Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-08-2024 18:23
Behavioral task: behavioral1
- Sample: Solara.exe
- Resource: win7-20240729-en
General
- Target: Solara.exe
- Size: 3.1MB
- MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
- SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
- SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
- SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: nohchy-47404.portmap.host:47404
- Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
- encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
- install_name: SolaraExecutor.exe
- log_directory: Logs
- reconnect_delay: 2000
- startup_key: RtkAudUService64
- subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2860-1-0x0000000000930000-0x0000000000C54000-memory.dmp | family_quasar
  C:\Windows\System32\SubDir\SolaraExecutor.exe | family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | SolaraExecutor.exe
  (15 identical entries, one per SolaraExecutor.exe instance)

Executes dropped EXE (15 IoCs)
  pid | process
  2636 | SolaraExecutor.exe
  3176 | SolaraExecutor.exe
  3080 | SolaraExecutor.exe
  2660 | SolaraExecutor.exe
  1464 | SolaraExecutor.exe
  3336 | SolaraExecutor.exe
  3592 | SolaraExecutor.exe
  2756 | SolaraExecutor.exe
  1564 | SolaraExecutor.exe
  2848 | SolaraExecutor.exe
  2920 | SolaraExecutor.exe
  860 | SolaraExecutor.exe
  2412 | SolaraExecutor.exe
  3532 | SolaraExecutor.exe
  2260 | SolaraExecutor.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | Solara.exe
  File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | Solara.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | process
  1788 | PING.EXE
  3532 | PING.EXE
  4692 | PING.EXE
  2200 | PING.EXE
  4696 | PING.EXE
  2044 | PING.EXE
  960 | PING.EXE
  1004 | PING.EXE
  5076 | PING.EXE
  3768 | PING.EXE
  3268 | PING.EXE
  1208 | PING.EXE
  4856 | PING.EXE
  4208 | PING.EXE
  4780 | PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
  pid | process
  3532 | PING.EXE
  5076 | PING.EXE
  4692 | PING.EXE
  4696 | PING.EXE
  4780 | PING.EXE
  3768 | PING.EXE
  960 | PING.EXE
  4208 | PING.EXE
  1788 | PING.EXE
  3268 | PING.EXE
  2044 | PING.EXE
  1004 | PING.EXE
  4856 | PING.EXE
  2200 | PING.EXE
  1208 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  432 | schtasks.exe
  2880 | schtasks.exe
  1748 | schtasks.exe
  2708 | schtasks.exe
  1248 | schtasks.exe
  4412 | schtasks.exe
  5064 | schtasks.exe
  5044 | schtasks.exe
  2044 | schtasks.exe
  4008 | schtasks.exe
  2848 | schtasks.exe
  3800 | schtasks.exe
  2704 | schtasks.exe
  1140 | schtasks.exe
  3664 | schtasks.exe
  5100 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2860 | Solara.exe
  Token: SeDebugPrivilege | 2636 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 3176 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 3080 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 2660 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 1464 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 3336 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 3592 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 2756 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 1564 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 2848 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 2920 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 860 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 2412 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 3532 | SolaraExecutor.exe
  Token: SeDebugPrivilege | 2260 | SolaraExecutor.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
  pid | process
  2636, 3176, 3080, 2660, 1464, 3336, 3592, 2756, 1564, 2848, 2920, 860, 2412, 3532, 2260 | SolaraExecutor.exe (one entry per pid)

Suspicious use of SendNotifyMessage (15 IoCs)
  pid | process
  2636, 3176, 3080, 2660, 1464, 3336, 3592, 2756, 1564, 2848, 2920, 860, 2412, 3532, 2260 | SolaraExecutor.exe (one entry per pid)

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row below appears twice in the report (two write events per pair), giving 64 entries.
  source pid | target pid | source process | target process
  2860 | 1140 | Solara.exe | schtasks.exe
  2860 | 2636 | Solara.exe | SolaraExecutor.exe
  2636 | 2848 | SolaraExecutor.exe | schtasks.exe
  2636 | 1472 | SolaraExecutor.exe | cmd.exe
  1472 | 5044 | cmd.exe | chcp.com
  1472 | 1208 | cmd.exe | PING.EXE
  1472 | 3176 | cmd.exe | SolaraExecutor.exe
  3176 | 5064 | SolaraExecutor.exe | schtasks.exe
  3176 | 3144 | SolaraExecutor.exe | cmd.exe
  3144 | 4052 | cmd.exe | chcp.com
  3144 | 1004 | cmd.exe | PING.EXE
  3144 | 3080 | cmd.exe | SolaraExecutor.exe
  3080 | 3664 | SolaraExecutor.exe | schtasks.exe
  3080 | 3420 | SolaraExecutor.exe | cmd.exe
  3420 | 1896 | cmd.exe | chcp.com
  3420 | 4856 | cmd.exe | PING.EXE
  3420 | 2660 | cmd.exe | SolaraExecutor.exe
  2660 | 5100 | SolaraExecutor.exe | schtasks.exe
  2660 | 216 | SolaraExecutor.exe | cmd.exe
  216 | 1596 | cmd.exe | chcp.com
  216 | 4208 | cmd.exe | PING.EXE
  216 | 1464 | cmd.exe | SolaraExecutor.exe
  1464 | 5044 | SolaraExecutor.exe | schtasks.exe
  1464 | 4388 | SolaraExecutor.exe | cmd.exe
  4388 | 1440 | cmd.exe | chcp.com
  4388 | 1788 | cmd.exe | PING.EXE
  4388 | 3336 | cmd.exe | SolaraExecutor.exe
  3336 | 432 | SolaraExecutor.exe | schtasks.exe
  3336 | 1208 | SolaraExecutor.exe | cmd.exe
  1208 | 4932 | cmd.exe | chcp.com
  1208 | 4780 | cmd.exe | PING.EXE
  1208 | 3592 | cmd.exe | SolaraExecutor.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (depth is the nesting level in the tree; each process is listed after its parent, with its command line, PID and triggered signatures):

[depth 1] C:\Users\Admin\AppData\Local\Temp\Solara.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  PID: 2860
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 1140
  - Scheduled Task/Job: Scheduled Task
[depth 2] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2636
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 2848
  - Scheduled Task/Job: Scheduled Task
[depth 3] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0TifzbZREaaA.bat" "
  PID: 1472
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 5044
[depth 4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1208
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 4] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 3176
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 5064
  - Scheduled Task/Job: Scheduled Task
[depth 5] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVHNKoo84m7I.bat" "
  PID: 3144
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 4052
[depth 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1004
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 6] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 3080
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 3664
  - Scheduled Task/Job: Scheduled Task
[depth 7] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCNZObr3IZBE.bat" "
  PID: 3420
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1896
[depth 8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 4856
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 8] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2660
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 5100
  - Scheduled Task/Job: Scheduled Task
[depth 9] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eDVmalsg2rlK.bat" "
  PID: 216
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1596
[depth 10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 4208
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 10] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 1464
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 5044
  - Scheduled Task/Job: Scheduled Task
[depth 11] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aNYJFrQrZNuu.bat" "
  PID: 4388
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1440
[depth 12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 1788
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 12] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 3336
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 432
  - Scheduled Task/Job: Scheduled Task
[depth 13] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lF9Kh7HXrNpT.bat" "
  PID: 1208
  - Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 4932
[depth 14] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 4780
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 14] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 3592
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 15] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 2880
  - Scheduled Task/Job: Scheduled Task
[depth 15] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ajD1xA4nKR2F.bat" "
  PID: 1072
[depth 16] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 996
[depth 16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 3532
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 16] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2756
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 17] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 1748
  - Scheduled Task/Job: Scheduled Task
[depth 17] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCi1ZImwhHMm.bat" "
  PID: 1252
[depth 18] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1600
[depth 18] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 5076
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 18] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 1564
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 19] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 2044
  - Scheduled Task/Job: Scheduled Task
[depth 19] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HW3c7NlhGQZx.bat" "
  PID: 1596
[depth 20] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2188
[depth 20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 3768
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 20] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2848
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 21] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 3800
  - Scheduled Task/Job: Scheduled Task
[depth 21] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l5XCbTtHrfaJ.bat" "
  PID: 392
[depth 22] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3464
[depth 22] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 4692
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 22] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2920
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 23] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 2708
  - Scheduled Task/Job: Scheduled Task
[depth 23] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHqIkVX9LdFh.bat" "
  PID: 2464
[depth 24] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 988
[depth 24] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2200
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 24] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 860
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 25] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 1248
  - Scheduled Task/Job: Scheduled Task
[depth 25] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyI0KxOf1H4O.bat" "
  PID: 3824
[depth 26] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1492
[depth 26] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 960
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 26] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2412
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 27] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 2704
  - Scheduled Task/Job: Scheduled Task
[depth 27] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wptF5b7z9Lgl.bat" "
  PID: 732
[depth 28] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 848
[depth 28] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 4696
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 28] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 3532
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 29] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 4412
  - Scheduled Task/Job: Scheduled Task
[depth 29] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V9V23lehc3Sg.bat" "
  PID: 2840
[depth 30] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2500
[depth 30] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 3268
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 30] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  PID: 2260
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 31] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  PID: 4008
  - Scheduled Task/Job: Scheduled Task
[depth 31] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zR39jPqCVTgf.bat" "
  PID: 4856
[depth 32] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2308
[depth 32] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  PID: 2044
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads