Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-08-2024 18:13
Behavioral task
behavioral1
Sample
Solara.exe
Resource
win7-20240708-en
General
-
Target
Solara.exe
-
Size
3.1MB
-
MD5
3cf4f19b7c69135acb3c4c9bb9cdfb90
-
SHA1
e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
-
SHA256
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
-
SHA512
4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
-
SSDEEP
49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
-
family
quasar
-
version
1.4.1
-
botnet
Office04
-
c2
nohchy-47404.portmap.host:47404
-
mutex
1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
-
encryption_key
795CDD46D2CDD422BE523F263B64E03D8B6AAD42
-
install_name
SolaraExecutor.exe
-
log_directory
Logs
-
reconnect_delay
2000
-
startup_key
RtkAudUService64
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
resource                                                                     yara_rule
behavioral2/memory/3992-1-0x0000000000880000-0x0000000000BA4000-memory.dmp   family_quasar
C:\Windows\System32\SubDir\SolaraExecutor.exe                                family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                    process
Key value queried   \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation   SolaraExecutor.exe
(the same query is recorded 15 times, once for each of the 15 SolaraExecutor.exe instances)
-
Executes dropped EXE 15 IoCs
pid    process
5076   SolaraExecutor.exe
2004   SolaraExecutor.exe
3824   SolaraExecutor.exe
2008   SolaraExecutor.exe
1216   SolaraExecutor.exe
1516   SolaraExecutor.exe
2584   SolaraExecutor.exe
2732   SolaraExecutor.exe
4940   SolaraExecutor.exe
2716   SolaraExecutor.exe
4748   SolaraExecutor.exe
452    SolaraExecutor.exe
4376   SolaraExecutor.exe
2720   SolaraExecutor.exe
1212   SolaraExecutor.exe
-
Drops file in System32 directory 2 IoCs
description                    ioc                                             process
File created                   C:\Windows\system32\SubDir\SolaraExecutor.exe   Solara.exe
File opened for modification   C:\Windows\system32\SubDir\SolaraExecutor.exe   Solara.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid    process
4956   PING.EXE
3648   PING.EXE
4312   PING.EXE
4516   PING.EXE
3404   PING.EXE
4520   PING.EXE
3680   PING.EXE
3280   PING.EXE
2912   PING.EXE
5052   PING.EXE
1716   PING.EXE
4780   PING.EXE
4488   PING.EXE
2016   PING.EXE
4324   PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid    process
4956   PING.EXE
3404   PING.EXE
4324   PING.EXE
4488   PING.EXE
2016   PING.EXE
3680   PING.EXE
5052   PING.EXE
4312   PING.EXE
3648   PING.EXE
3280   PING.EXE
1716   PING.EXE
4516   PING.EXE
4520   PING.EXE
2912   PING.EXE
4780   PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    process
2920   schtasks.exe
2916   schtasks.exe
2292   schtasks.exe
756    schtasks.exe
3532   schtasks.exe
632    schtasks.exe
1144   schtasks.exe
4560   schtasks.exe
3756   schtasks.exe
756    schtasks.exe
940    schtasks.exe
5044   schtasks.exe
4368   schtasks.exe
1132   schtasks.exe
3624   schtasks.exe
924    schtasks.exe
(PID 756 appears twice: the same PID was reused for two separate schtasks.exe runs)
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description              pid    process
Token: SeDebugPrivilege  3992   Solara.exe
Token: SeDebugPrivilege  5076   SolaraExecutor.exe
Token: SeDebugPrivilege  2004   SolaraExecutor.exe
Token: SeDebugPrivilege  3824   SolaraExecutor.exe
Token: SeDebugPrivilege  2008   SolaraExecutor.exe
Token: SeDebugPrivilege  1216   SolaraExecutor.exe
Token: SeDebugPrivilege  1516   SolaraExecutor.exe
Token: SeDebugPrivilege  2584   SolaraExecutor.exe
Token: SeDebugPrivilege  2732   SolaraExecutor.exe
Token: SeDebugPrivilege  4940   SolaraExecutor.exe
Token: SeDebugPrivilege  2716   SolaraExecutor.exe
Token: SeDebugPrivilege  4748   SolaraExecutor.exe
Token: SeDebugPrivilege  452    SolaraExecutor.exe
Token: SeDebugPrivilege  4376   SolaraExecutor.exe
Token: SeDebugPrivilege  2720   SolaraExecutor.exe
Token: SeDebugPrivilege  1212   SolaraExecutor.exe
-
Suspicious use of FindShellTrayWindow 15 IoCs
pid    process
5076   SolaraExecutor.exe
2004   SolaraExecutor.exe
3824   SolaraExecutor.exe
2008   SolaraExecutor.exe
1216   SolaraExecutor.exe
1516   SolaraExecutor.exe
2584   SolaraExecutor.exe
2732   SolaraExecutor.exe
4940   SolaraExecutor.exe
2716   SolaraExecutor.exe
4748   SolaraExecutor.exe
452    SolaraExecutor.exe
4376   SolaraExecutor.exe
2720   SolaraExecutor.exe
1212   SolaraExecutor.exe
-
Suspicious use of SendNotifyMessage 15 IoCs
pid    process
5076   SolaraExecutor.exe
2004   SolaraExecutor.exe
3824   SolaraExecutor.exe
2008   SolaraExecutor.exe
1216   SolaraExecutor.exe
1516   SolaraExecutor.exe
2584   SolaraExecutor.exe
2732   SolaraExecutor.exe
4940   SolaraExecutor.exe
2716   SolaraExecutor.exe
4748   SolaraExecutor.exe
452    SolaraExecutor.exe
4376   SolaraExecutor.exe
2720   SolaraExecutor.exe
1212   SolaraExecutor.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid    process
2720   SolaraExecutor.exe
1212   SolaraExecutor.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description             pid    process             target process
PID 3992 wrote to memory of 940    3992   Solara.exe          schtasks.exe
PID 3992 wrote to memory of 5076   3992   Solara.exe          SolaraExecutor.exe
PID 5076 wrote to memory of 924    5076   SolaraExecutor.exe  schtasks.exe
PID 5076 wrote to memory of 5044   5076   SolaraExecutor.exe  cmd.exe
PID 5044 wrote to memory of 4720   5044   cmd.exe             chcp.com
PID 5044 wrote to memory of 4520   5044   cmd.exe             PING.EXE
PID 5044 wrote to memory of 2004   5044   cmd.exe             SolaraExecutor.exe
PID 2004 wrote to memory of 3532   2004   SolaraExecutor.exe  schtasks.exe
PID 2004 wrote to memory of 2908   2004   SolaraExecutor.exe  cmd.exe
PID 2908 wrote to memory of 4012   2908   cmd.exe             chcp.com
PID 2908 wrote to memory of 2016   2908   cmd.exe             PING.EXE
PID 2908 wrote to memory of 3824   2908   cmd.exe             SolaraExecutor.exe
PID 3824 wrote to memory of 756    3824   SolaraExecutor.exe  schtasks.exe
PID 3824 wrote to memory of 3628   3824   SolaraExecutor.exe  cmd.exe
PID 3628 wrote to memory of 1940   3628   cmd.exe             chcp.com
PID 3628 wrote to memory of 3680   3628   cmd.exe             PING.EXE
PID 3628 wrote to memory of 2008   3628   cmd.exe             SolaraExecutor.exe
PID 2008 wrote to memory of 3624   2008   SolaraExecutor.exe  schtasks.exe
PID 2008 wrote to memory of 628    2008   SolaraExecutor.exe  cmd.exe
PID 628 wrote to memory of 968     628    cmd.exe             chcp.com
PID 628 wrote to memory of 3280    628    cmd.exe             PING.EXE
PID 628 wrote to memory of 1216    628    cmd.exe             SolaraExecutor.exe
PID 1216 wrote to memory of 2920   1216   SolaraExecutor.exe  schtasks.exe
PID 1216 wrote to memory of 688    1216   SolaraExecutor.exe  cmd.exe
PID 688 wrote to memory of 2692    688    cmd.exe             chcp.com
PID 688 wrote to memory of 5052    688    cmd.exe             PING.EXE
PID 688 wrote to memory of 1516    688    cmd.exe             SolaraExecutor.exe
PID 1516 wrote to memory of 1132   1516   SolaraExecutor.exe  schtasks.exe
PID 1516 wrote to memory of 2536   1516   SolaraExecutor.exe  cmd.exe
PID 2536 wrote to memory of 4700   2536   cmd.exe             chcp.com
PID 2536 wrote to memory of 1716   2536   cmd.exe             PING.EXE
PID 2536 wrote to memory of 2584   2536   cmd.exe             SolaraExecutor.exe
(each of the 32 parent/child pairs above is recorded twice in the report, giving the 64 IoCs in the heading)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\Solara.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3992
-
[depth 2] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 940
-
[depth 2] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5076
-
[depth 3] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 924
-
[depth 3] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QFkUt3cDapL.bat" "
- Suspicious use of WriteProcessMemory
PID: 5044
-
[depth 4] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 4720
-
[depth 4] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4520
-
[depth 4] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2004
-
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 3532
-
[depth 5] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BmAPOcdQF39.bat" "
- Suspicious use of WriteProcessMemory
PID: 2908
-
[depth 6] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 4012
-
[depth 6] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2016
-
[depth 6] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3824
-
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 756
-
[depth 7] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R8tZY8snGbl3.bat" "
- Suspicious use of WriteProcessMemory
PID: 3628
-
[depth 8] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 1940
-
[depth 8] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3680
-
[depth 8] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2008
-
[depth 9] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 3624
-
[depth 9] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jJcuK8sLY2HQ.bat" "
- Suspicious use of WriteProcessMemory
PID: 628
-
[depth 10] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 968
-
[depth 10] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3280
-
[depth 10] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1216
-
[depth 11] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2920
-
[depth 11] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7Gd0Mm1JUAx.bat" "
- Suspicious use of WriteProcessMemory
PID: 688
-
[depth 12] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 2692
-
[depth 12] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5052
-
[depth 12] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1516
-
[depth 13] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 1132
-
[depth 13] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f54mdRJ7DHiv.bat" "
- Suspicious use of WriteProcessMemory
PID: 2536
-
[depth 14] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 4700
-
[depth 14] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1716
-
[depth 14] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2584
-
[depth 15] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2916
-
[depth 15] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOWhqt9EUo4V.bat" "
PID: 4452
-
[depth 16] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 1616
-
[depth 16] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2912
-
[depth 16] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2732
-
[depth 17] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 632
-
[depth 17] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cRQLj3y7txvC.bat" "
PID: 2156
-
[depth 18] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 4604
-
[depth 18] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4312
-
[depth 18] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4940
-
[depth 19] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 1144
-
[depth 19] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G0tqoFsdUxFn.bat" "
PID: 3464
-
[depth 20] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 1292
-
[depth 20] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4516
-
[depth 20] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2716
-
[depth 21] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4560
-
[depth 21] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZZS3DYp0DMv8.bat" "
PID: 4720
-
[depth 22] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 1280
-
[depth 22] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4956
-
[depth 22] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4748
-
[depth 23] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 3756
-
[depth 23] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KC0MNA3b7FyV.bat" "
PID: 700
-
[depth 24] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 3432
-
[depth 24] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3648
-
[depth 24] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 452
-
[depth 25] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 5044
-
[depth 25] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWUMf2QesGEc.bat" "
PID: 4428
-
[depth 26] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 4332
-
[depth 26] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4780
-
[depth 26] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4376
-
[depth 27] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 756
-
[depth 27] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6cM2Kk1JMd6n.bat" "
PID: 684
-
[depth 28] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 3480
-
[depth 28] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3404
-
[depth 28] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 2720
-
[depth 29] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2292
-
[depth 29] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcBduRfB5F3C.bat" "
PID: 4784
-
[depth 30] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 2264
-
[depth 30] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4324
-
[depth 30] C:\Windows\system32\SubDir\SolaraExecutor.exe
command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 1212
-
[depth 31] C:\Windows\SYSTEM32\schtasks.exe
command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4368
-
[depth 31] C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ThJkxFEg4FoF.bat" "
PID: 4080
-
[depth 32] C:\Windows\system32\chcp.com
command line: chcp 65001
PID: 4348
-
[depth 32] C:\Windows\system32\PING.EXE
command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4488
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
204B
MD5 db9984b04057b514bc356dd572a5bd34
SHA1 22a9d7e4bd3d1b89bd0207334765ebde0eaf2fd4
SHA256 5d4831801ef77c4baeb250c9144b061dc3fead873956218c2b4ec31db29fd70f
SHA512 397a7b14812dc109fe59466dd2a200f9e121418c5765c16840c26493e5f843a6d63ff7377077519e7e753abdec72ebfd56bf019c93778876cd647fe0cb60c2af
-
Filesize
204B
MD5 983379afa0dd79113b9fac276ad5f12d
SHA1 f4b893c8cc8521faf4ad17f386e6bb5476a5b563
SHA256 f31f94a1c8ab9ff4d9e54a26a0b127073080ae0849adb9845683ac78a17297f7
SHA512 07d2716f73c696481030966b3408ff9c23b9ba7ec9f196301aa092951b7696e6f078df9ee9db447299c82d10b9977f2940296935102a14537da63ca17a823b6d
-
Filesize
204B
MD5 1e4d438d8dd74c02329e6c7379ef2522
SHA1 621a1cb8c977b61094afb146e5b74ab6a16654c4
SHA256 ff91acc7b62ad10f3a0d3a6ad51428a1ba5b0cd06f5b340e9b582f38079cf73d
SHA512 c9818c9887405eba495f9df8ed2c853a0b65503dfb6a527d44daae74fc90e89f629daa9ebd29d35929b4118df10b8d5b2fec19fc57cf96327d35a2e121b57cbf
-
Filesize
204B
MD5 2cee91dd84cc2b5fa9b03fbdf704fdfa
SHA1 7e70af61e417300b90f43b598db247bffd72538a
SHA256 a37ee2fa99b4eed7633602b54a8b9597321bd342a71f4befb67a16e200545d18
SHA512 4601fb2b960ff4516cf9b1fac42953dbee4abbcb1b9d4cd47e0655b3b75f7a0ae04649e461ffc5f5514baec94cd321ee8f76af30b994cbc6001530e1d4e1c591
-
Filesize
204B
MD5 e10d804fba7c4a951086d5ec88e37f12
SHA1 c09ff3274aec0579132eabf2ba4beba777b774f7
SHA256 83a7cb4a425911ee5a958ff669ce8355240ae1dcbafcc399bf31920e4b4e8b65
SHA512 6fb4c18faac4f0caff16f5bcbacc1927c7e8d5894e316bf4627a8d7525c4809bbaac4a0d884ec752a40b2b06d37d572dcfe878a9d06d218f84a6a893d5d11063
-
Filesize
204B
MD5 3f02d67f17216e8bc461ebbf5fe92ab1
SHA1 e5f849e5c223487a64665c0b3eacd6f419d25999
SHA256 1482aa81fd394f03b0f8d0dfdeaab1b337ffa9271c2a0112ec7ce80297630273
SHA512 777cc29c50cc38e7129f379128343d2185bcfaca809a97d68ac1edf73d9a6853cb0c3965627b5541bd7a4b237b179a01f5895eb571b242366ace255f3d5ffbb9
-
Filesize
204B
MD5 42c7afb1a2ecc0840e55a37f194fa4d8
SHA1 43a99b787b266a943eadf4065462fda06de96496
SHA256 fc63d1a87a7214383e367883ea4833f7c02d0d58c30ac82dacca500097c545c7
SHA512 f954a78806d79d1406f5aa4407fbfa64808fe18df67a909d2549ea0004cb391f7ad5868c13e6c613fedbd4e6bfa55c813cede3286cbc5ae45fd40684e5d187c3
-
Filesize
204B
MD5 0a6dedfcabb794a2e3c18367fe37f27e
SHA1 1d0af4482e9dd52b9ba75e8c650f6f1e71c1afb7
SHA256 2c2d1196b18bc8f6632c9d84a8afd41c55906bb78741dc4d5a6a035e4b0e8bf0
SHA512 57e5cce3775c38216841b09728b53e44aa313bc86b001bea5cd9d2ada8bf7e015ef65818ea867a5bc486ccb6ab95078e485c94d1172696ba36339ec26e4941b7
-
Filesize
204B
MD5 06c7d1a0501ce421516cee7db0e21848
SHA1 05e223ce6a15a7d8ba90cb944c64a2df0a166d48
SHA256 fb26e7306345f87f5ef32b65558f0e8bf88a2cc4ea978d84a360024de2dbcb5f
SHA512 0bda0d2856b5929a434c89ad6be8b1cc7682a9d1b06156fff84f26cbda3300235e7d5ca41d128fa63b9acb1e34300428ef757a304b59435b2bdd0f46213d7038
-
Filesize
204B
MD5 62410b43a04d9e63c6c859baba85deb6
SHA1 a1be67275321a4dd8547af54bf4c135f11d78f25
SHA256 425b1b45a17f9db7af8f92d996e440f5beb41692c7163392760b725d84d3edc0
SHA512 c590c8a89297127e93277a377c2e7bc50839f6b63f531ceb09fb4d2724dd8b793dc8856adf05a194c19bbc1b8311b82d70e359b2b71a01dd2c2ec304c206d8f5
-
Filesize
204B
MD5 9116f5386ffe46bf566259d968716e17
SHA1 f335514c887e89fc79cac686936ab63346b499b8
SHA256 6dd3f9393bb7a5ce27996d1cc550323bcefc2639687a6cce5480d78768d2ac2a
SHA512 fbdb642e2ec590493a55dc8bb73b1865e3e5406f96639f0ac149e8fdcedd649ff773a459457f2880776cd3f983a228f29956a3e73d21bdfd42d44cb9e79a83ad
-
Filesize
204B
MD5 402b17874ee4e6d5633b945caa1a7578
SHA1 57f03126d072d361e5e0bed08ba32cec29692099
SHA256 2eb4c59e96a5bca8567af7a2071fc4fcf20e59c9ae425a868e3e550a856c67bf
SHA512 806012c4352fabfe8d2b14ac3deda18650842b741955c7caa22f70dd2eb7f5eec4f7dcbd45d857e2902e5eb0ff1d6c62c880599ac7dca7f9e5a99e177573f561
-
Filesize
204B
MD5 64e11a48fedb332a828dabfc6a70df30
SHA1 ce38f364b6bca79d74e002a02def9456000088a1
SHA256 b0b755afc034dd33424fd5c37e65d561b764ec46d17c042eac13ea373c6ecf87
SHA512 3a3597b00cee290517580a8739b66a1efb45b02efe9ed196dda1b1df6c9b0d4519eae9d004864dfa4fbfd06d771a2798f4e1f3e5bfdfabf84ffcf3328b3f246e
-
Filesize
204B
MD5 47ca068d93f19a24059657dab90b7ea9
SHA1 df1899263becdecc377c38747793e12aa590d369
SHA256 8432c2aa5d085f3e392aace208df244ee7d023b0cfad2428e6b13ab89fb46ad5
SHA512 3c0936f0a87ad22dfe7e48d51efecb38dae9823034dbdf9a5dbd160212b80c04955cb05d4bd950fe1bf34699d7144828073fcc2e7fcf9cdf92891ba0624986c6
-
Filesize
204B
MD5 9aa1805e9d75b45073cc4317ef319553
SHA1 a90a5180440c1c04a82bd67af2db67d9d0cd4374
SHA256 69e595b03a313c6d9dbff37de82c69ece7073dd357506632c7c3d837cbbf3b19
SHA512 78775542c1e1e023134f332ee6b217477901a2e177303b1c4ac16e0f58411a1c586a091c170444953ba118b2b01a0b4d6d90e82bbe4f9ac77cbca7241ebcc5cc
-
Filesize
3.1MB
MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd