Malware Analysis Report

2024-10-23 21:24

Sample ID 240803-w1gb6swbnb
Target Solara.exe
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Tags
office04 quasar discovery spyware trojan
score
10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 18:23

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 18:23

Reported

2024-08-03 18:25

Platform

win7-20240729-en

Max time kernel

143s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
File opened for modification C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 2544 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 2544 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 2544 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2544 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2544 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2300 wrote to memory of 2768 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2300 wrote to memory of 2768 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2300 wrote to memory of 2768 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2300 wrote to memory of 2940 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2940 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2940 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2940 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2940 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2940 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2940 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2720 wrote to memory of 2696 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2720 wrote to memory of 2500 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 2500 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 2500 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2500 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2500 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2500 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2500 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2500 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2500 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2500 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2500 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2344 wrote to memory of 2892 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2344 wrote to memory of 2892 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2344 wrote to memory of 2892 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2344 wrote to memory of 2960 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2960 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2960 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2960 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2960 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2960 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2960 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2960 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2960 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2960 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2960 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1120 wrote to memory of 1464 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1120 wrote to memory of 1464 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1120 wrote to memory of 1464 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1120 wrote to memory of 2220 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 2220 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 2220 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2220 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2220 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2220 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2220 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2220 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2220 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 nohchy-47404.portmap.host udp

Files

memory/2544-0-0x000007FEF68F3000-0x000007FEF68F4000-memory.dmp

memory/2544-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp

memory/2544-2-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

memory/2300-9-0x00000000000B0000-0x00000000003D4000-memory.dmp

memory/2544-8-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

memory/2300-7-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

memory/2300-10-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat

MD5 1e904951402540594e3973b60be84f3a
SHA1 1bb8916e0f09b68ddf27908a4126a2d96cfac2fe
SHA256 f33dbd16664e0b8431c7d54633de6670bca32066b96f92c5707bd023de154c03
SHA512 3cccca5195e06369e3e8848b93e90ca21d7dfb1ae1c5306911d21cc124a0095bad876ccfd2c2f58a589b0d42dccea6026da4986c57b0f0a9ea81e8c5ea432b1a

memory/2300-20-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp

memory/2720-22-0x0000000000240000-0x0000000000564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat

MD5 5f01ec163e2840ef44aa8910e6e7945c
SHA1 1bbed0d1cac33db7734ca745f7d20593f0ba669b
SHA256 2d7482c76bca3ca62883c0987c98667cbf4042a92f653acfdc56298c19d65948
SHA512 49567b6501645b67e05af9e76e4fc34192928d3b0d2b5be8c42401a44e589b92f0c931adc19424ac675fd8c2a6b6f4918fbc61fe8a9353f86711e7992e6e292f

memory/2344-33-0x00000000009C0000-0x0000000000CE4000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat

MD5 0aac68b6281df08809fe0f9d6e8f359b
SHA1 c3e46dfdcb85dcf0dd707c6b458ebde0e39274ea
SHA256 e10ca01e6e9463e6cb7004d5df6af9c63adf39f14dd76bfddcd76cc5fcef1ea2
SHA512 5c8eb8b4ebc3fc715e47fcdd12263264c9976f9fa74e99ab526a4273694290ce9e2ccbba2abff7d35c6dcd8db67638d01cd344275d9f5b70b8de1129946defcc

C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat

MD5 c81e29311a100e26e92a8947844fbe21
SHA1 fb4aa1f97e3218a17637854d27253c2131c4c8be
SHA256 6905ee241e9379c31c13eaa8e5724ae2e4ac646786a5eac2da6c53e4fd16701a
SHA512 e12ec3c717e38ceb2e7fecdfa67b3cd66e40721f775330966765574a74125ae3333572fa429b0545e4f8a28ed86c066e12a341eb8849fa4c7e61c62dce7be4b4

memory/992-56-0x0000000000E40000-0x0000000001164000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat

MD5 0f5d72c64a86ea20b6f168f6b54fe657
SHA1 c9696f4f041e9310f9bee98ae134c04d4ff61065
SHA256 d2f3e17ab4cd9a7c14e206d9e564412df154e1f307237205ac55d824ebef9fa5
SHA512 ab3ee8e9a50bee54af7ffb2f28c0cefb1622ea355b2feabaefd170a4642655598d5a83b5672d25db15ce98860f74f371de9c0c3c88198ea86e0aca6f13024e20

C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat

MD5 8654d987fae705fc8e04b2b60b8003fc
SHA1 6e451129ee730a78948439fd510bfbfb4513cb72
SHA256 78fceb7e52ed6aa1c212d3362163ed1c5a0a159cea804d5c36b8c78addec3d99
SHA512 432784146bd245ead560d229dd841f27bf641f2b6eb7227b38fb916933b1b85b510fe2606a5225918110994abc98b6d4c33a9b1241792795c57f307a204597fd

C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat

MD5 9d4d839443bc9078e7fa3fd0b4051b66
SHA1 4a8f6c5a81cb06abf977d38164f7fe614791d5a1
SHA256 437319723ee9d8c1aa816a1bae7b88220480756578193fee7b65f8375297f6df
SHA512 66682df9cb6244125b5301c75f6a93a4d7dd0f39989993bff172dc815cfa49461509ba00bd57acaabddd75078be4336e3683a580fabaf1af0861fa3cce7b0245

memory/2804-89-0x0000000001170000-0x0000000001494000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat

MD5 2e28037f8280fa9cf37b1dcf113426f0
SHA1 02138c5465618b6d895e8cf7cf02d7fc71193435
SHA256 36b86a7e6b946f856d983d8c298e0ce03d7298be15b2b10d098eb027f81d14c6
SHA512 8bc3e3dd8caf5e8b0b90907ab090c8fccd1e0b6d46a15cb491072edbac1992f698946364190f29d6fb8149ad4e0e827b74a5bd33b1d72d886d08dd1f4ed323a8

memory/2696-100-0x0000000001190000-0x00000000014B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat

MD5 58df4c494ab48a771825a368b5a12f4b
SHA1 523ff1b181e92e857ece5a06d2841647c89819cf
SHA256 1bac8ff9b514d4a1495076495a4b78731d89c90cff77b7507e0bd0afac1d8e64
SHA512 5ac08d05e409bef784ec14deb9c6b26087fcb1c939e79f6846d42fbbfb6622c510212932159d8f0b6ea7e635dc1f76a4e5f286125bfb06dcada472787bb21e5f

C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat

MD5 961eb5afc72e3107a5db40e4485a7a1f
SHA1 14589ec416210482a392e4dec315fd6cf7fcf505
SHA256 a5f8b777c40dfbfbcdc91c9c14ac9e390cc6c0b188724d9f6eab0bfa6282ec4c
SHA512 c11b555be400e849e7bacdec9c2a58ebadca1cc8f15359a032ebc3d622d1cdd6e5d127de29898dcc39de6d0ff28c5f9e905940c15a7aadbd1380bb0e24f31da9

C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat

MD5 4028c31e6a2f0fd3d0bbbadedd6360ac
SHA1 7ca6c6bc84d0ad92a11eeb1d29e082871dce1d03
SHA256 db3556d82c5549a768e55aa0ebd7031ccce49b28eaa8bbfcb4d726e8c0bbbfb8
SHA512 1204d42c4a5a0c963a77553f2a90b0d5aae377ed14bb4e7fa949298b697cb33386517da3ae2e875cf3d05f69c5e9a883317a57782ba65a4ac83bf2dd49a657fd

C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat

MD5 498abdf9157efb2e0571d2ba1da7e0f0
SHA1 177a22f8a12f6b527183183c8ec80fa330628293
SHA256 9f555f7885848764c33e01ff99b236a1fcac13edef71003e9fe2c9df296b1f83
SHA512 f99cf4dcfd413d452f152ef1f59a46a4939b4d05d61d3ca99df81accd98666a5535d342a726d2593fb9c2012ce7e56d31127ed5641de5fb1d30c789bae382b51

memory/2400-144-0x0000000001230000-0x0000000001554000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat

MD5 efc7cfd002840a3cdac8d326ae41f201
SHA1 f27ecdfa6575f33265a646c0377a4428e80ce093
SHA256 1e296a914457f8611b349e35df9f442dbe0d13710854be6493178d4f55221917
SHA512 ce39d7c38517f51ef41be12ab0f738d3bcb7558a3d5d982eb21d742f9fd41797ca69c86f5a02d4ce8d2f327355fcf7be6bbb48319abbe2222d4039ca5f0af1b6

C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat

MD5 18d19f99185c50ffad2cc72c52279adb
SHA1 a589fe9326e8dea1add7b254ac5feb83277b59ad
SHA256 9a861564c260c9a2bc3df68f9a83970eb5018a4b2abce05228645ff778ba43ce
SHA512 2d02808808ee90ac679e1ecb0895651506ed0740b16f7b0d9158d541e3ed9452844c52c7b71ece26e1701ce4ab388937747eb490cb350f1e6c3286207d44434b

memory/2864-167-0x0000000001370000-0x0000000001694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat

MD5 0e40bfca38e6d18f0741ab7e481913b4
SHA1 48dd4e38353e0fa4b150c375cc0eb5d3f99c9320
SHA256 43816504e5fb1efcb51f7ac58e2de20df9ba9e7fd84de2a41838ae3f4495da4d
SHA512 efd34d3734de0d9938c5ee8f837a032a86a40b0605f73bf7c213f0633dfa43c34c835c7a9cc3316932488c6d7858e634047944ad4217b3d4bc65b1b75e9d18f9

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-03 18:23

Reported

2024-08-03 18:25

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
File opened for modification C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2860 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2860 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2860 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2636 wrote to memory of 2848 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2636 wrote to memory of 2848 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2636 wrote to memory of 1472 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 1472 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1472 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1472 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1472 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1472 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1472 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1472 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3176 wrote to memory of 5064 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3176 wrote to memory of 5064 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3176 wrote to memory of 3144 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 3144 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3144 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3144 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3144 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3144 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3144 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3144 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3080 wrote to memory of 3664 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3080 wrote to memory of 3664 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3080 wrote to memory of 3420 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3080 wrote to memory of 3420 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3420 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3420 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3420 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3420 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3420 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3420 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2660 wrote to memory of 5100 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2660 wrote to memory of 5100 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2660 wrote to memory of 216 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 216 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 216 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 216 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 216 wrote to memory of 4208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 216 wrote to memory of 4208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 216 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 216 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1464 wrote to memory of 5044 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1464 wrote to memory of 5044 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1464 wrote to memory of 4388 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1464 wrote to memory of 4388 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4388 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4388 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4388 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4388 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4388 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4388 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3336 wrote to memory of 432 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3336 wrote to memory of 432 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3336 wrote to memory of 1208 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3336 wrote to memory of 1208 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1208 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1208 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1208 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1208 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1208 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0TifzbZREaaA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVHNKoo84m7I.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCNZObr3IZBE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eDVmalsg2rlK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aNYJFrQrZNuu.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lF9Kh7HXrNpT.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ajD1xA4nKR2F.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCi1ZImwhHMm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HW3c7NlhGQZx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l5XCbTtHrfaJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHqIkVX9LdFh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyI0KxOf1H4O.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wptF5b7z9Lgl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V9V23lehc3Sg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zR39jPqCVTgf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp

Files

C:\Windows\System32\SubDir\SolaraExecutor.exe

C:\Users\Admin\AppData\Local\Temp\0TifzbZREaaA.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log

C:\Users\Admin\AppData\Local\Temp\KVHNKoo84m7I.bat

C:\Users\Admin\AppData\Local\Temp\PCNZObr3IZBE.bat

C:\Users\Admin\AppData\Local\Temp\eDVmalsg2rlK.bat

C:\Users\Admin\AppData\Local\Temp\aNYJFrQrZNuu.bat

C:\Users\Admin\AppData\Local\Temp\lF9Kh7HXrNpT.bat

C:\Users\Admin\AppData\Local\Temp\ajD1xA4nKR2F.bat

C:\Users\Admin\AppData\Local\Temp\FCi1ZImwhHMm.bat

C:\Users\Admin\AppData\Local\Temp\HW3c7NlhGQZx.bat

C:\Users\Admin\AppData\Local\Temp\l5XCbTtHrfaJ.bat

C:\Users\Admin\AppData\Local\Temp\EHqIkVX9LdFh.bat

C:\Users\Admin\AppData\Local\Temp\ZyI0KxOf1H4O.bat

C:\Users\Admin\AppData\Local\Temp\wptF5b7z9Lgl.bat

C:\Users\Admin\AppData\Local\Temp\V9V23lehc3Sg.bat

C:\Users\Admin\AppData\Local\Temp\zR39jPqCVTgf.bat
