Analysis
-
max time kernel
143s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
04-08-2024 01:24
Behavioral task
behavioral1
Sample
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Resource
win7-20240708-en
General
-
Target
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
-
Size
3.1MB
-
MD5
3cf4f19b7c69135acb3c4c9bb9cdfb90
-
SHA1
e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
-
SHA256
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
-
SHA512
4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
-
SSDEEP
49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
-
family
quasar
-
version
1.4.1
-
botnet
Office04
-
c2
nohchy-47404.portmap.host:47404
-
mutex
1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
-
encryption_key
795CDD46D2CDD422BE523F263B64E03D8B6AAD42
-
install_name
SolaraExecutor.exe
-
log_directory
Logs
-
reconnect_delay
2000
-
startup_key
RtkAudUService64
-
subdirectory
SubDir
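The following is an added example, not part of the sandbox report or of Quasar itself. It turns the configuration fields above into hunting indicators: it parses the C2 field in the semicolon-separated host:port list format Quasar uses for its hosts setting, classifies the endpoint, derives the on-disk artefacts the config predicts, and runs the result over a few constructed connection-log rows. The tunnel-provider suffix list and the connection rows are assumptions; the System32 install base is what this run shows and is left as a parameter because Quasar's install location is chosen at build time.

```python
"""Hunting indicators derived from the extracted Quasar config, checked against
constructed telemetry. Added example; not part of the report or of Quasar."""
from ipaddress import ip_address

CONFIG = {  # values copied from the Malware Config section above
    "version": "1.4.1",
    "c2": "nohchy-47404.portmap.host:47404",
    "mutex": "1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9",
    "install_name": "SolaraExecutor.exe",
    "subdirectory": "SubDir",
    "startup_key": "RtkAudUService64",
    "reconnect_delay": 2000,
}

# Port-forwarding / tunnel services that let an operator expose a C2 listener
# without a static IP. Assumed starting list; extend it from your own intel.
TUNNEL_SUFFIXES = (".portmap.host", ".portmap.io", ".ngrok.io", ".serveo.net")


def parse_c2(raw):
    """Quasar stores its C2 list as 'host:port;host:port;'. Return [(host, port)],
    rejecting entries without a numeric port so a bad config is noticed early."""
    endpoints = []
    for entry in (e.strip() for e in raw.split(";")):
        if not entry:
            continue  # tolerates the trailing ';' the list format allows
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        endpoints.append((host.lower(), int(port)))
    return endpoints


def classify_host(host):
    """'ip', 'tunnel' (known port-forwarding provider) or 'domain'."""
    try:
        ip_address(host.strip("[]"))
        return "ip"
    except ValueError:
        return "tunnel" if host.lower().endswith(TUNNEL_SUFFIXES) else "domain"


def indicators(cfg, install_base=r"C:\Windows\system32"):
    """Artefacts the config predicts on an infected host. install_base is what
    this sandbox run shows; Quasar's install location is a build-time option."""
    install_dir = f"{install_base}\\{cfg['subdirectory']}"
    c2 = parse_c2(cfg["c2"])
    return {
        "c2": c2,
        "c2_kinds": {h: classify_host(h) for h, _ in c2},
        "install_path": f"{install_dir}\\{cfg['install_name']}",
        "task_name": cfg["startup_key"],
        "mutex": cfg["mutex"],
        "reconnect_seconds": cfg["reconnect_delay"] / 1000,
    }


# Constructed connection-log rows: (pid, destination host, destination port)
FLOWS = [
    (2744, "nohchy-47404.portmap.host", 47404),
    (1234, "update.microsoft.com", 443),
    (2744, "203.0.113.10", 47404),
]


def match_flows(ind, flows):
    """Full match on a configured C2 host; a weaker port-only match catches
    traffic to the same listener reached by IP rather than by name."""
    hosts = {h for h, _ in ind["c2"]}
    ports = {p for _, p in ind["c2"]}
    hits = []
    for pid, host, port in flows:
        if host.lower() in hosts:
            hits.append((pid, host, port, "c2_host"))
        elif port in ports:
            hits.append((pid, host, port, "c2_port_only"))
    return hits


if __name__ == "__main__":
    ind = indicators(CONFIG)
    for key, value in ind.items():
        print(f"{key}: {value}")
    for hit in match_flows(ind, FLOWS):
        print("hit:", hit)
```

The port-only match is deliberately weaker and will need a pid or process-name filter in a real estate; it is there because a portmap-style hostname is cheap for the operator to change while the forwarded port tends to stay the same.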
Signatures
-
Quasar payload 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2916-1-0x0000000000EF0000-0x0000000001214000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\SolaraExecutor.exe | family_quasar
behavioral1/memory/2744-8-0x0000000000D20000-0x0000000001044000-memory.dmp | family_quasar
behavioral1/memory/2200-22-0x0000000000280000-0x00000000005A4000-memory.dmp | family_quasar
behavioral1/memory/2624-33-0x0000000000030000-0x0000000000354000-memory.dmp | family_quasar
behavioral1/memory/2168-44-0x0000000001040000-0x0000000001364000-memory.dmp | family_quasar
behavioral1/memory/1248-56-0x0000000000120000-0x0000000000444000-memory.dmp | family_quasar
behavioral1/memory/1444-67-0x00000000010F0000-0x0000000001414000-memory.dmp | family_quasar
behavioral1/memory/340-91-0x00000000011B0000-0x00000000014D4000-memory.dmp | family_quasar
behavioral1/memory/1632-134-0x00000000000A0000-0x00000000003C4000-memory.dmp | family_quasar
behavioral1/memory/2064-146-0x0000000001220000-0x0000000001544000-memory.dmp | family_quasar
Executes dropped EXE 15 IoCs
Processes:
pid | process
2744 | SolaraExecutor.exe
2200 | SolaraExecutor.exe
2624 | SolaraExecutor.exe
2168 | SolaraExecutor.exe
1248 | SolaraExecutor.exe
1444 | SolaraExecutor.exe
3024 | SolaraExecutor.exe
340 | SolaraExecutor.exe
2136 | SolaraExecutor.exe
912 | SolaraExecutor.exe
2372 | SolaraExecutor.exe
1632 | SolaraExecutor.exe
2064 | SolaraExecutor.exe
2852 | SolaraExecutor.exe
2172 | SolaraExecutor.exe
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems. In this run, however, all 15 invocations are "ping -n 10 localhost": they only touch the loopback interface and serve as a delay of roughly nine seconds inside each batch file before the dropped executable is started again, so this signature reflects a sleep primitive here rather than any network discovery.
Processes:
pid | process
2864 | PING.EXE
324 | PING.EXE
2340 | PING.EXE
1008 | PING.EXE
760 | PING.EXE
2560 | PING.EXE
2904 | PING.EXE
2868 | PING.EXE
2420 | PING.EXE
1536 | PING.EXE
1908 | PING.EXE
1532 | PING.EXE
2416 | PING.EXE
1252 | PING.EXE
1888 | PING.EXE
Runs ping.exe 1 TTPs 15 IoCs
Processes:
pid | process
2864 | PING.EXE
1532 | PING.EXE
1252 | PING.EXE
1008 | PING.EXE
324 | PING.EXE
2340 | PING.EXE
2420 | PING.EXE
1888 | PING.EXE
1908 | PING.EXE
2904 | PING.EXE
2560 | PING.EXE
2416 | PING.EXE
1536 | PING.EXE
760 | PING.EXE
2868 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the original sample and every relaunched copy of SolaraExecutor.exe run the same command, schtasks /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f, so the task is created or overwritten 16 times: it fires at every logon, runs with the highest available privileges, and /f suppresses the prompt when the name already exists. The task name equals the startup_key from the extracted config and the target path is the configured subdirectory plus install_name under System32; writing there requires that the sample was already running elevated.
Processes:
pid | process
2132 | schtasks.exe
908 | schtasks.exe
2512 | schtasks.exe
536 | schtasks.exe
636 | schtasks.exe
1888 | schtasks.exe
1588 | schtasks.exe
2672 | schtasks.exe
2540 | schtasks.exe
2816 | schtasks.exe
2236 | schtasks.exe
2716 | schtasks.exe
3008 | schtasks.exe
1688 | schtasks.exe
2376 | schtasks.exe
936 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2916 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Token: SeDebugPrivilege | 2744 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2200 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2624 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2168 | SolaraExecutor.exe
Token: SeDebugPrivilege | 1248 | SolaraExecutor.exe
Token: SeDebugPrivilege | 1444 | SolaraExecutor.exe
Token: SeDebugPrivilege | 3024 | SolaraExecutor.exe
Token: SeDebugPrivilege | 340 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2136 | SolaraExecutor.exe
Token: SeDebugPrivilege | 912 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2372 | SolaraExecutor.exe
Token: SeDebugPrivilege | 1632 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2064 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2852 | SolaraExecutor.exe
Token: SeDebugPrivilege | 2172 | SolaraExecutor.exe
Suspicious use of FindShellTrayWindow 15 IoCs
Processes:
pid | process
2744 | SolaraExecutor.exe
2200 | SolaraExecutor.exe
2624 | SolaraExecutor.exe
2168 | SolaraExecutor.exe
1248 | SolaraExecutor.exe
1444 | SolaraExecutor.exe
3024 | SolaraExecutor.exe
340 | SolaraExecutor.exe
2136 | SolaraExecutor.exe
912 | SolaraExecutor.exe
2372 | SolaraExecutor.exe
1632 | SolaraExecutor.exe
2064 | SolaraExecutor.exe
2852 | SolaraExecutor.exe
2172 | SolaraExecutor.exe
Suspicious use of SendNotifyMessage 15 IoCs
Processes:
pid | process
2744 | SolaraExecutor.exe
2200 | SolaraExecutor.exe
2624 | SolaraExecutor.exe
2168 | SolaraExecutor.exe
1248 | SolaraExecutor.exe
1444 | SolaraExecutor.exe
3024 | SolaraExecutor.exe
340 | SolaraExecutor.exe
2136 | SolaraExecutor.exe
912 | SolaraExecutor.exe
2372 | SolaraExecutor.exe
1632 | SolaraExecutor.exe
2064 | SolaraExecutor.exe
2852 | SolaraExecutor.exe
2172 | SolaraExecutor.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2744 | SolaraExecutor.exe
2200 | SolaraExecutor.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
Identical parent/child pairs are collapsed; the last column gives how many times each pair is recorded (64 entries in total).
PID 2916 wrote to memory of 1688 | 2916 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | schtasks.exe | 3
PID 2916 wrote to memory of 2744 | 2916 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | SolaraExecutor.exe | 3
PID 2744 wrote to memory of 2132 | 2744 | SolaraExecutor.exe | schtasks.exe | 3
PID 2744 wrote to memory of 2696 | 2744 | SolaraExecutor.exe | cmd.exe | 3
PID 2696 wrote to memory of 2672 | 2696 | cmd.exe | chcp.com | 3
PID 2696 wrote to memory of 2560 | 2696 | cmd.exe | PING.EXE | 3
PID 2696 wrote to memory of 2200 | 2696 | cmd.exe | SolaraExecutor.exe | 3
PID 2200 wrote to memory of 636 | 2200 | SolaraExecutor.exe | schtasks.exe | 3
PID 2200 wrote to memory of 2780 | 2200 | SolaraExecutor.exe | cmd.exe | 3
PID 2780 wrote to memory of 2436 | 2780 | cmd.exe | chcp.com | 3
PID 2780 wrote to memory of 2868 | 2780 | cmd.exe | PING.EXE | 3
PID 2780 wrote to memory of 2624 | 2780 | cmd.exe | SolaraExecutor.exe | 3
PID 2624 wrote to memory of 2816 | 2624 | SolaraExecutor.exe | schtasks.exe | 3
PID 2624 wrote to memory of 288 | 2624 | SolaraExecutor.exe | cmd.exe | 3
PID 288 wrote to memory of 1364 | 288 | cmd.exe | chcp.com | 3
PID 288 wrote to memory of 1532 | 288 | cmd.exe | PING.EXE | 3
PID 288 wrote to memory of 2168 | 288 | cmd.exe | SolaraExecutor.exe | 3
PID 2168 wrote to memory of 1888 | 2168 | SolaraExecutor.exe | schtasks.exe | 3
PID 2168 wrote to memory of 2076 | 2168 | SolaraExecutor.exe | cmd.exe | 3
PID 2076 wrote to memory of 2908 | 2076 | cmd.exe | chcp.com | 3
PID 2076 wrote to memory of 324 | 2076 | cmd.exe | PING.EXE | 3
PID 2076 wrote to memory of 1248 | 2076 | cmd.exe | SolaraExecutor.exe | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[n] is the depth of the process in the tree; each entry is a child of the nearest preceding entry at depth n-1.
-
[1] C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
    PID:2916
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:1688
    - Scheduled Task/Job: Scheduled Task
[2] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2744
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2132
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat" "
    PID:2696
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:2672
[4] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2560
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2200
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:636
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\s8cSGWumUXcy.bat" "
    PID:2780
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:2436
[6] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2868
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2624
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2816
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9a9JatYmIKwD.bat" "
    PID:288
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:1364
[8] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:1532
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2168
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:1888
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSp0LcAZqQIi.bat" "
    PID:2076
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:2908
[10] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:324
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:1248
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[11] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:908
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ookcGWi0iaCr.bat" "
    PID:1892
[12] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:1720
[12] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2416
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:1444
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[13] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2236
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Gs52dFuOOAc.bat" "
    PID:2344
[14] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:1464
[14] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2340
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:3024
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[15] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:1588
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\fHUypsR5cZe8.bat" "
    PID:2648
[16] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:2928
[16] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:1008
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:340
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[17] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2672
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\T4RnteHx2LUO.bat" "
    PID:2576
[18] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:3016
[18] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:1252
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2136
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[19] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2512
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufVoy4qTmJBg.bat" "
    PID:692
[20] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:2888
[20] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2420
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:912
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[21] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:536
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6wxKarHO4iDi.bat" "
    PID:1772
[22] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:1288
[22] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:1888
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2372
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[23] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2376
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XVn1Wk0PyNtH.bat" "
    PID:444
[24] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:860
[24] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:1536
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:1632
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[25] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2540
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\z0fvVgTurJIq.bat" "
    PID:2308
[26] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:3036
[26] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:760
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2064
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[27] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:936
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MhLSwW5PbTD8.bat" "
    PID:2936
[28] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:1588
[28] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:1908
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2852
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[29] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:2716
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XC5vi1IMF8Fy.bat" "
    PID:1036
[30] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:2252
[30] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2864
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Windows\system32\SubDir\SolaraExecutor.exe
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    PID:2172
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[31] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    PID:3008
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HV4X7nAPaktd.bat" "
    PID:3016
[32] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID:764
[32] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    PID:2904
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
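The tree above repeats one chain many times: a scheduled task is (re)created with ONLOGON and run level HIGHEST pointing into a System32 subfolder, then cmd.exe runs a batch file from Temp whose children are chcp.com, a ping to localhost and a fresh copy of the very image that spawned the batch. The following is an added example, not part of the sandbox report, of detection logic for that chain over constructed Sysmon-style process-creation events. PIDs, images and command lines are copied from the tree and the parent links are read off it; the three benign decoy rows, the parent PID 1000, and the allow-list of System32 subfolders are assumptions to be tuned for a real estate.

```python
"""Detection for the persistence and restart chain in the process tree above,
run over constructed Sysmon-style process-creation events.
Added example; not part of the sandbox report."""
import re
from collections import Counter

S32 = r"C:\Windows\system32"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
RAT = S32 + r"\SubDir\SolaraExecutor.exe"
TASK_CMD = (r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
            r'/tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f')


def ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed events: PIDs, images and command lines come from the tree, parent
# links are read off it, and the last three rows are invented benign decoys.
EVENTS = [
    ev(2916, 1000, SAMPLE, f'"{SAMPLE}"'),
    ev(1688, 2916, S32 + r"\schtasks.exe", TASK_CMD),
    ev(2744, 2916, RAT, f'"{RAT}"'),
    ev(2132, 2744, S32 + r"\schtasks.exe", TASK_CMD),
    ev(2696, 2744, S32 + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat" "'),
    ev(2672, 2696, S32 + r"\chcp.com", "chcp 65001"),
    ev(2560, 2696, S32 + r"\PING.EXE", "ping -n 10 localhost"),
    ev(2200, 2696, RAT, f'"{RAT}"'),
    ev(636, 2200, S32 + r"\schtasks.exe", TASK_CMD),
    ev(2780, 2200, S32 + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\s8cSGWumUXcy.bat" "'),
    ev(2436, 2780, S32 + r"\chcp.com", "chcp 65001"),
    ev(2868, 2780, S32 + r"\PING.EXE", "ping -n 10 localhost"),
    ev(2624, 2780, RAT, f'"{RAT}"'),
    ev(3100, 1000, S32 + r"\schtasks.exe", r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
    ev(3101, 1000, S32 + r"\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\build.bat"'),
    ev(3102, 3101, S32 + r"\PING.EXE", "ping -n 10 localhost"),
]

# System32 subfolders that legitimately hold task targets (assumed; tune per estate).
KNOWN_SYS32_SUBDIRS = {"wbem", "windowspowershell", "openssh"}


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd):
    """Map each /switch to its value (True for bare switches such as /f)."""
    toks, args, i = tokens(cmd), {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def suspicious_target(path):
    """Task action in a user-writable Temp/AppData path or an unexpected System32 subfolder."""
    p = path.lower()
    if "\\appdata\\" in p or "\\temp\\" in p:
        return True
    m = re.match(r"[a-z]:\\windows\\system32\\([^\\]+)\\", p)
    return bool(m) and m.group(1) not in KNOWN_SYS32_SUBDIRS


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    alerts = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name == "schtasks.exe":
            a = parse_schtasks(e["cmd"])
            if (a.get("create") and str(a.get("sc", "")).upper() in {"ONLOGON", "ONSTART"}
                    and str(a.get("rl", "")).upper() == "HIGHEST"
                    and suspicious_target(str(a.get("tr", "")))):
                alerts.append(("elevated_logon_task", e["pid"], a.get("tn"), a["tr"]))
        elif name == "cmd.exe":
            # Restart loop: cmd runs a batch from Temp, the batch pings localhost as a
            # sleep, then starts the same image as cmd's own parent (self-relaunch).
            bat = re.search(r'([a-z]:\\[^"]*?\.bat)', e["cmd"], re.I)
            parent = by_pid.get(e["ppid"])
            kids = children.get(e["pid"], [])
            sleeps = any(re.search(r"ping\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", k["cmd"], re.I)
                         for k in kids)
            relaunch = parent is not None and any(
                k["image"].lower() == parent["image"].lower() for k in kids)
            if bat and sleeps and relaunch:
                alerts.append(("ping_sleep_self_relaunch", e["pid"], bat.group(1), parent["image"]))
    return alerts


def relaunch_count(alerts):
    """How many times each image re-spawned itself through the batch-and-ping loop."""
    return Counter(img.lower() for kind, _, _, img in alerts if kind == "ping_sleep_self_relaunch")


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(*alert)
    print(dict(relaunch_count(found)))
```

The self-relaunch check (the batch's child image equals the image of the process that launched the batch) is what separates this loop from an ordinary build script that happens to use ping as a delay; the decoy build.bat row produces no alert for exactly that reason, and the daily backup task is ignored because it is neither a logon trigger nor aimed at an unusual location.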
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
204B
MD5 de8778ddb3c735833bb8129de217f702
SHA1 85676f9bb246429bb6557c31cdb1f179a8dbab21
SHA256 f73c21b4ea8fd4885cc387a5b32a8f6f0103478cd5c52fdecd03390b7006d3d0
SHA512 8e9f18c5d5d995ede538aa71c10aadce16784d48597b571f44607e63a3ccbe2f16008bddb2f6d8f2f8b23d460a6e789cd5f60b71df178dcccdbec38dfdd8bd92
-
Filesize
204B
MD5 007aece500a3802fa3461e0a7d217e49
SHA1 d6d96d15679932570ee589607807e7b7c86a9138
SHA256 f6034f9dd5b936c9c62a66073ed0bcb9394bae3dd9f0b0eed64f5e3e42f6e9cb
SHA512 4c69f1b067db5b7048e3b6e63997218834b9df722b42de925b6be6c53753721f793346779aa32076ad00b31374d2f8d51d8008f9bd81766c86418ab905fa0b32
-
Filesize
204B
MD5 b40ecb22a2201a9d4d8d8681007cf62e
SHA1 c19a9da42637d979e1e0024fbaa41ab9f99cc25d
SHA256 8cbe2131f43905764537dee5f4c00bf766ed73739d9a014c0bd347cebfb2874c
SHA512 ba3ca397e2ee4de281559a89d68cdc7ddd8252225faa3a06fdc9134fdd9e07da7e76eacdf6d0a46b210f51d100061145849010ab5177135047d68c8ed2e2f7a9
-
Filesize
204B
MD5 2b0ea848d60689f71e36de6acb56c4e9
SHA1 ba83f8f1ea87add2b1f47cd5fb3332a6e73c9b52
SHA256 dd252e892706c39dd87ada2598677e7078e6b45ebf41ddf3c5a0a27532d1cce0
SHA512 5d104c428d428375361204c2cfde6409eeb908dbfc83afb06a6f121d5bfe231a4f8eafd92066180947ab943595e953923822f3e1422dac45eb89d5d51d2806c0
-
Filesize
204B
MD5 a2a8dfbfe593f8740fbbaa5a7b4f3993
SHA1 a69675e7f25a416ec7cb28ff8b6e8491b60575ca
SHA256 348b52fdd349748c3ac31832dfe0d446dbba1e8f585b759096b32abbe076db03
SHA512 8b851a1f367d93bb386f3d7c861fa26396e2fd9664d55211556374cb1f7d34064f94d56e9b0815c9f577771c40ad6d8c10c5ba1f179192ca7168042f8d3bf06c
-
Filesize
204B
MD5 c85d83fa92faf8eb694431434d33f8d4
SHA1 15743690e3fdf143e33a2afc5aa20ea5aee13d92
SHA256 f5ff779bd4eb9fe6b6313fa68d8b034e53f075231409541122d765548612c221
SHA512 8c56b9b51cabacaad6e340b1e4e7f53562c84054fd444927e88856e61b7c7f243e85d75256d2f7bd43eb79c67a07b460fcbaebd29a6b7d0a8762f6f7ae6eeead
-
Filesize
204B
MD5 5f68362e375bd080ea500a5cdfb1699b
SHA1 f68650ea2a35e53cff02d544315f9c6f2af6b849
SHA256 443db0cd5795d9ac2e553499003ae813961cc57ab4e22ee6ea41d0345d17b20c
SHA512 f5f585560e0e34020cd9ce4fb0628c918389bb54461b3599b57801b95e077072d5bc05f831c328017e3f84b7a365a7c64730661f9e8ba6ab0b143e7dc4fc0ff6
-
Filesize
204B
MD5 cb8edf2378050ab1cc2dd5fbe014e9f3
SHA1 b65c3e91bb146ea69e25dcdae3ff42958bf4b0be
SHA256 c3bea631b92b3854ec53850d77964af26befaa6839f71221f7ecbeab0c357b06
SHA512 fb88c19b06b180799e990e3b862a7601b9cc2c8aa142b76a369b8ab2f101f597b28c1956d68ffad21ea9dc5b8c4ad6614ce235c6cc04169e8435e4dc2b8c305f
-
Filesize
204B
MD5 f0ee2b391eae0e0620f7a0f2dbedddce
SHA1 d4a40d655b5fa9f80a61dd09f9d99c39c1ab5785
SHA256 394d8fad0a6ac74e8cf73cea2f667910fb654a9996c80ad729560b22839c93f0
SHA512 73484ea613cf8cd9787a018aa6173565075ca0bc16d7ba56ed1448a4df27aee297fdf57bd5f9b7fd8c1ceb85ecf3e15043f54620969abc5646096f82aa906795
-
Filesize
204B
MD5 6bedd3c7e9b0fb40977706b879ebb724
SHA1 ce075859e40ce7acd338a57f6d35bf739f455e8d
SHA256 13ca9f2cd94459756d71985964146fa82e546081c39ed276af3d03e717565cb0
SHA512 1dd682d606feb7353fc71b8b359a303550c6c89a20ac8035e7e715d386e8400380f7c37555074e1e31d7b8f9c4cbfab488545df0b30d2f522ec5afd20c971bae
-
Filesize
204B
MD5 934d079a2a60a12fca0f174ce4e6d8ef
SHA1 76d9f8ff0397cbd956b3326dbb1caee5517093b8
SHA256 231e4645511ebc84e49a1658c129b5eccaac9bace556231d79176e74a937bfce
SHA512 4f7c846887eb7960dead87fcbb4323be89ecac59baa8957fc3c9f9f0301f0489f8e8e95b0039a93d037564afe233f8698e067ca785f776f9c020223d8cb452ac
-
Filesize
204B
MD5 cbbdfa0bb326f7e63a367fe9be7fd888
SHA1 2cdcf825e9162be34502052dd37e3c4894a01df6
SHA256 32213a5b4f50dbe1e80db42be22d577671826cf47e9ca9ccb1eeb874520c88f1
SHA512 29d7b3b7d474cc779fa4d67c47f043873c14812a5d12494960f292c26938d5bb8831fbba79f85ef1763b229f4ac5f4733dea5e7cb4857ecbf72838acb72daf77
-
Filesize
204B
MD5 e82c82d014db1cae3e5ea8e8883038f5
SHA1 ff72b1f95932c4bebaef8b58ec28d3172fe2d3db
SHA256 21a7d1afc096d20036554e927a653822d6fd6d4e12db6260ff7e0a8465eaa11a
SHA512 963b69c5c0737f7ed6e935eed596e80005f45ce3eca37890b6ae7981b9b8e44b05c2016c6a5988ba790ce709cfeb2e5c95123fc77b1d3e27ed7f1df0c6a91845
-
Filesize
204B
MD5 daddb1b98c2aa9bf6535c7cce995eafb
SHA1 774286ebd53cd08f20e739d16895fe66c76b14ff
SHA256 7aca139ed0eff45af2911354921132fde1d712363dffe4e7e8f961f056b1b9ee
SHA512 2c06abecd9afa7e47631b51dc1af960102f2f68d545ad21fff2615d5763d38c9bb1814d83692aa83580342d75915af281d5f2fa0a8c17a273f8b2d326e573d26
-
Filesize
204B
MD5 8665de82fa2addcebe13a8cf19f4bd6d
SHA1 14d247f8486d45925fabc9d83e1f7aec49905ea2
SHA256 d2e063ec33888db0afb1e5fa2b05e18592e47a8958bdfeeed9cff3304c17305f
SHA512 4c30a1f4c701e2f1c94feabbf73d6854c316e6c7f3dc19f06c55c93226af7e3bceb8175f1a10284d2cc763e6495cac5cbb2e6e77a14114595119d63b5752939d
-
Filesize
3.1MB (the submitted sample; hashes match the General section)
MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
-
Filesize
0B (these are the digests of empty input)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e