Malware Analysis Report

2024-10-23 21:24

Sample ID 240803-wpmd2s1bjn
Target Solara.exe
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Tags quasar office04 discovery spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 discovery spyware trojan

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 18:05

Signatures

Quasar family

quasar

Quasar payload

1 match; no indicator, process or target details recorded.

Unsigned PE

1 match; no indicator, process or target details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 18:05

Reported

2024-08-03 18:08

Platform

win7-20240708-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

13 matches; no indicator, process or target details recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
File opened for modification C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A

Creating a directory under C:\Windows\system32 needs administrative rights, which the sandbox's Admin account has; on a standard-user host this copy fails. The scheduled-task name RtkAudUService64 mimics the Realtek Audio Universal Service executable (RtkAudUService64.exe) so the entry blends in with vendor tasks.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 1620 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 1620 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 1620 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1620 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1620 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2368 wrote to memory of 2452 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2368 wrote to memory of 2452 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2368 wrote to memory of 2452 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3036 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3036 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3036 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3036 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3036 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3036 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3036 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3036 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2640 wrote to memory of 2604 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2604 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2604 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2400 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2400 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2400 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2400 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2400 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2400 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2400 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2400 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2400 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2400 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2400 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2400 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1176 wrote to memory of 2876 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1176 wrote to memory of 2876 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1176 wrote to memory of 2876 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1176 wrote to memory of 1984 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 1984 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 1984 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1984 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1984 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1984 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1984 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1984 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1984 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1984 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1984 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1848 wrote to memory of 2944 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1848 wrote to memory of 2944 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1848 wrote to memory of 2944 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 1848 wrote to memory of 2956 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 2956 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 2956 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2956 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2956 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2956 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2956 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2956 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2956 wrote to memory of 628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

This cmd.exe / chcp.com / PING.EXE / SolaraExecutor.exe group is the RAT's restart loop and recurs for every SolaraExecutor.exe instance below: the running copy writes a batch file with a random name to Temp, cmd.exe runs it, chcp 65001 switches the console to UTF-8, ping -n 10 localhost stalls for about nine seconds (batch has no sleep command), and the batch then starts SolaraExecutor.exe again, which re-registers the RtkAudUService64 task and spawns the next batch. The batch contents themselves are not captured in this report.

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lRglklHhE4bX.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSi7EoyLOKiS.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rHC7h9zfLSQx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOPFxnNRDr2O.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7sjQBkStnEuj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7XncvzNxmQRJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fxx3to9kAoj2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcCOkuwfGPER.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bWzBUkDZOQl.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1x4pjtB8tpf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DhqK0XZEwWR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1xXAEkPyZz11.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jhwnjh8vXAUZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\itQWUOBR8mtC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
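
Reconstructing the process tree and scoring the scheduled-task and restart-loop behaviour from rows like the ones above, as an added example that is not part of this sandbox report: the input strings are copied from the behavioral1 WriteProcessMemory table and Processes list (one duplicate row kept to show the de-duplication), and the finding text, the "non-standard System32 subdirectory" rule and the "ping -n N localhost sleeps about N-1 seconds" rule are the editor's own assumptions.

```python
import re

# Constructed input, copied from this report's behavioral1 "Suspicious use of
# WriteProcessMemory" table. The Win7 trace logs each spawn three times; one
# duplicate is kept here so the de-duplication is visible.
WPM_ROWS = r"""
PID 1620 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 1620 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\schtasks.exe
PID 1620 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2368 wrote to memory of 2452 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2368 wrote to memory of 3036 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3036 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3036 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2640 wrote to memory of 2604 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2400 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2400 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2400 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2400 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
"""

# Constructed input, copied from the Processes list (one of each distinct line).
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Solara.exe"',
    r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat" "',
    r"chcp 65001",
    r"ping -n 10 localhost",
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)")
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.I)
PING_RE = re.compile(r"ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)", re.I)


def parse_edges(text):
    """Unique (ppid, pid, parent_image, child_image) tuples, in report order."""
    seen, edges = set(), []
    for m in ROW_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """pid -> (image, ppid); the root process is entered with ppid None."""
    tree = {}
    for ppid, pid, pimg, cimg in edges:
        tree.setdefault(ppid, (pimg, None))
        tree[pid] = (cimg, ppid)
    return tree


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def relaunches(tree, image="solaraexecutor.exe"):
    """PIDs of `image` started by cmd.exe whose own parent is `image`:
    the batch-file restart chain seen in this report."""
    hits = []
    for pid, (img, ppid) in tree.items():
        if basename(img) != image or ppid not in tree:
            continue
        pimg, gppid = tree[ppid]
        if basename(pimg) == "cmd.exe" and gppid in tree and basename(tree[gppid][0]) == image:
            hits.append(pid)
    return sorted(hits)


def parse_schtasks(cmdline):
    """Map each /switch to its (unquoted) value, or True for bare switches like /f."""
    return {sw.lower(): (val.strip('"') if val else True) for sw, val in SWITCH_RE.findall(cmdline)}


def schtasks_findings(fields):
    """Assumed scoring rules for a schtasks /create line; returns reasons."""
    findings = []
    if not fields.get("create"):
        return findings
    if str(fields.get("sc", "")).upper() == "ONLOGON":
        findings.append("trigger: runs at every logon (persistence)")
    if str(fields.get("rl", "")).upper() == "HIGHEST":
        findings.append("run level: HIGHEST (full admin token if the creator is an administrator)")
    m = re.search(r"\\windows\\system32\\(.+)$", str(fields.get("tr", "")).lower())
    if m and "\\" in m.group(1):
        findings.append("action: binary in a non-standard System32 subdirectory " + m.group(1).split("\\")[0])
    return findings


def batch_path(cmdline):
    m = BAT_RE.search(cmdline)
    return m.group(1) if m else None


def ping_sleep_seconds(cmdline):
    """ping -n N localhost is the batch idiom for sleeping roughly N-1 seconds."""
    m = PING_RE.search(cmdline)
    return int(m.group(1)) - 1 if m else None


def analyze(wpm_rows, cmdlines):
    tree = build_tree(parse_edges(wpm_rows))
    report = {"relaunched_pids": relaunches(tree), "schtasks": [], "batches": [], "sleeps": []}
    for c in cmdlines:
        if "schtasks" in c.lower():
            report["schtasks"].append(schtasks_findings(parse_schtasks(c)))
        elif batch_path(c):
            report["batches"].append(batch_path(c))
        elif ping_sleep_seconds(c) is not None:
            report["sleeps"].append(ping_sleep_seconds(c))
    return report


if __name__ == "__main__":
    for k, v in analyze(WPM_ROWS, CMDLINES).items():
        print(k, v)
```

The tree check (SolaraExecutor.exe started by cmd.exe whose own parent is SolaraExecutor.exe) is the restart chain this report shows; on a live endpoint the same logic runs over Sysmon event 1 parent/child pairs instead of sandbox rows.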

Network

Country Destination Domain Proto
US 8.8.8.8:53 nohchy-47404.portmap.host udp

Only the DNS lookup is recorded: the sample resolved nohchy-47404.portmap.host through Google Public DNS (8.8.8.8), and no follow-on connection to the resolved address appears within the 120 s network window, so the C2 port is not known from this report. portmap.host is the domain of the portmap.io port-forwarding service, so the hostname points at a tunnel the operator rented rather than infrastructure they own; block or alert on the full hostname, not on the resolved IP.

Files

memory/1620-0-0x000007FEF5D63000-0x000007FEF5D64000-memory.dmp

memory/1620-1-0x0000000000F50000-0x0000000001274000-memory.dmp

memory/1620-2-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

Its SHA256 equals the submitted Solara.exe: the sample installs a byte-identical copy of itself under System32\SubDir rather than dropping a separate second-stage payload, so the one hash covers both files.

memory/2368-8-0x00000000001A0000-0x00000000004C4000-memory.dmp

memory/1620-7-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

memory/2368-9-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

memory/2368-10-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat

MD5 a6a8a007d3d70a1d71c3ccdc8a4af65e
SHA1 b2620c000f276af57cf0dd790b90e3254111a299
SHA256 2474d9804237af78918f78c1e87546c103d97cbaeec4957700968aed8c656a04
SHA512 99b6fb2cb850fe95e8c89b3cd7c6462eb2a4cce5f7f0bd153d4f95367d6f1cf6f45310e16b7a6e7bd1d8bb6f81241ea7279beee315be65748301d7b1de81150b

memory/2368-19-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp

memory/2640-22-0x0000000000BF0000-0x0000000000F14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lRglklHhE4bX.bat

MD5 c504f46305974f4f1f5f4cdc8e47b542
SHA1 13d155f4f6714bf6f7fa9a360cf3c61b6cbb5a27
SHA256 237d5a253e5eccc83f70f9ccbb53b824ccda2c006b895a234eab5a648dc2c9df
SHA512 12d3696c04776b70a98ec348dc092491a1769e86c1ad01098ff214d00799bf28855f64868db28e3449f717fda1bb24d0acbe281e863db9d39ef178473b976127

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\FSi7EoyLOKiS.bat

MD5 6a6bf01af96ab275a8491dd3a24f4c29
SHA1 e29ade8ac3b7663ce4f5c43ecbba9d474c465bdf
SHA256 3dcf978a150753ba9552e9ef6e6b2d03a513adfbc99eb329622c3e123ed0f021
SHA512 931f6acfd090ceac793f3a476304efe6635e11472c121be3d1fc623c6dee648c16f66ebdea3b054c9bf4eec26e5abcf38c9fed2bdaee2c20b426d78681b58a45

memory/1848-44-0x0000000000140000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rHC7h9zfLSQx.bat

MD5 47f6844370da316c29e4c57cefaf8aac
SHA1 ac2d08dd7d144be1ea94b916b557c1ea852aa810
SHA256 44180543079cf5451dba5d32dde23537cb7d56e3af6bfdbd7edeb836644c5ea7
SHA512 51b63a7305e0a32e6292c6315629b7dcc595109b543e7a6dab74db136512a9a68dee50e48625bc0b916341801a434a06c0eb92c7f03af6a76d1df73942e25a7f

memory/628-55-0x0000000000900000-0x0000000000C24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SOPFxnNRDr2O.bat

MD5 140a6051d5288d090a95c4356dd0aeb1
SHA1 438f6280ea66590fcaeda4f000c57ae76be4a7f5
SHA256 1dcd5a0a75b0903ef3fc5d33710a5e763952e033a1864e785c76963aab1e0e84
SHA512 f1eaf056533d417731ded0087654348a2c7af881fb7f34c2d2f07e92ef3f7623eb788fb52e466b4ba20feb189f57e5ca0b0b0c8917614823d4e7850d89e7e29f

memory/1736-67-0x0000000000110000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7sjQBkStnEuj.bat

MD5 7a1b656d02969666948de373c851da2c
SHA1 34410f44fd461b47cd5c0e2dac2d983eed44fd83
SHA256 f37e2d86cff7625a5310c46c920ff4393b2fc3a7bd57071b360f94e8a0805a71
SHA512 400145e2d85eb54a04f69ed2c44624a67bfef2fa5c46237707f5528ca7e427e5bdc5ef9a05f9214b3b9bf477be9e4b1552895117285313a0eb9d8bf91ff2c6e6

memory/2148-78-0x0000000000CF0000-0x0000000001014000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7XncvzNxmQRJ.bat

MD5 bd3c7fc042804fcbc3f8a2fe2abb6f0c
SHA1 ba4f0b74e97dbb4500965f33b2afec36f404aad9
SHA256 4e2b06e82e3a593c5edecac0b27dc07f8e578bec918f4e6513506cb66ba5930d
SHA512 d73e352931ca9e6453370fe042d7263f43428d95c71e19560dacf500de7c56ec8e13271531261a49fbe21ac08a0ffeb98e4c7e5b8f3443c5e7d39d6020342b3c

memory/2544-90-0x00000000012F0000-0x0000000001614000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fxx3to9kAoj2.bat

MD5 1d5963b75d0a5443dce734c11112685a
SHA1 c4b70e28371598c6f2a9e4213b090086f0b825e0
SHA256 1a681d742ed10613228ea28cb2e5f8aa31907083f63064bfb2d4b70141b29d43
SHA512 8c97a8efb5eb250e7b986ac817ffd2c6d119c29d077e2495688bee69a56148a39876fc0fb00d76593b87849d5432e937de26f459c76312272fc1d4cc93aa818a

C:\Users\Admin\AppData\Local\Temp\YcCOkuwfGPER.bat

MD5 669a627e4edab7a8e3bd252b1ddc600a
SHA1 a7003a2bbea36961b3052511a9d019fbbf0a5774
SHA256 49d3787117a065f1b3dbb3b3a715b3e052b25b8699b59cb192fe248373dc1c20
SHA512 e45d824b6c06b621e6525a83b5c895906c5a1d44a928c056bc8f3f4b1b6190731ecc25c223cbacb840da083bf1b4d634fffda16737652890d4f82824e6000b5f

C:\Users\Admin\AppData\Local\Temp\9bWzBUkDZOQl.bat

MD5 065a999b55ebbe10f9a3e12821879de6
SHA1 2a7c15a966aded3b9c0b520cc78f2f2ac5951163
SHA256 246d399efea56710048699622c51c218de0bcc75524a641a41a2b85b5011dcdb
SHA512 e419d405d9b59cd0a89313350a3bf9af97794803827eb299b7918d323eb71715f7ec14e112cb26917afe7199004284a93b31936597a7bdbbb7324988f9f9a2ac

C:\Users\Admin\AppData\Local\Temp\p1x4pjtB8tpf.bat

MD5 6785f4f898bfc376ce63d88ee9c25822
SHA1 2eb8c0c9eec37fde827698529d001dab976a4cbe
SHA256 78d352e37a9edeb45548c7b738d98eba07094ffa1c5671f931b132fc0951fe1e
SHA512 c31c8bf1cde69e34f5a54b1893c5939ad790adaa39cb6cdcd6dc118e4079b3b6de75d16044e42d170e49a2822a3ae0f34f4f1ab3f7752079f7ef7d44b4999f58

memory/2968-132-0x0000000000220000-0x0000000000544000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9DhqK0XZEwWR.bat

MD5 74d095baf709e371cea45bd601bba1e8
SHA1 4c20ffed811a17d2d1d9d0f1a8216271a5bc5323
SHA256 e786e1a43d400e1a36e19f5b0f1728fd30007eeead26f36adb6a89ba7c1cb923
SHA512 c16219f606d99d4b7dd3573a122c9d966dab905203b72e165570efaf8cda8de114dea0d628b2e4d4ae2dcfc39dc30fe295bb3fee8449958f8633ab72c70a68f7

memory/2996-143-0x00000000008E0000-0x0000000000C04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1xXAEkPyZz11.bat

MD5 fb8bf7e8daf16ccf4c0448a79ba5fc47
SHA1 c4e44705889b03b5a6d631dbe498ab5bd75b55c5
SHA256 7c504213dbe624a7e46f310524e3e1d948786630488d69167649772dcb425d11
SHA512 e9940c2a7c0aecb2ee9440f15f8da41b56e493e9a027dca15d760146df34fd8d9c209f8f3ef1e87aabef0e01ee61b83192054c24f1e8f0bbd6b416cade3d85e0

memory/740-154-0x0000000001210000-0x0000000001534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhwnjh8vXAUZ.bat

MD5 1ebe8fbe88a2b248f67a842c4efa451a
SHA1 db2d803644273b750ca40c49b257863f1475e4cf
SHA256 b7d81befeb5727a8522f1baeef1c5507643edcd426cd909b42a0a173ce33ca4d
SHA512 70e839f1f5c0109a3eee22e31681d578ce61128e41b9f67db64348b9229caae7c8407d9aae420b90ad5ed4b04d4e746db917de43eb8f29a4b11ba12f4dc4c00a

memory/584-165-0x0000000000070000-0x0000000000394000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\itQWUOBR8mtC.bat

MD5 3a29fe0c6e4251e9f60bcb6b126d4809
SHA1 5e825fb7e758555cc3a711e0649797c881491bef
SHA256 3ec75d5801f47cccf048f45e7622536d837188ed392fd017979f20575c48c4fb
SHA512 e85bc319c30193cd5a3c5dd020181a6075e07e92b1625b8ec3bdff5cea74171012edc4e92654628aec12b76e3695c5d026e0781191d128e61864d461e5be499e
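
Turning a Files list like the one above into indicators needs some filtering. The following is an added example, not part of the report: the paths and MD5/SHA1/SHA256 values are copied from four of the entries above (SHA512 lines omitted), while the classification labels and the "12 random characters" rule for per-run batch names are the editor's own. It shows that the \??\PIPE\srvsvc entry carries the hashes of empty input (recomputed rather than hardcoded), that the .bat files have per-run random names and hashes, and that the only hash worth keeping is the self-copy's, which equals the sample's.

```python
import hashlib
import re

SAMPLE_SHA256 = "6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf"

# Constructed input, copied from this report's behavioral1 Files section.
FILES_SECTION = r"""
C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat

MD5 a6a8a007d3d70a1d71c3ccdc8a4af65e
SHA1 b2620c000f276af57cf0dd790b90e3254111a299
SHA256 2474d9804237af78918f78c1e87546c103d97cbaeec4957700968aed8c656a04

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Temp\lRglklHhE4bX.bat

MD5 c504f46305974f4f1f5f4cdc8e47b542
SHA1 13d155f4f6714bf6f7fa9a360cf3c61b6cbb5a27
SHA256 237d5a253e5eccc83f70f9ccbb53b824ccda2c006b895a234eab5a648dc2c9df

memory/1620-1-0x0000000000F50000-0x0000000001274000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumed rule: Quasar-style batch names here are 12 alphanumerics in Temp.
RANDOM_BAT = re.compile(r"\\Temp\\[A-Za-z0-9]{12}\.bat$")
# Digests of empty input, computed rather than trusted from memory.
EMPTY = {a: getattr(hashlib, a)(b"").hexdigest() for a in ("md5", "sha1", "sha256", "sha512")}


def parse_files(section):
    """Each non-hash, non-blank line opens an entry; hash lines attach to it."""
    entries = []
    for line in section.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif not m:
            entries.append({"path": line, "hashes": {}})
    return entries


def is_empty_content(entry):
    """True when every reported digest is the digest of zero bytes."""
    h = entry["hashes"]
    return bool(h) and all(h[a] == EMPTY[a] for a in h if a in EMPTY)


def classify(entry):
    path, h = entry["path"], entry["hashes"]
    if path.startswith("memory/"):
        return "memory-dump"          # sandbox artifact, not a file on disk
    if path.startswith("\\??\\PIPE\\"):
        return "named-pipe"           # handle to an RPC pipe; hashes are of nothing
    if h.get("sha256") == SAMPLE_SHA256:
        return "self-copy"            # same bytes as the submitted sample
    if RANDOM_BAT.search(path):
        return "per-run-batch"        # name and content differ on every run
    return "unclassified"


def durable_hashes(entries):
    """SHA256 values worth putting on a blocklist: real content, not empty,
    not a one-off per-run artifact."""
    return {e["hashes"]["sha256"] for e in entries
            if classify(e) in ("self-copy", "unclassified")
            and "sha256" in e["hashes"] and not is_empty_content(e)}


def triage(section):
    return [(e["path"], classify(e), is_empty_content(e)) for e in parse_files(section)]


if __name__ == "__main__":
    for row in triage(FILES_SECTION):
        print(row)
    print("durable:", durable_hashes(FILES_SECTION and parse_files(FILES_SECTION)))
```

For hunting, pair the one durable hash with the stable path C:\Windows\System32\SubDir\SolaraExecutor.exe and the task name; the batch hashes above change on every execution and would only ever match this sandbox run.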

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-03 18:05

Reported

2024-08-03 18:08

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

2 matches; no indicator, process or target details recorded.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
File opened for modification C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3940 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3940 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3940 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 5040 wrote to memory of 4360 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5040 wrote to memory of 4360 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5040 wrote to memory of 3468 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 3468 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3468 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3468 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3468 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3468 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3468 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3248 wrote to memory of 4488 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3248 wrote to memory of 4488 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3248 wrote to memory of 1208 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 1208 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1208 wrote to memory of 4280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1208 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1208 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1208 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1208 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1104 wrote to memory of 2912 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1104 wrote to memory of 2912 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1104 wrote to memory of 3920 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 3920 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3920 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3920 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3920 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3920 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3920 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3920 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4324 wrote to memory of 2300 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4324 wrote to memory of 2300 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4324 wrote to memory of 2232 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4324 wrote to memory of 2232 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2232 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2232 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2232 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2232 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2232 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2124 wrote to memory of 2000 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2124 wrote to memory of 2000 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2124 wrote to memory of 4712 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 4712 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4712 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4712 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4712 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4712 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4712 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4712 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3656 wrote to memory of 2240 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3656 wrote to memory of 2240 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3656 wrote to memory of 4536 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 4536 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4536 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4536 wrote to memory of 3736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4536 wrote to memory of 3736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4536 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4536 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z4M5kiPTYYyu.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10NkFlgz8mo3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Yl9PML3brQU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2bIukoWT1E3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFHYGP0vUWNx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7PwLQ4u8UkO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7VUJLkZOHxXU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i96WVCWjJemA.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h7QxbW05AjZj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pdklk7DMGvcO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMaTqvpRpLak.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUgUil5dJDin.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iXguQ6uo2gzG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D22bRPcIhzjU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53694SMDEX20.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 38.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp

Files

memory/3940-0-0x00007FFACED13000-0x00007FFACED15000-memory.dmp

memory/3940-1-0x0000000000F70000-0x0000000001294000-memory.dmp

memory/3940-2-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

memory/3940-8-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/5040-9-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/5040-10-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/5040-11-0x000000001BC20000-0x000000001BC70000-memory.dmp

memory/5040-12-0x000000001BD30000-0x000000001BDE2000-memory.dmp

memory/5040-17-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z4M5kiPTYYyu.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log

C:\Users\Admin\AppData\Local\Temp\10NkFlgz8mo3.bat

C:\Users\Admin\AppData\Local\Temp\8Yl9PML3brQU.bat

C:\Users\Admin\AppData\Local\Temp\s2bIukoWT1E3.bat

C:\Users\Admin\AppData\Local\Temp\fFHYGP0vUWNx.bat

C:\Users\Admin\AppData\Local\Temp\l7PwLQ4u8UkO.bat

C:\Users\Admin\AppData\Local\Temp\7VUJLkZOHxXU.bat

C:\Users\Admin\AppData\Local\Temp\i96WVCWjJemA.bat

C:\Users\Admin\AppData\Local\Temp\h7QxbW05AjZj.bat

C:\Users\Admin\AppData\Local\Temp\pdklk7DMGvcO.bat

C:\Users\Admin\AppData\Local\Temp\rMaTqvpRpLak.bat

C:\Users\Admin\AppData\Local\Temp\QUgUil5dJDin.bat

C:\Users\Admin\AppData\Local\Temp\iXguQ6uo2gzG.bat

C:\Users\Admin\AppData\Local\Temp\D22bRPcIhzjU.bat

C:\Users\Admin\AppData\Local\Temp\53694SMDEX20.bat
