Analysis
max time kernel: 143s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 18:13

Behavioral task: behavioral1
Sample: Solara.exe
Resource: win7-20240708-en
General
Target: Solara.exe
Size: 3.1MB
MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted (family: quasar)
Version: 1.4.1
Botnet: Office04
C2: nohchy-47404.portmap.host:47404
Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
install_name: SolaraExecutor.exe
log_directory: Logs
reconnect_delay: 2000 (milliseconds between reconnect attempts)
startup_key: RtkAudUService64
subdirectory: SubDir

The install fields map directly onto the behaviour recorded below: subdirectory plus install_name give C:\Windows\System32\SubDir\SolaraExecutor.exe, and startup_key is the name of the scheduled task that is created (RtkAudUService64, the name of Realtek's audio service executable, chosen to blend in). The C2 is a hostname under portmap.host, a public port-forwarding service, so the address of the operator's own machine does not appear in the sample.
Signatures

Quasar payload (12 IoCs)
YARA rule family_quasar matched on the following resources:
- behavioral1/memory/1528-1-0x00000000009F0000-0x0000000000D14000-memory.dmp
- C:\Windows\System32\SubDir\SolaraExecutor.exe
- behavioral1/memory/3040-9-0x0000000001340000-0x0000000001664000-memory.dmp
- behavioral1/memory/1712-32-0x0000000000310000-0x0000000000634000-memory.dmp
- behavioral1/memory/684-43-0x00000000000E0000-0x0000000000404000-memory.dmp
- behavioral1/memory/1128-55-0x0000000001300000-0x0000000001624000-memory.dmp
- behavioral1/memory/2724-96-0x00000000000F0000-0x0000000000414000-memory.dmp
- behavioral1/memory/1324-108-0x00000000011E0000-0x0000000001504000-memory.dmp
- behavioral1/memory/2244-119-0x0000000000030000-0x0000000000354000-memory.dmp
- behavioral1/memory/2340-131-0x0000000000E20000-0x0000000001144000-memory.dmp
- behavioral1/memory/1696-142-0x0000000000150000-0x0000000000474000-memory.dmp
- behavioral1/memory/2092-164-0x0000000000330000-0x0000000000654000-memory.dmp
Each memory match is a 0x324000-byte region in one Solara.exe or SolaraExecutor.exe process, i.e. the same payload present in every relaunched copy.

Executes dropped EXE (15 IoCs)
SolaraExecutor.exe, PIDs: 3040, 1676, 1712, 684, 1128, 1524, 1888, 2028, 2724, 1324, 2244, 2340, 1696, 1884, 2092

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\system32\SubDir\SolaraExecutor.exe (by Solara.exe)
- File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe (by Solara.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE, PIDs: 1264, 2064, 2084, 2728, 1652, 2152, 2132, 1476, 1476, 1720, 2540, 1496, 2748, 1764, 1532
(PID 1476 appears twice because the sandbox reused it for two separate ping processes; see the tree below.)

Runs ping.exe (1 TTP, 15 IoCs)
PING.EXE, PIDs: 2728, 1476, 1532, 1264, 1496, 2748, 2132, 1652, 2540, 2152, 2064, 1720, 1476, 1764, 2084

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe, PIDs: 3024, 2512, 2792, 2780, 2428, 2336, 2484, 2944, 2844, 2996, 1668, 1324, 2212, 2828, 2772, 1776

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege enabled by
- 1528 Solara.exe
- SolaraExecutor.exe, PIDs: 3040, 1676, 1712, 684, 1128, 1524, 1888, 2028, 2724, 1324, 2244, 2340, 1696, 1884, 2092

Suspicious use of FindShellTrayWindow (15 IoCs)
SolaraExecutor.exe, PIDs: 3040, 1676, 1712, 684, 1128, 1524, 1888, 2028, 2724, 1324, 2244, 2340, 1696, 1884, 2092

Suspicious use of SendNotifyMessage (15 IoCs)
SolaraExecutor.exe, PIDs: 3040, 1676, 1712, 684, 1128, 1524, 1888, 2028, 2724, 1324, 2244, 2340, 1696, 1884, 2092

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child write below was recorded three times; the report caps the list at 64 entries, so it stops part-way through the fifth round.
- 1528 Solara.exe -> 2512 schtasks.exe (x3)
- 1528 Solara.exe -> 3040 SolaraExecutor.exe (x3)
- 3040 SolaraExecutor.exe -> 2792 schtasks.exe (x3)
- 3040 SolaraExecutor.exe -> 2876 cmd.exe (x3)
- 2876 cmd.exe -> 2712 chcp.com (x3)
- 2876 cmd.exe -> 2728 PING.EXE (x3)
- 2876 cmd.exe -> 1676 SolaraExecutor.exe (x3)
- 1676 SolaraExecutor.exe -> 1668 schtasks.exe (x3)
- 1676 SolaraExecutor.exe -> 2332 cmd.exe (x3)
- 2332 cmd.exe -> 664 chcp.com (x3)
- 2332 cmd.exe -> 1652 PING.EXE (x3)
- 2332 cmd.exe -> 1712 SolaraExecutor.exe (x3)
- 1712 SolaraExecutor.exe -> 1324 schtasks.exe (x3)
- 1712 SolaraExecutor.exe -> 1512 cmd.exe (x3)
- 1512 cmd.exe -> 832 chcp.com (x3)
- 1512 cmd.exe -> 1476 PING.EXE (x3)
- 1512 cmd.exe -> 684 SolaraExecutor.exe (x3)
- 684 SolaraExecutor.exe -> 2944 schtasks.exe (x3)
- 684 SolaraExecutor.exe -> 2276 cmd.exe (x3)
- 2276 cmd.exe -> 2288 chcp.com (x3)
- 2276 cmd.exe -> 2540 PING.EXE (x3)
- 2276 cmd.exe -> 1128 SolaraExecutor.exe (x1, list truncated)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Bracketed numbers give the depth in the process tree; the signatures each process triggered are listed beneath its command line.

[1] C:\Users\Admin\AppData\Local\Temp\Solara.exe (PID 1528)
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe (PID 2512)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 3040)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\schtasks.exe (PID 2792)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 2876)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\j4ZIm2q79PQm.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 2712)
    chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 2728)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1676)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\schtasks.exe (PID 1668)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 2332)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEqlycYOIjew.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 664)
    chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 1652)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1712)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\schtasks.exe (PID 1324)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 1512)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ctdHvfJUQrj.bat" "
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 832)
    chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 1476)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 684)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\schtasks.exe (PID 2944)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 2276)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\T5ja72VNO0Ao.bat" "
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 2288)
    chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 2540)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1128)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[11] C:\Windows\system32\schtasks.exe (PID 2844)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 2284)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bV0V6rE9Pod.bat" "
[12] C:\Windows\system32\chcp.com (PID 1744)
    chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 2152)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1524)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[13] C:\Windows\system32\schtasks.exe (PID 2780)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 3036)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NW6GmEIm0IiR.bat" "
[14] C:\Windows\system32\chcp.com (PID 2572)
    chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 1264)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1888)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[15] C:\Windows\system32\schtasks.exe (PID 2212)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 1720)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\EgF7GwxB1GFZ.bat" "
[16] C:\Windows\system32\chcp.com (PID 3024)
    chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 1496)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2028)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[17] C:\Windows\system32\schtasks.exe (PID 2828)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 2084)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\aX5WAmpdNPNR.bat" "
[18] C:\Windows\system32\chcp.com (PID 2880)
    chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 2748)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2724)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[19] C:\Windows\system32\schtasks.exe (PID 2772)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 2904)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HijkBihCFRNO.bat" "
[20] C:\Windows\system32\chcp.com (PID 2352)
    chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 1764)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1324)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[21] C:\Windows\system32\schtasks.exe (PID 2428)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 1260)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\vvkDfZCmQJS1.bat" "
[22] C:\Windows\system32\chcp.com (PID 2936)
    chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 1476)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2244)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[23] C:\Windows\system32\schtasks.exe (PID 1776)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 444)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\yVeCWrgwT9wZ.bat" "
[24] C:\Windows\system32\chcp.com (PID 2276)
    chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 2132)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2340)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[25] C:\Windows\system32\schtasks.exe (PID 2996)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 2476)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\zjbJM0Yyo9OU.bat" "
[26] C:\Windows\system32\chcp.com (PID 1336)
    chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 1532)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1696)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[27] C:\Windows\system32\schtasks.exe (PID 2336)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 2456)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\xM9IQCUGrp7G.bat" "
[28] C:\Windows\system32\chcp.com (PID 1808)
    chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 2064)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1884)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[29] C:\Windows\system32\schtasks.exe (PID 3024)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 2868)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\0tK1QKop3iHL.bat" "
[30] C:\Windows\system32\chcp.com (PID 2516)
    chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 1720)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2092)
    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[31] C:\Windows\system32\schtasks.exe (PID 2484)
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 2172)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\atWohEgIoK0l.bat" "
[32] C:\Windows\system32\chcp.com (PID 2728)
    chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 2084)
    ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
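The tree is one loop repeated fifteen times: every SolaraExecutor.exe re-registers the RtkAudUService64 logon task, drops a fresh randomly named .bat in %TEMP% and runs it through cmd /c; the batch switches the console to UTF-8 (chcp 65001), waits roughly nine seconds (ping -n 10 localhost sends ten echoes one second apart), and starts the executor again from C:\Windows\system32\SubDir. Fifteen rounds in a 143-second run is consistent with that delay. What follows is an added example for this report, not code from the sandbox or the sample: it rebuilds that chain from process-creation telemetry (parent PID, PID, image, command line) and reports the task registrations, the ping sleeps and every relaunch of a task target out of a %TEMP% batch file. EVENTS is constructed from the first three rounds of the tree above; the field names of a real Sysmon Event ID 1 or EDR feed differ but carry the same four values.

```python
"""Rebuild the Solara.exe -> SolaraExecutor.exe relaunch loop from process
telemetry and flag its persistence pattern.  Added example for this report;
not code from the sandbox or the sample."""
import re

TASK_CMD = (r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
            r'/tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f')
EXEC = r"C:\Windows\system32\SubDir\SolaraExecutor.exe"
SYS32 = r"C:\Windows\system32"

# Constructed telemetry mirroring the first three rounds of the tree above:
# (parent PID, PID, image path, command line), in creation order.
EVENTS = [
    (0,    1528, r"C:\Users\Admin\AppData\Local\Temp\Solara.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Solara.exe"'),
    (1528, 2512, SYS32 + r"\schtasks.exe", TASK_CMD),
    (1528, 3040, EXEC, f'"{EXEC}"'),
    (3040, 2792, SYS32 + r"\schtasks.exe", TASK_CMD),
    (3040, 2876, SYS32 + r"\cmd.exe",
                 r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\j4ZIm2q79PQm.bat" "'),
    (2876, 2712, SYS32 + r"\chcp.com", "chcp 65001"),
    (2876, 2728, SYS32 + r"\PING.EXE", "ping -n 10 localhost"),
    (2876, 1676, EXEC, f'"{EXEC}"'),
    (1676, 1668, SYS32 + r"\schtasks.exe", TASK_CMD),
    (1676, 2332, SYS32 + r"\cmd.exe",
                 r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEqlycYOIjew.bat" "'),
    (2332, 664,  SYS32 + r"\chcp.com", "chcp 65001"),
    (2332, 1652, SYS32 + r"\PING.EXE", "ping -n 10 localhost"),
    (2332, 1712, EXEC, f'"{EXEC}"'),
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.bat)', re.I)
PING_RE = re.compile(r'^ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1|::1)\b', re.I)


def tokenize(cmdline):
    """Whitespace split that honours double quotes.  Not shlex: its POSIX
    mode eats the backslashes in Windows paths."""
    return [quoted if bare == "" else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Return the switches of a schtasks command line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    args = {"create": "/create" in lowered, "force": "/f" in lowered}
    for i, t in enumerate(lowered[:-1]):
        if t in ("/tn", "/sc", "/tr", "/rl", "/ru"):
            args[t[1:]] = toks[i + 1]          # keep the original casing of values
    return args


def in_system32_subdir(path):
    """True when the binary lives below System32 (System32\SubDir\... here)."""
    p = path.lower().replace("/", "\\")
    marker = "\\windows\\system32\\"
    i = p.find(marker)
    return i >= 0 and "\\" in p[i + len(marker):]


def ping_sleep_seconds(cmdline):
    """'ping -n N localhost' waits one second between echoes: about N-1 seconds."""
    m = PING_RE.search(cmdline.strip())
    return int(m.group(1)) - 1 if m else None


def analyze(events):
    by_pid = {pid: (ppid, image, cmd) for ppid, pid, image, cmd in events}
    tasks, targets = [], set()
    for ppid, pid, image, cmd in events:           # pass 1: what gets persisted
        a = parse_schtasks(cmd) if basename(image) == "schtasks.exe" else None
        if a and a["create"]:
            tasks.append({"pid": pid, "name": a.get("tn"), "trigger": a.get("sc"),
                          "target": a.get("tr"), "runlevel": a.get("rl"), "force": a["force"]})
            targets.add(a.get("tr", "").lower())
    r = {"tasks": tasks, "batch_files": [], "sleep_seconds": [],
         "relaunches": 0, "alerts": [], "max_depth": 0}
    for ppid, pid, image, cmd in events:           # pass 2: the relaunch loop
        parent = by_pid.get(ppid)
        parent_is_bat = bool(parent and basename(parent[1]) == "cmd.exe"
                             and BAT_RE.search(parent[2]))
        depth, p = 1, ppid
        while p in by_pid:                         # walk up to the root
            depth, p = depth + 1, by_pid[p][0]
        r["max_depth"] = max(r["max_depth"], depth)
        b = basename(image)
        if b == "cmd.exe":
            m = BAT_RE.search(cmd)
            if m:
                r["batch_files"].append(m.group(1))
        elif b == "ping.exe":
            s = ping_sleep_seconds(cmd)
            if s is not None:
                r["sleep_seconds"].append(s)
        elif image.lower() in targets and parent_is_bat:
            r["relaunches"] += 1
            r["alerts"].append(f"pid {pid}: scheduled-task target relaunched from a "
                               f"%TEMP% batch file (cmd.exe pid {ppid})")
    for t in tasks:
        if ((t["trigger"] or "").upper() in ("ONLOGON", "ONSTART")
                and (t["runlevel"] or "").upper() == "HIGHEST"
                and in_system32_subdir(t["target"] or "")):
            r["alerts"].append(f"pid {t['pid']}: logon task {t['name']!r} runs "
                               f"{t['target']} elevated from a non-standard System32 subdirectory")
    return r


if __name__ == "__main__":
    res = analyze(EVENTS)
    print(f"{len(res['tasks'])} task registrations, {res['relaunches']} relaunches, "
          f"sleeps {res['sleep_seconds']} s, chain depth {res['max_depth']}")
    for a in res["alerts"]:
        print("ALERT", a)
```

The two checks are deliberately independent: the schtasks rule fires on the first registration (PID 2512) before any relaunch has happened, while the relaunch rule catches the loop even if the task creation is missed, because it keys on a task target being started by cmd.exe that was itself launched with a %TEMP% .bat. Applied to the full tree above it would report 16 registrations, 14 relaunches and a depth of 32.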
Network
MITRE ATT&CK Enterprise v15
Downloads
Fifteen files of 204 bytes (distinct hashes each), one 3.1MB file whose hashes are identical to the submitted Solara.exe, and one entry whose digests are those of zero-length input (an empty file).

- Filesize 204B
  MD5 aba5421d8d08bf2dcca99b2a77293b9c
  SHA1 1cfe54ca57f55a3a4bb3fedd7ebc62a4c76ca57b
  SHA256 15b504c07c0c341a4e7a5d1c9ca88bcb5607c545584ecbb08dcd89c267407dcc
  SHA512 2f83cc226b63ec89667cd0267d69a7e5efc18919202afa8571f693387fc5e79887c29fe7a73f15291270690eed5b50d67e8d013762f4f241b4d52bcca778d1fe
- Filesize 204B
  MD5 6c0eb6b81db45eec90df2433ded7e25e
  SHA1 17cd19b0dae654ae717fe6f8c6557dbefd1494e8
  SHA256 ddffc9422b9f0bdca7e99da78eaef7bc3fe265de8399cae52138ea1a628638f3
  SHA512 f7830377b1b3bbc21eccde9cb99f60da1cb8744f516b8eab6ccf4b60c6737b3a3b700102e2d757c939422f8f9cdd24fb8cf3deafa7760aec9a05915dfc04c039
- Filesize 204B
  MD5 409b5271edb07fdbb22d507578c79aba
  SHA1 0c10f878b7a6c81ea2fb178aa455aef50387ab0b
  SHA256 551c280be21c249095615039aad7d34dd1aa70b5187064e1d6d5b6e450653441
  SHA512 dcdc4d1b8e5a0d2bfa4fdff166deeddeaa3d940a78516c113da74913d12e39706809c248bd193399b9ce1f9e79a8bd2cd2ee651a9941b30ee645ec096af93ff1
- Filesize 204B
  MD5 443a2387c249d6d1e54255347688ac0e
  SHA1 1f7ae829cb9c3f65e823246dce09c292f33df48e
  SHA256 49e40b34550f4f96cb800a59b4c8a75a431edc11e0f2498734940c391a6cf0bb
  SHA512 af63485b8f70e8435136618807e7c38162c7593f6c0fedb8a85253302c74950fed346aa9c93e9e4d3ec46b13a67f94a4ce36238c2f4198f03282d3d7d4ac572c
- Filesize 204B
  MD5 c789fafce38765e6997fc94f61b4b033
  SHA1 14ed44521afc26f68ad8dd85f6a0d1849ae54d26
  SHA256 82f4c9f8eb73e900777e8c33036efa8927c4314e72319e0d11f990ad9e884ae6
  SHA512 1acf2032da901e6c2b783a5af7f1d9c02c86758d401d58c26a95bb3737a8631e95ee03f2df3ab4fe49dc59040bee167a84f18655b3a58b94ee8deeff7dbb9562
- Filesize 204B
  MD5 59d6184a86a395862bac3222e0795b25
  SHA1 18fc4f91c094fd0bc2d890983671042e2e42e18b
  SHA256 0de8c77e2012368326e3fab0ef83f43351190f7b8ea87c62511897a4decacf8d
  SHA512 6f0232697ed3d1e60a2caa82fa0a5ae4714ed5fdbe4ca6f9fefa47f1f58c150f09a1484c7789c041d1ed28abfa12a7482f1367516579b8effc9fb144c336b505
- Filesize 204B
  MD5 754c35adf6dbec8a6cdd9b9cff1b274b
  SHA1 1651783687450c6c317b1c4b0d9e2f78a2486ed9
  SHA256 eef191ead12765ba80aa33a596012b0c0b65b8b28425379cd80355b95eccc01c
  SHA512 f11028b306533e0e3db33a5758d9f672b31281da816ad6d8dbd27424a5bee32c5e6dc547c1c5468ea6d49ed78974d3cbde1cd31726a5637900acc3efdb05e470
- Filesize 204B
  MD5 57276dcab44c5852c9e4b6edf7c455d8
  SHA1 aa483ff2619d19bd316feaf141e210658724af6e
  SHA256 b23f32bf77ce242498758057924f443cb8ca6469f820d88d8552e509028113b7
  SHA512 e0dbcb48b22dbdbd12e0607ef504d182ceec4a1f87d0555dcd81b0a24f9ae974053c965ed21a9ced2be59c5c875a69e4e6f8bba1311f5429f55d646d9ba706f1
- Filesize 204B
  MD5 df0c45557f79c600853f450db8b08b0b
  SHA1 3bc81b9b100fa7ca1c6df2097edc1e764ae49d5c
  SHA256 ec0918c76c366f5c5ec0d61e42af8ffb8db54eb84059921422285ee37e8b8b5e
  SHA512 ce875b7b16e215f4713682822658212aa5b3b73fd37ba8195349801728bd5da4768a9fe331d3d7c37c808aafe8f6781f141fd52a20782530cf517af88a4cf234
- Filesize 204B
  MD5 8adbfb6bb69099919b6185edbcb85fed
  SHA1 a27a886187f9239f8f31f78b5d8accb1bea5e02f
  SHA256 6bdc3868ff7e2166dafcc398d70001e46108bee24f149de6727cbe9907c0e5ca
  SHA512 2701c210dd2e4d03337383e472fb5118e7b54a995e4b15f22a360997903f63ce1127f3ec393d1104a700dab1518740b13dc82abbe8ef4db1ef6f72cf61093c12
- Filesize 204B
  MD5 1ae85b7ad9eae704f6b8377121c27906
  SHA1 978ef070c9956a0e8ad21c3bee54978638f91795
  SHA256 e1d3a07ba65ab639ba3c38e77273d0d482dbfcb09135e62b05e1e8afe14b1607
  SHA512 47e354aaa30b8434e8d25476b3dc11469c90d07f8ee3eac1abf46f6f767840d28e10b9db7807a2ba73d72cb8157b74c2d2a85ce8ef0b36d396946eabcca6376f
- Filesize 204B
  MD5 7dd27d1c93a4bcd71ce4ff5b2c4d1de2
  SHA1 29d3bcdfa1646297110e83668e84d5df3d88dd09
  SHA256 2d526a8a5be46b9237a9fe47cf314437ac796f4d3d49fa05f92b7601ba4d5435
  SHA512 5cc7a3a76f1d9b54c63df382b7aee5056bffacfe15a0f555525589e651e2b86b74295053820f2bdc91ffcad1483e6b65920d0e2cc510f1a12da3ded980b8ecf4
- Filesize 204B
  MD5 86b95b9bb5742c553faedef171a2c959
  SHA1 ea628b5523a4646920bfb22833bfc1bdeba47ca3
  SHA256 40b134b644e4205b4fb734e26eed310c1873f1361b7ad33eff13ad22857f217a
  SHA512 0dd600603a7317e1b2ace4c5cbce8abf9e4696fab8c68e46e48811d5bb85f8d9248da5bc79e5c75b6db5f376930cbaec2fa15f6b9784b60d495d08ed183059af
- Filesize 204B
  MD5 2fa21fc29389715b5f6629e48f8cbc99
  SHA1 438fd8d10f338313a3fefb974eed2e263d446d4e
  SHA256 25e17bfbcaab275b6b4c9ad8e9299d4e7f069c2c7b8c635cd54ce3a9d55fabd7
  SHA512 4033294a1a4844f624f6ce778f4f3ebf4b5bf338fb30432c654e91efbe4f37c0dc0c865fea84b4a4aadd147ea22b9957816fc648133e3c53249dfa1915adac17
- Filesize 204B
  MD5 27ad95411f6b6fff7dabf03bb4f29cf2
  SHA1 6ba909350dd88f0eae83b166b2a5e61e7a0d1559
  SHA256 73ea208958851eef98508170dc0f880dcde0a6c408e8bbd5465a82f1e6dda60e
  SHA512 fe49784aab1535f30b621f7191c5fdf8a43ff68605eb5c0f3ce1fef225ed6496d5dbd024cf8ff77c2991e5f0c0c32938ddb55684ec04755a6b05bf29c60aa90d
- Filesize 3.1MB (identical to the submitted sample)
  MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
  SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
  SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
  SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- Filesize not listed (digests of an empty file)
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e