Malware Analysis Report

2024-10-23 21:24

Sample ID: 240803-wtrjka1cll
Target: Solara.exe
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Tags: office04 quasar discovery spyware trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

Tags: office04 quasar discovery spyware trojan

Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Runs ping.exe
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 18:13

Signatures

Quasar family (quasar)

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 18:13
Reported: 2024-08-03 18:15
Platform: win7-20240708-en
Max time kernel: 143s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (12 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A (15 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1528 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\system32\schtasks.exe
PID 1528 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3040 wrote to memory of 2792 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 3040 wrote to memory of 2876 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2876 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2876 wrote to memory of 1676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1676 wrote to memory of 1668 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 1676 wrote to memory of 2332 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2332 wrote to memory of 664 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2332 wrote to memory of 1652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2332 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1712 wrote to memory of 1324 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 1512 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 1512 wrote to memory of 832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1512 wrote to memory of 1476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1512 wrote to memory of 684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 684 wrote to memory of 2944 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 684 wrote to memory of 2276 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 2288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2276 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2276 wrote to memory of 1128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\j4ZIm2q79PQm.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEqlycYOIjew.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ctdHvfJUQrj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\T5ja72VNO0Ao.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bV0V6rE9Pod.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NW6GmEIm0IiR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EgF7GwxB1GFZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aX5WAmpdNPNR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HijkBihCFRNO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vvkDfZCmQJS1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yVeCWrgwT9wZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zjbJM0Yyo9OU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xM9IQCUGrp7G.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0tK1QKop3iHL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\atWohEgIoK0l.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp

Files

C:\Windows\System32\SubDir\SolaraExecutor.exe

C:\Users\Admin\AppData\Local\Temp\j4ZIm2q79PQm.bat

C:\Users\Admin\AppData\Local\Temp\TEqlycYOIjew.bat

C:\Users\Admin\AppData\Local\Temp\8ctdHvfJUQrj.bat

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Temp\T5ja72VNO0Ao.bat

C:\Users\Admin\AppData\Local\Temp\9bV0V6rE9Pod.bat

C:\Users\Admin\AppData\Local\Temp\NW6GmEIm0IiR.bat

C:\Users\Admin\AppData\Local\Temp\EgF7GwxB1GFZ.bat

C:\Users\Admin\AppData\Local\Temp\aX5WAmpdNPNR.bat

C:\Users\Admin\AppData\Local\Temp\HijkBihCFRNO.bat

C:\Users\Admin\AppData\Local\Temp\vvkDfZCmQJS1.bat

C:\Users\Admin\AppData\Local\Temp\yVeCWrgwT9wZ.bat

C:\Users\Admin\AppData\Local\Temp\zjbJM0Yyo9OU.bat

C:\Users\Admin\AppData\Local\Temp\xM9IQCUGrp7G.bat

C:\Users\Admin\AppData\Local\Temp\0tK1QKop3iHL.bat

C:\Users\Admin\AppData\Local\Temp\atWohEgIoK0l.bat

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 18:13
Reported: 2024-08-03 18:15
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A (15 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A (15 identical rows)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3992 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3992 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\Solara.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 5076 wrote to memory of 924 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 5076 wrote to memory of 5044 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 5044 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 5044 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 5044 wrote to memory of 2004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2004 wrote to memory of 3532 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2004 wrote to memory of 2908 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 4012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2908 wrote to memory of 2016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2908 wrote to memory of 3824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3824 wrote to memory of 756 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3824 wrote to memory of 3628 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 3628 wrote to memory of 1940 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3628 wrote to memory of 3680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3628 wrote to memory of 2008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2008 wrote to memory of 3624 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2008 wrote to memory of 628 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 628 wrote to memory of 3280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 628 wrote to memory of 1216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1216 wrote to memory of 2920 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1216 wrote to memory of 2920 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1216 wrote to memory of 688 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 688 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 688 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 688 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 688 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 688 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 688 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 688 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1516 wrote to memory of 1132 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1516 wrote to memory of 1132 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1516 wrote to memory of 2536 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1516 wrote to memory of 2536 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2536 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2536 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2536 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2536 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2536 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QFkUt3cDapL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BmAPOcdQF39.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R8tZY8snGbl3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jJcuK8sLY2HQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7Gd0Mm1JUAx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f54mdRJ7DHiv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOWhqt9EUo4V.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cRQLj3y7txvC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G0tqoFsdUxFn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZZS3DYp0DMv8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KC0MNA3b7FyV.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWUMf2QesGEc.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6cM2Kk1JMd6n.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcBduRfB5F3C.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ThJkxFEg4FoF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/3992-0-0x00007FFEAD823000-0x00007FFEAD825000-memory.dmp

memory/3992-1-0x0000000000880000-0x0000000000BA4000-memory.dmp

memory/3992-2-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

memory/3992-8-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

memory/5076-9-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

memory/5076-10-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

memory/5076-11-0x000000001C990000-0x000000001C9E0000-memory.dmp

memory/5076-12-0x000000001CAA0000-0x000000001CB52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5QFkUt3cDapL.bat

memory/5076-18-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log

C:\Users\Admin\AppData\Local\Temp\7BmAPOcdQF39.bat

C:\Users\Admin\AppData\Local\Temp\R8tZY8snGbl3.bat

C:\Users\Admin\AppData\Local\Temp\jJcuK8sLY2HQ.bat

C:\Users\Admin\AppData\Local\Temp\D7Gd0Mm1JUAx.bat

C:\Users\Admin\AppData\Local\Temp\f54mdRJ7DHiv.bat

C:\Users\Admin\AppData\Local\Temp\KOWhqt9EUo4V.bat

C:\Users\Admin\AppData\Local\Temp\cRQLj3y7txvC.bat

C:\Users\Admin\AppData\Local\Temp\G0tqoFsdUxFn.bat

C:\Users\Admin\AppData\Local\Temp\ZZS3DYp0DMv8.bat

C:\Users\Admin\AppData\Local\Temp\KC0MNA3b7FyV.bat

C:\Users\Admin\AppData\Local\Temp\rWUMf2QesGEc.bat

C:\Users\Admin\AppData\Local\Temp\6cM2Kk1JMd6n.bat

C:\Users\Admin\AppData\Local\Temp\BcBduRfB5F3C.bat

C:\Users\Admin\AppData\Local\Temp\ThJkxFEg4FoF.bat
