Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-08-2024 18:05
Behavioral task: behavioral1
- Sample: Solara.exe
- Resource: win7-20240708-en
General
- Target: Solara.exe
- Size: 3.1MB
- MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
- SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
- SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
- SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: nohchy-47404.portmap.host:47404
- Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
- encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
- install_name: SolaraExecutor.exe
- log_directory: Logs
- reconnect_delay: 2000
- startup_key: RtkAudUService64
- subdirectory: SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
- resource: behavioral2/memory/3940-1-0x0000000000F70000-0x0000000001294000-memory.dmp; yara_rule: family_quasar
- resource: C:\Windows\System32\SubDir\SolaraExecutor.exe; yara_rule: family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (SolaraExecutor.exe)
-
Executes dropped EXE 15 IoCs
Processes (pid, process):
- 5040 SolaraExecutor.exe
- 3248 SolaraExecutor.exe
- 1104 SolaraExecutor.exe
- 4324 SolaraExecutor.exe
- 2124 SolaraExecutor.exe
- 3656 SolaraExecutor.exe
- 1820 SolaraExecutor.exe
- 1920 SolaraExecutor.exe
- 3456 SolaraExecutor.exe
- 4436 SolaraExecutor.exe
- 3388 SolaraExecutor.exe
- 3928 SolaraExecutor.exe
- 4968 SolaraExecutor.exe
- 528 SolaraExecutor.exe
- 872 SolaraExecutor.exe
-
Drops file in System32 directory 2 IoCs
Processes:
- File created: C:\Windows\system32\SubDir\SolaraExecutor.exe (Solara.exe)
- File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe (Solara.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid, process):
- 4364 PING.EXE
- 1624 PING.EXE
- 1912 PING.EXE
- 1908 PING.EXE
- 4556 PING.EXE
- 1484 PING.EXE
- 4664 PING.EXE
- 1280 PING.EXE
- 2224 PING.EXE
- 896 PING.EXE
- 2684 PING.EXE
- 3736 PING.EXE
- 4320 PING.EXE
- 3592 PING.EXE
- 3152 PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
Processes (pid, process):
- 2684 PING.EXE
- 4320 PING.EXE
- 3152 PING.EXE
- 1484 PING.EXE
- 896 PING.EXE
- 4364 PING.EXE
- 3592 PING.EXE
- 1280 PING.EXE
- 2224 PING.EXE
- 1912 PING.EXE
- 1908 PING.EXE
- 4556 PING.EXE
- 1624 PING.EXE
- 3736 PING.EXE
- 4664 PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 4360 schtasks.exe
- 3548 schtasks.exe
- 4740 schtasks.exe
- 4800 schtasks.exe
- 2832 schtasks.exe
- 4488 schtasks.exe
- 4524 schtasks.exe
- 1872 schtasks.exe
- 1040 schtasks.exe
- 2912 schtasks.exe
- 4112 schtasks.exe
- 2300 schtasks.exe
- 2000 schtasks.exe
- 2240 schtasks.exe
- 2600 schtasks.exe
- 3880 schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 3940 Solara.exe
- Token: SeDebugPrivilege 5040 SolaraExecutor.exe
- Token: SeDebugPrivilege 3248 SolaraExecutor.exe
- Token: SeDebugPrivilege 1104 SolaraExecutor.exe
- Token: SeDebugPrivilege 4324 SolaraExecutor.exe
- Token: SeDebugPrivilege 2124 SolaraExecutor.exe
- Token: SeDebugPrivilege 3656 SolaraExecutor.exe
- Token: SeDebugPrivilege 1820 SolaraExecutor.exe
- Token: SeDebugPrivilege 1920 SolaraExecutor.exe
- Token: SeDebugPrivilege 3456 SolaraExecutor.exe
- Token: SeDebugPrivilege 4436 SolaraExecutor.exe
- Token: SeDebugPrivilege 3388 SolaraExecutor.exe
- Token: SeDebugPrivilege 3928 SolaraExecutor.exe
- Token: SeDebugPrivilege 4968 SolaraExecutor.exe
- Token: SeDebugPrivilege 528 SolaraExecutor.exe
- Token: SeDebugPrivilege 872 SolaraExecutor.exe
-
Suspicious use of FindShellTrayWindow 15 IoCs
Processes (pid, process):
- 5040 SolaraExecutor.exe
- 3248 SolaraExecutor.exe
- 1104 SolaraExecutor.exe
- 4324 SolaraExecutor.exe
- 2124 SolaraExecutor.exe
- 3656 SolaraExecutor.exe
- 1820 SolaraExecutor.exe
- 1920 SolaraExecutor.exe
- 3456 SolaraExecutor.exe
- 4436 SolaraExecutor.exe
- 3388 SolaraExecutor.exe
- 3928 SolaraExecutor.exe
- 4968 SolaraExecutor.exe
- 528 SolaraExecutor.exe
- 872 SolaraExecutor.exe
-
Suspicious use of SendNotifyMessage 15 IoCs
Processes (pid, process):
- 5040 SolaraExecutor.exe
- 3248 SolaraExecutor.exe
- 1104 SolaraExecutor.exe
- 4324 SolaraExecutor.exe
- 2124 SolaraExecutor.exe
- 3656 SolaraExecutor.exe
- 1820 SolaraExecutor.exe
- 1920 SolaraExecutor.exe
- 3456 SolaraExecutor.exe
- 4436 SolaraExecutor.exe
- 3388 SolaraExecutor.exe
- 3928 SolaraExecutor.exe
- 4968 SolaraExecutor.exe
- 528 SolaraExecutor.exe
- 872 SolaraExecutor.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 4968 SolaraExecutor.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process -> target process):
- PID 3940 wrote to memory of 1040 (Solara.exe -> schtasks.exe)
- PID 3940 wrote to memory of 1040 (Solara.exe -> schtasks.exe)
- PID 3940 wrote to memory of 5040 (Solara.exe -> SolaraExecutor.exe)
- PID 3940 wrote to memory of 5040 (Solara.exe -> SolaraExecutor.exe)
- PID 5040 wrote to memory of 4360 (SolaraExecutor.exe -> schtasks.exe)
- PID 5040 wrote to memory of 4360 (SolaraExecutor.exe -> schtasks.exe)
- PID 5040 wrote to memory of 3468 (SolaraExecutor.exe -> cmd.exe)
- PID 5040 wrote to memory of 3468 (SolaraExecutor.exe -> cmd.exe)
- PID 3468 wrote to memory of 5084 (cmd.exe -> chcp.com)
- PID 3468 wrote to memory of 5084 (cmd.exe -> chcp.com)
- PID 3468 wrote to memory of 2684 (cmd.exe -> PING.EXE)
- PID 3468 wrote to memory of 2684 (cmd.exe -> PING.EXE)
- PID 3468 wrote to memory of 3248 (cmd.exe -> SolaraExecutor.exe)
- PID 3468 wrote to memory of 3248 (cmd.exe -> SolaraExecutor.exe)
- PID 3248 wrote to memory of 4488 (SolaraExecutor.exe -> schtasks.exe)
- PID 3248 wrote to memory of 4488 (SolaraExecutor.exe -> schtasks.exe)
- PID 3248 wrote to memory of 1208 (SolaraExecutor.exe -> cmd.exe)
- PID 3248 wrote to memory of 1208 (SolaraExecutor.exe -> cmd.exe)
- PID 1208 wrote to memory of 4280 (cmd.exe -> chcp.com)
- PID 1208 wrote to memory of 4280 (cmd.exe -> chcp.com)
- PID 1208 wrote to memory of 1912 (cmd.exe -> PING.EXE)
- PID 1208 wrote to memory of 1912 (cmd.exe -> PING.EXE)
- PID 1208 wrote to memory of 1104 (cmd.exe -> SolaraExecutor.exe)
- PID 1208 wrote to memory of 1104 (cmd.exe -> SolaraExecutor.exe)
- PID 1104 wrote to memory of 2912 (SolaraExecutor.exe -> schtasks.exe)
- PID 1104 wrote to memory of 2912 (SolaraExecutor.exe -> schtasks.exe)
- PID 1104 wrote to memory of 3920 (SolaraExecutor.exe -> cmd.exe)
- PID 1104 wrote to memory of 3920 (SolaraExecutor.exe -> cmd.exe)
- PID 3920 wrote to memory of 1904 (cmd.exe -> chcp.com)
- PID 3920 wrote to memory of 1904 (cmd.exe -> chcp.com)
- PID 3920 wrote to memory of 4320 (cmd.exe -> PING.EXE)
- PID 3920 wrote to memory of 4320 (cmd.exe -> PING.EXE)
- PID 3920 wrote to memory of 4324 (cmd.exe -> SolaraExecutor.exe)
- PID 3920 wrote to memory of 4324 (cmd.exe -> SolaraExecutor.exe)
- PID 4324 wrote to memory of 2300 (SolaraExecutor.exe -> schtasks.exe)
- PID 4324 wrote to memory of 2300 (SolaraExecutor.exe -> schtasks.exe)
- PID 4324 wrote to memory of 2232 (SolaraExecutor.exe -> cmd.exe)
- PID 4324 wrote to memory of 2232 (SolaraExecutor.exe -> cmd.exe)
- PID 2232 wrote to memory of 1084 (cmd.exe -> chcp.com)
- PID 2232 wrote to memory of 1084 (cmd.exe -> chcp.com)
- PID 2232 wrote to memory of 4364 (cmd.exe -> PING.EXE)
- PID 2232 wrote to memory of 4364 (cmd.exe -> PING.EXE)
- PID 2232 wrote to memory of 2124 (cmd.exe -> SolaraExecutor.exe)
- PID 2232 wrote to memory of 2124 (cmd.exe -> SolaraExecutor.exe)
- PID 2124 wrote to memory of 2000 (SolaraExecutor.exe -> schtasks.exe)
- PID 2124 wrote to memory of 2000 (SolaraExecutor.exe -> schtasks.exe)
- PID 2124 wrote to memory of 4712 (SolaraExecutor.exe -> cmd.exe)
- PID 2124 wrote to memory of 4712 (SolaraExecutor.exe -> cmd.exe)
- PID 4712 wrote to memory of 392 (cmd.exe -> chcp.com)
- PID 4712 wrote to memory of 392 (cmd.exe -> chcp.com)
- PID 4712 wrote to memory of 3152 (cmd.exe -> PING.EXE)
- PID 4712 wrote to memory of 3152 (cmd.exe -> PING.EXE)
- PID 4712 wrote to memory of 3656 (cmd.exe -> SolaraExecutor.exe)
- PID 4712 wrote to memory of 3656 (cmd.exe -> SolaraExecutor.exe)
- PID 3656 wrote to memory of 2240 (SolaraExecutor.exe -> schtasks.exe)
- PID 3656 wrote to memory of 2240 (SolaraExecutor.exe -> schtasks.exe)
- PID 3656 wrote to memory of 4536 (SolaraExecutor.exe -> cmd.exe)
- PID 3656 wrote to memory of 4536 (SolaraExecutor.exe -> cmd.exe)
- PID 4536 wrote to memory of 2824 (cmd.exe -> chcp.com)
- PID 4536 wrote to memory of 2824 (cmd.exe -> chcp.com)
- PID 4536 wrote to memory of 3736 (cmd.exe -> PING.EXE)
- PID 4536 wrote to memory of 3736 (cmd.exe -> PING.EXE)
- PID 4536 wrote to memory of 1820 (cmd.exe -> SolaraExecutor.exe)
- PID 4536 wrote to memory of 1820 (cmd.exe -> SolaraExecutor.exe)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\Solara.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3940

[depth 2] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1040

[depth 2] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5040

[depth 3] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4360

[depth 3] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z4M5kiPTYYyu.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3468

[depth 4] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 5084

[depth 4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2684

[depth 4] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3248

[depth 5] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4488

[depth 5] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10NkFlgz8mo3.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1208

[depth 6] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 4280

[depth 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1912

[depth 6] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1104

[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2912

[depth 7] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Yl9PML3brQU.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3920

[depth 8] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1904

[depth 8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4320

[depth 8] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4324

[depth 9] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2300

[depth 9] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2bIukoWT1E3.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2232

[depth 10] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1084

[depth 10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4364

[depth 10] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2124

[depth 11] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2000

[depth 11] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFHYGP0vUWNx.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4712

[depth 12] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 392

[depth 12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3152

[depth 12] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3656

[depth 13] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2240

[depth 13] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7PwLQ4u8UkO.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4536

[depth 14] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2824

[depth 14] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3736

[depth 14] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1820

[depth 15] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2600

[depth 15] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7VUJLkZOHxXU.bat" "
  PID: 1384

[depth 16] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 4028

[depth 16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1908

[depth 16] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1920

[depth 17] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3548

[depth 17] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i96WVCWjJemA.bat" "
  PID: 3916

[depth 18] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3804

[depth 18] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4556

[depth 18] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3456

[depth 19] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4740

[depth 19] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h7QxbW05AjZj.bat" "
  PID: 4532

[depth 20] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2400

[depth 20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1484

[depth 20] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4436

[depth 21] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4800

[depth 21] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pdklk7DMGvcO.bat" "
  PID: 1088

[depth 22] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1412

[depth 22] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1624

[depth 22] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3388

[depth 23] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4524

[depth 23] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMaTqvpRpLak.bat" "
  PID: 4360

[depth 24] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3372

[depth 24] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4664

[depth 24] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3928

[depth 25] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3880

[depth 25] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUgUil5dJDin.bat" "
  PID: 3844

[depth 26] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3864

[depth 26] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3592

[depth 26] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 4968

[depth 27] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4112

[depth 27] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iXguQ6uo2gzG.bat" "
  PID: 4516

[depth 28] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 4744

[depth 28] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1280

[depth 28] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 528

[depth 29] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2832

[depth 29] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D22bRPcIhzjU.bat" "
  PID: 2416

[depth 30] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2320

[depth 30] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2224

[depth 30] C:\Windows\system32\SubDir\SolaraExecutor.exe
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 872

[depth 31] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1872

[depth 31] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53694SMDEX20.bat" "
  PID: 5004

[depth 32] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2364

[depth 32] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 896
Network
MITRE ATT&CK Enterprise v15
Downloads