Analysis

Max time kernel: 143s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 03-08-2024 18:05

Behavioral task: behavioral1
Sample: Solara.exe
Resource: win7-20240708-en
General

Target: Solara.exe
Size: 3.1MB
MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config

Extracted family: quasar
version: 1.4.1
tag: Office04
c2: nohchy-47404.portmap.host:47404
mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
install_name: SolaraExecutor.exe
log_directory: Logs
reconnect_delay: 2000
startup_key: RtkAudUService64
subdirectory: SubDir
Signatures

Quasar payload (13 IoCs)
Matches (resource, YARA rule):
- behavioral1/memory/1620-1-0x0000000000F50000-0x0000000001274000-memory.dmp: family_quasar
- C:\Windows\System32\SubDir\SolaraExecutor.exe: family_quasar
- behavioral1/memory/2368-8-0x00000000001A0000-0x00000000004C4000-memory.dmp: family_quasar
- behavioral1/memory/2640-22-0x0000000000BF0000-0x0000000000F14000-memory.dmp: family_quasar
- behavioral1/memory/1848-44-0x0000000000140000-0x0000000000464000-memory.dmp: family_quasar
- behavioral1/memory/628-55-0x0000000000900000-0x0000000000C24000-memory.dmp: family_quasar
- behavioral1/memory/1736-67-0x0000000000110000-0x0000000000434000-memory.dmp: family_quasar
- behavioral1/memory/2148-78-0x0000000000CF0000-0x0000000001014000-memory.dmp: family_quasar
- behavioral1/memory/2544-90-0x00000000012F0000-0x0000000001614000-memory.dmp: family_quasar
- behavioral1/memory/2968-132-0x0000000000220000-0x0000000000544000-memory.dmp: family_quasar
- behavioral1/memory/2996-143-0x00000000008E0000-0x0000000000C04000-memory.dmp: family_quasar
- behavioral1/memory/740-154-0x0000000001210000-0x0000000001534000-memory.dmp: family_quasar
- behavioral1/memory/584-165-0x0000000000070000-0x0000000000394000-memory.dmp: family_quasar

Executes dropped EXE (15 IoCs)
Processes (pid, process):
- SolaraExecutor.exe, PIDs 2368, 2640, 1176, 1848, 628, 1736, 2148, 2544, 1972, 2708, 2552, 2968, 2996, 740, 584

Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\system32\SubDir\SolaraExecutor.exe (Solara.exe)
- File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe (Solara.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid, process):
- PING.EXE, PIDs 1684, 2812, 684, 2348, 1436, 1660, 2448, 1048, 1044, 1380, 1072, 3028, 1980, 2348, 2080

Runs ping.exe (1 TTPs, 15 IoCs)
Processes (pid, process):
- PING.EXE, PIDs 2080, 1044, 1072, 2348, 2448, 1684, 1048, 3028, 684, 2812, 1980, 2348, 1380, 1660, 1436

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- schtasks.exe, PIDs 2452, 2876, 2344, 2800, 2184, 1656, 3020, 1720, 316, 2948, 772, 2152, 2604, 2944, 1368, 2000

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1620 Solara.exe
- Token: SeDebugPrivilege, SolaraExecutor.exe PIDs 2368, 2640, 1176, 1848, 628, 1736, 2148, 2544, 1972, 2708, 2552, 2968, 2996, 740, 584

Suspicious use of FindShellTrayWindow (15 IoCs)
Processes (pid, process):
- SolaraExecutor.exe, PIDs 2368, 2640, 1176, 1848, 628, 1736, 2148, 2544, 1972, 2708, 2552, 2968, 2996, 740, 584

Suspicious use of SendNotifyMessage (15 IoCs)
Processes (pid, process):
- SolaraExecutor.exe, PIDs 2368, 2640, 1176, 1848, 628, 1736, 2148, 2544, 1972, 2708, 2552, 2968, 2996, 740, 584

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
- 2368 SolaraExecutor.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid, source process, target pid, target process; x3 = three writes recorded):
- PID 1620 Solara.exe wrote to memory of 3020 schtasks.exe (x3)
- PID 1620 Solara.exe wrote to memory of 2368 SolaraExecutor.exe (x3)
- PID 2368 SolaraExecutor.exe wrote to memory of 2452 schtasks.exe (x3)
- PID 2368 SolaraExecutor.exe wrote to memory of 3036 cmd.exe (x3)
- PID 3036 cmd.exe wrote to memory of 2712 chcp.com (x3)
- PID 3036 cmd.exe wrote to memory of 3028 PING.EXE (x3)
- PID 3036 cmd.exe wrote to memory of 2640 SolaraExecutor.exe (x3)
- PID 2640 SolaraExecutor.exe wrote to memory of 2604 schtasks.exe (x3)
- PID 2640 SolaraExecutor.exe wrote to memory of 2400 cmd.exe (x3)
- PID 2400 cmd.exe wrote to memory of 1348 chcp.com (x3)
- PID 2400 cmd.exe wrote to memory of 1684 PING.EXE (x3)
- PID 2400 cmd.exe wrote to memory of 1176 SolaraExecutor.exe (x3)
- PID 1176 SolaraExecutor.exe wrote to memory of 2876 schtasks.exe (x3)
- PID 1176 SolaraExecutor.exe wrote to memory of 1984 cmd.exe (x3)
- PID 1984 cmd.exe wrote to memory of 2060 chcp.com (x3)
- PID 1984 cmd.exe wrote to memory of 1436 PING.EXE (x3)
- PID 1984 cmd.exe wrote to memory of 1848 SolaraExecutor.exe (x3)
- PID 1848 SolaraExecutor.exe wrote to memory of 2944 schtasks.exe (x3)
- PID 1848 SolaraExecutor.exe wrote to memory of 2956 cmd.exe (x3)
- PID 2956 cmd.exe wrote to memory of 2684 chcp.com (x3)
- PID 2956 cmd.exe wrote to memory of 2448 PING.EXE (x3)
- PID 2956 cmd.exe wrote to memory of 628 SolaraExecutor.exe (x1)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth = nesting level in the process tree; a process is the child of the nearest preceding process of lower depth)

Depth 1 | PID 1620 | C:\Users\Admin\AppData\Local\Temp\Solara.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 2 | PID 3020 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 2 | PID 2368 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Depth 3 | PID 2452 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 3 | PID 3036 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat" "
  - Suspicious use of WriteProcessMemory

Depth 4 | PID 2712 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 4 | PID 3028 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 4 | PID 2640 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 5 | PID 2604 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 5 | PID 2400 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lRglklHhE4bX.bat" "
  - Suspicious use of WriteProcessMemory

Depth 6 | PID 1348 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 6 | PID 1684 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 6 | PID 1176 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 7 | PID 2876 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 7 | PID 1984 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSi7EoyLOKiS.bat" "
  - Suspicious use of WriteProcessMemory

Depth 8 | PID 2060 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 8 | PID 1436 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 8 | PID 1848 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 9 | PID 2944 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 9 | PID 2956 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rHC7h9zfLSQx.bat" "
  - Suspicious use of WriteProcessMemory

Depth 10 | PID 2684 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 10 | PID 2448 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 10 | PID 628 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 11 | PID 1368 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 11 | PID 828 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOPFxnNRDr2O.bat" "

Depth 12 | PID 1340 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 12 | PID 1048 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 12 | PID 1736 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 13 | PID 772 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 13 | PID 1864 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7sjQBkStnEuj.bat" "

Depth 14 | PID 1472 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 14 | PID 1980 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 14 | PID 2148 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 15 | PID 1720 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 15 | PID 880 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7XncvzNxmQRJ.bat" "

Depth 16 | PID 2332 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 16 | PID 2348 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 16 | PID 2544 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 17 | PID 2344 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 17 | PID 1792 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\fxx3to9kAoj2.bat" "

Depth 18 | PID 2784 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 18 | PID 2812 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 18 | PID 1972 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 19 | PID 2800 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 19 | PID 2884 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcCOkuwfGPER.bat" "

Depth 20 | PID 2096 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 20 | PID 2080 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 20 | PID 2708 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 21 | PID 316 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 21 | PID 1684 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bWzBUkDZOQl.bat" "

Depth 22 | PID 2336 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 22 | PID 1044 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 22 | PID 2552 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 23 | PID 2000 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 23 | PID 284 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1x4pjtB8tpf.bat" "

Depth 24 | PID 820 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 24 | PID 1380 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 24 | PID 2968 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 25 | PID 2948 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 25 | PID 2512 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DhqK0XZEwWR.bat" "

Depth 26 | PID 3056 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 26 | PID 1072 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 26 | PID 2996 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 27 | PID 2184 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 27 | PID 692 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1xXAEkPyZz11.bat" "

Depth 28 | PID 772 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 28 | PID 684 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 28 | PID 740 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 29 | PID 1656 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 29 | PID 2436 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\jhwnjh8vXAUZ.bat" "

Depth 30 | PID 300 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 30 | PID 1660 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 30 | PID 584 | C:\Windows\system32\SubDir\SolaraExecutor.exe
  Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 31 | PID 2152 | C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

Depth 31 | PID 2844 | C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\itQWUOBR8mtC.bat" "

Depth 32 | PID 2172 | C:\Windows\system32\chcp.com
  Command line: chcp 65001

Depth 32 | PID 2348 | C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads