\schtasks.exe  PID 2128
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 27] C:\Windows\system32\cmd.exe  PID 1428
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat" "
[depth 28] C:\Windows\system32\chcp.com  PID 1284
  cmdline: chcp 65001
[depth 28] C:\Windows\system32\PING.EXE  PID 2020
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 28] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2452
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 29] C:\Windows\system32\schtasks.exe  PID 676
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 29] C:\Windows\system32\cmd.exe  PID 2928
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat" "
[depth 30] C:\Windows\system32\chcp.com  PID 1616
  cmdline: chcp 65001
[depth 30] C:\Windows\system32\PING.EXE  PID 2356
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[depth 30] C:\Windows\system32\SubDir\SolaraExecutor.exe  PID 2864
  cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[depth 31] C:\Windows\system32\schtasks.exe  PID 3032
  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
[depth 31] C:\Windows\system32\cmd.exe  PID 2016
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat" "
[depth 32] C:\Windows\system32\chcp.com  PID 2072
  cmdline: chcp 65001
[depth 32] C:\Windows\system32\PING.EXE  PID 2668
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
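The two behaviours worth detecting from the tree above are the task creation (name from the config's startup_key, target subdirectory\install_name under System32, ONLOGON trigger, HIGHEST run level, forced overwrite) and the restart script (cmd.exe running a Temp .bat whose children are chcp.com, a localhost ping used as a sleep, and a relaunch of cmd's own parent image). The following is an added example, not part of the sandbox report or of Quasar: it runs those two checks over constructed process-creation events copied from the first cycle of the tree. The four-field event schema, ppid=0 for processes whose parent the report does not show, and the trailing benign "Backup" task are assumptions for the demonstration; Sysmon Event ID 1 or EDR telemetry maps onto the same fields.

```python
import re
from collections import defaultdict

# Constructed events mirroring the first relaunch cycle above (PIDs, images
# and command lines copied from the report). Schema, ppid=0 for the root and
# the final benign "Backup" task are assumptions for this demonstration.
SYS32 = r"C:\Windows\system32"
EXECUTOR = SYS32 + r"\SubDir\SolaraExecutor.exe"
SCHTASKS_CMD = (r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
                r'/tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f')
EVENTS = [
    {"pid": 2544, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\Solara.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Solara.exe"'},
    {"pid": 2264, "ppid": 2544, "image": SYS32 + r"\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 2300, "ppid": 2544, "image": EXECUTOR, "cmdline": f'"{EXECUTOR}"'},
    {"pid": 2768, "ppid": 2300, "image": SYS32 + r"\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 2940, "ppid": 2300, "image": SYS32 + r"\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat" "'},
    {"pid": 2808, "ppid": 2940, "image": SYS32 + r"\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2688, "ppid": 2940, "image": SYS32 + r"\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2720, "ppid": 2940, "image": EXECUTOR, "cmdline": f'"{EXECUTOR}"'},
    {"pid": 4100, "ppid": 0, "image": SYS32 + r"\schtasks.exe",  # constructed benign control
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
_PING = re.compile(r"-n\s+(\d+)\s+localhost", re.I)
_BAT = re.compile(r'"([^"]+\.bat)"', re.I)


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted runs whole and dropping the
    quotes. Backslashes are left alone (unlike shlex in POSIX mode)."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in _TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Map 'schtasks /create ...' to {option: value or True}; None otherwise."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts if "create" in opts else None


def schtasks_reasons(opts):
    """Heuristics separating the observed persistence from routine tasks."""
    reasons, target = [], str(opts.get("tr", ""))
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    if str(opts.get("sc", "")).upper() == "ONLOGON":
        reasons.append("ONLOGON trigger")
    marker = "\\windows\\system32\\"
    if marker in target.lower() and "\\" in target.lower().split(marker, 1)[1]:
        reasons.append("target in a System32 subdirectory")
    tn = str(opts.get("tn", ""))
    if tn and basename(target).rsplit(".", 1)[0] != tn.lower():
        reasons.append("task name does not match target basename")
    if opts.get("f") is True:
        reasons.append("/f silently overwrites an existing task")
    return reasons


def schtasks_findings(events):
    out = []
    for ev in events:
        opts = parse_schtasks(ev["cmdline"])
        reasons = schtasks_reasons(opts) if opts else []
        if reasons:
            out.append({"pid": ev["pid"], "task": opts.get("tn"), "reasons": reasons})
    return out


def relaunch_chains(events):
    """cmd.exe running a Temp .bat whose children are chcp.com, a localhost
    ping (a sleep of roughly N-1 seconds) and an executable; flags whether
    that executable is cmd's own parent image, i.e. a self-restart."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    out = []
    for cmd in events:
        bat = _BAT.search(cmd["cmdline"]) if basename(cmd["image"]) == "cmd.exe" else None
        if not bat or "\\appdata\\local\\temp\\" not in bat.group(1).lower():
            continue
        kids = children[cmd["pid"]]
        names = {basename(k["image"]) for k in kids}
        pings = [m for m in (_PING.search(k["cmdline"]) for k in kids
                             if basename(k["image"]) == "ping.exe") if m]
        exes = [k for k in kids if basename(k["image"]).endswith(".exe")
                and basename(k["image"]) != "ping.exe"]
        if "chcp.com" in names and pings and exes:
            parent = by_pid.get(cmd["ppid"])
            out.append({"cmd_pid": cmd["pid"], "batch": bat.group(1),
                        "ping_count": int(pings[0].group(1)), "relaunched": exes[0]["image"],
                        "relaunches_parent": parent is not None
                        and parent["image"].lower() == exes[0]["image"].lower()})
    return out


if __name__ == "__main__":
    for f in schtasks_findings(EVENTS):
        print("schtasks PID", f["pid"], f["task"], "->", "; ".join(f["reasons"]))
    for c in relaunch_chains(EVENTS):
        print("restart chain PID", c["cmd_pid"], c["batch"], "->", c["relaunched"], c)
```

On the constructed events both schtasks calls (PIDs 2264 and 2768) trip all five heuristics while the daily Backup task trips none, and the single restart chain is reported as relaunching its parent image after a ten-count ping. In production, key the relaunch check on parent/child relationships rather than on the .bat name, which is random per cycle, and treat a task name that matches a vendor service but points outside that vendor's directory as the strongest single signal.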
Network
MITRE ATT&CK Enterprise v15
Downloads
Fifteen 204-byte files (the count matches the fifteen .bat scripts run from Temp in the process tree), one 3.1MB file whose digests equal the submitted sample, and one entry whose digests are those of zero-byte input.

- Filesize: 204B
  MD5: 2e28037f8280fa9cf37b1dcf113426f0
  SHA1: 02138c5465618b6d895e8cf7cf02d7fc71193435
  SHA256: 36b86a7e6b946f856d983d8c298e0ce03d7298be15b2b10d098eb027f81d14c6
  SHA512: 8bc3e3dd8caf5e8b0b90907ab090c8fccd1e0b6d46a15cb491072edbac1992f698946364190f29d6fb8149ad4e0e827b74a5bd33b1d72d886d08dd1f4ed323a8
- Filesize: 204B
  MD5: 4028c31e6a2f0fd3d0bbbadedd6360ac
  SHA1: 7ca6c6bc84d0ad92a11eeb1d29e082871dce1d03
  SHA256: db3556d82c5549a768e55aa0ebd7031ccce49b28eaa8bbfcb4d726e8c0bbbfb8
  SHA512: 1204d42c4a5a0c963a77553f2a90b0d5aae377ed14bb4e7fa949298b697cb33386517da3ae2e875cf3d05f69c5e9a883317a57782ba65a4ac83bf2dd49a657fd
- Filesize: 204B
  MD5: 0f5d72c64a86ea20b6f168f6b54fe657
  SHA1: c9696f4f041e9310f9bee98ae134c04d4ff61065
  SHA256: d2f3e17ab4cd9a7c14e206d9e564412df154e1f307237205ac55d824ebef9fa5
  SHA512: ab3ee8e9a50bee54af7ffb2f28c0cefb1622ea355b2feabaefd170a4642655598d5a83b5672d25db15ce98860f74f371de9c0c3c88198ea86e0aca6f13024e20
- Filesize: 204B
  MD5: 961eb5afc72e3107a5db40e4485a7a1f
  SHA1: 14589ec416210482a392e4dec315fd6cf7fcf505
  SHA256: a5f8b777c40dfbfbcdc91c9c14ac9e390cc6c0b188724d9f6eab0bfa6282ec4c
  SHA512: c11b555be400e849e7bacdec9c2a58ebadca1cc8f15359a032ebc3d622d1cdd6e5d127de29898dcc39de6d0ff28c5f9e905940c15a7aadbd1380bb0e24f31da9
- Filesize: 204B
  MD5: 0e40bfca38e6d18f0741ab7e481913b4
  SHA1: 48dd4e38353e0fa4b150c375cc0eb5d3f99c9320
  SHA256: 43816504e5fb1efcb51f7ac58e2de20df9ba9e7fd84de2a41838ae3f4495da4d
  SHA512: efd34d3734de0d9938c5ee8f837a032a86a40b0605f73bf7c213f0633dfa43c34c835c7a9cc3316932488c6d7858e634047944ad4217b3d4bc65b1b75e9d18f9
- Filesize: 204B
  MD5: c81e29311a100e26e92a8947844fbe21
  SHA1: fb4aa1f97e3218a17637854d27253c2131c4c8be
  SHA256: 6905ee241e9379c31c13eaa8e5724ae2e4ac646786a5eac2da6c53e4fd16701a
  SHA512: e12ec3c717e38ceb2e7fecdfa67b3cd66e40721f775330966765574a74125ae3333572fa429b0545e4f8a28ed86c066e12a341eb8849fa4c7e61c62dce7be4b4
- Filesize: 204B
  MD5: 18d19f99185c50ffad2cc72c52279adb
  SHA1: a589fe9326e8dea1add7b254ac5feb83277b59ad
  SHA256: 9a861564c260c9a2bc3df68f9a83970eb5018a4b2abce05228645ff778ba43ce
  SHA512: 2d02808808ee90ac679e1ecb0895651506ed0740b16f7b0d9158d541e3ed9452844c52c7b71ece26e1701ce4ab388937747eb490cb350f1e6c3286207d44434b
- Filesize: 204B
  MD5: 1e904951402540594e3973b60be84f3a
  SHA1: 1bb8916e0f09b68ddf27908a4126a2d96cfac2fe
  SHA256: f33dbd16664e0b8431c7d54633de6670bca32066b96f92c5707bd023de154c03
  SHA512: 3cccca5195e06369e3e8848b93e90ca21d7dfb1ae1c5306911d21cc124a0095bad876ccfd2c2f58a589b0d42dccea6026da4986c57b0f0a9ea81e8c5ea432b1a
- Filesize: 204B
  MD5: 58df4c494ab48a771825a368b5a12f4b
  SHA1: 523ff1b181e92e857ece5a06d2841647c89819cf
  SHA256: 1bac8ff9b514d4a1495076495a4b78731d89c90cff77b7507e0bd0afac1d8e64
  SHA512: 5ac08d05e409bef784ec14deb9c6b26087fcb1c939e79f6846d42fbbfb6622c510212932159d8f0b6ea7e635dc1f76a4e5f286125bfb06dcada472787bb21e5f
- Filesize: 204B
  MD5: 0aac68b6281df08809fe0f9d6e8f359b
  SHA1: c3e46dfdcb85dcf0dd707c6b458ebde0e39274ea
  SHA256: e10ca01e6e9463e6cb7004d5df6af9c63adf39f14dd76bfddcd76cc5fcef1ea2
  SHA512: 5c8eb8b4ebc3fc715e47fcdd12263264c9976f9fa74e99ab526a4273694290ce9e2ccbba2abff7d35c6dcd8db67638d01cd344275d9f5b70b8de1129946defcc
- Filesize: 204B
  MD5: 9d4d839443bc9078e7fa3fd0b4051b66
  SHA1: 4a8f6c5a81cb06abf977d38164f7fe614791d5a1
  SHA256: 437319723ee9d8c1aa816a1bae7b88220480756578193fee7b65f8375297f6df
  SHA512: 66682df9cb6244125b5301c75f6a93a4d7dd0f39989993bff172dc815cfa49461509ba00bd57acaabddd75078be4336e3683a580fabaf1af0861fa3cce7b0245
- Filesize: 204B
  MD5: efc7cfd002840a3cdac8d326ae41f201
  SHA1: f27ecdfa6575f33265a646c0377a4428e80ce093
  SHA256: 1e296a914457f8611b349e35df9f442dbe0d13710854be6493178d4f55221917
  SHA512: ce39d7c38517f51ef41be12ab0f738d3bcb7558a3d5d982eb21d742f9fd41797ca69c86f5a02d4ce8d2f327355fcf7be6bbb48319abbe2222d4039ca5f0af1b6
- Filesize: 204B
  MD5: 5f01ec163e2840ef44aa8910e6e7945c
  SHA1: 1bbed0d1cac33db7734ca745f7d20593f0ba669b
  SHA256: 2d7482c76bca3ca62883c0987c98667cbf4042a92f653acfdc56298c19d65948
  SHA512: 49567b6501645b67e05af9e76e4fc34192928d3b0d2b5be8c42401a44e589b92f0c931adc19424ac675fd8c2a6b6f4918fbc61fe8a9353f86711e7992e6e292f
- Filesize: 204B
  MD5: 8654d987fae705fc8e04b2b60b8003fc
  SHA1: 6e451129ee730a78948439fd510bfbfb4513cb72
  SHA256: 78fceb7e52ed6aa1c212d3362163ed1c5a0a159cea804d5c36b8c78addec3d99
  SHA512: 432784146bd245ead560d229dd841f27bf641f2b6eb7227b38fb916933b1b85b510fe2606a5225918110994abc98b6d4c33a9b1241792795c57f307a204597fd
- Filesize: 204B
  MD5: 498abdf9157efb2e0571d2ba1da7e0f0
  SHA1: 177a22f8a12f6b527183183c8ec80fa330628293
  SHA256: 9f555f7885848764c33e01ff99b236a1fcac13edef71003e9fe2c9df296b1f83
  SHA512: f99cf4dcfd413d452f152ef1f59a46a4939b4d05d61d3ca99df81accd98666a5535d342a726d2593fb9c2012ce7e56d31127ed5641de5fb1d30c789bae382b51
- Filesize: 3.1MB (size and all four digests identical to the submitted Solara.exe, so the dropped copy is byte-for-byte the same file)
  MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
  SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
  SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
  SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- Filesize: not given (these are the well-known digests of zero-byte input, i.e. an empty file; they carry no indicator value)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
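Before a list like the one above goes into a blocklist it needs three checks: the digest lengths must match their algorithm (a truncated hash silently matches nothing), the empty-file digests must be dropped, and copies of the submitted sample must be separated from genuinely new artifacts. The following is an added example, not part of the sandbox report: it parses a constructed excerpt of the Downloads list in the fused "LABELhex" form the extraction produced, recomputes the zero-byte digests with hashlib instead of hard-coding them, and tags each record. The excerpt, the record schema and the tag strings are assumptions for the demonstration.

```python
import hashlib
import re

# Constructed excerpt of the Downloads list above, kept in the fused
# "LABELhex" form the extraction produced: one batch file, the dropped
# executable, and the trailing entry that has no size. Any label/digest dump
# in the same shape (label alone on a line, or fused with its hex) parses.
RAW = """\
Filesize
204B
MD52e28037f8280fa9cf37b1dcf113426f0
SHA102138c5465618b6d895e8cf7cf02d7fc71193435
SHA25636b86a7e6b946f856d983d8c298e0ce03d7298be15b2b10d098eb027f81d14c6
-
Filesize
3.1MB
MD53cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA2566aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
SAMPLE_SHA256 = "6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf"

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_LABEL = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)$")


def digests(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


EMPTY = digests(b"")  # recomputed, not hard-coded: the digests of zero bytes


def parse_downloads(text: str) -> list:
    """Split the list into records {'size', 'md5', 'sha1', ...}. A label may be
    fused with its digest or stand alone with the digest on the next line;
    every digest is length-checked so a truncated hash raises instead of
    becoming a dead indicator."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records, cur, i = [], {}, 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur:
                records.append(cur)
            cur = {}
        elif line == "Filesize" and i + 1 < len(lines):
            i += 1
            cur["size"] = lines[i]
        elif (m := _LABEL.match(line)):
            algo, hexd = m.group(1).lower(), m.group(2)
            if not hexd and i + 1 < len(lines):
                i += 1
                hexd = lines[i]
            if len(hexd) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo}: expected {DIGEST_LEN[algo]} hex chars, got {len(hexd)}")
            cur[algo] = hexd.lower()
        i += 1
    if cur:
        records.append(cur)
    return records


def is_empty_file(rec: dict) -> bool:
    """True when every digest present is the digest of zero bytes."""
    present = [a for a in DIGEST_LEN if a in rec]
    return bool(present) and all(rec[a] == EMPTY[a] for a in present)


def triage(text: str, sample_sha256: str) -> list:
    """Tag each record as noise (zero-byte), a copy of the submitted sample,
    or a new artifact worth adding to a blocklist."""
    out = []
    for rec in parse_downloads(text):
        if is_empty_file(rec):
            tag = "zero-byte file (no IOC value)"
        elif rec.get("sha256") == sample_sha256.lower():
            tag = "identical to submitted sample"
        else:
            tag = "new artifact"
        out.append((rec.get("size"), rec.get("sha256"), tag))
    return out


if __name__ == "__main__":
    for size, sha256, tag in triage(RAW, SAMPLE_SHA256):
        print(f"{size or '-':>6}  {sha256}  {tag}")
```

Run against the excerpt, the 204-byte batch file is the only new artifact, the 3.1MB record is flagged as the sample itself, and the last record is discarded as an empty file. Feeding the full list above through the same function leaves fifteen batch-file hashes as the candidate indicators; since each batch script has a different digest, the process-tree pattern in the previous example is the more durable detection, and the hashes are best kept for retro-hunting.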