Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2024 01:24
- Behavioral task: behavioral1
- Sample: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- Resource: win7-20240708-en
General
- Target: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- Size: 3.1MB
- MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
- SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
- SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
- SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
- quasar 1.4.1
- Office04
- nohchy-47404.portmap.host:47404
- 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
- encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
- install_name: SolaraExecutor.exe
- log_directory: Logs
- reconnect_delay: 2000
- startup_key: RtkAudUService64
- subdirectory: SubDir
Signatures

Quasar payload 2 IoCs
Processes:
- resource behavioral2/memory/688-1-0x0000000000D80000-0x00000000010A4000-memory.dmp matched yara_rule family_quasar
- resource C:\Windows\System32\SubDir\SolaraExecutor.exe matched yara_rule family_quasar

Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (queried by each of the 15 SolaraExecutor.exe processes)

Executes dropped EXE 15 IoCs
Processes:
- SolaraExecutor.exe, PIDs 4540, 1260, 2724, 3876, 496, 4144, 2708, 3440, 1988, 3696, 2052, 1872, 5036, 3400, 4904

Drops file in System32 directory 2 IoCs
Processes:
- File created: C:\Windows\system32\SubDir\SolaraExecutor.exe (by 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe)
- File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe (by 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
- PING.EXE, PIDs 4152, 3460, 4472, 1936, 2092, 4860, 2716, 2296, 1300, 3088, 1764, 3768, 1560, 828, 4396

Runs ping.exe 1 TTPs 15 IoCs
Processes:
- PING.EXE, PIDs 4860, 1560, 3088, 2092, 3768, 2296, 4472, 1300, 1764, 2716, 1936, 828, 3460, 4396, 4152

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe, PIDs 2572, 3948, 4608, 4028, 2444, 4380, 4608, 4816, 1752, 1776, 876, 1420, 1984, 2264, 4416, 660

Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
- Token: SeDebugPrivilege, PID 688 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- Token: SeDebugPrivilege, SolaraExecutor.exe PIDs 4540, 1260, 2724, 3876, 496, 4144, 2708, 3440, 1988, 3696, 2052, 1872, 5036, 3400, 4904

Suspicious use of FindShellTrayWindow 15 IoCs
Processes:
- SolaraExecutor.exe, PIDs 4540, 1260, 2724, 3876, 496, 4144, 2708, 3440, 1988, 3696, 2052, 1872, 5036, 3400, 4904

Suspicious use of SendNotifyMessage 15 IoCs
Processes:
- SolaraExecutor.exe, PIDs 4540, 1260, 2724, 3876, 496, 4144, 2708, 3440, 1988, 3696, 2052, 1872, 5036, 3400, 4904

Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and process, target PID and process; the report records each entry twice):
- 688 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe wrote to memory of 1984 schtasks.exe
- 688 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe wrote to memory of 4540 SolaraExecutor.exe
- 4540 SolaraExecutor.exe wrote to memory of 2572 schtasks.exe
- 4540 SolaraExecutor.exe wrote to memory of 4764 cmd.exe
- 4764 cmd.exe wrote to memory of 4760 chcp.com
- 4764 cmd.exe wrote to memory of 1764 PING.EXE
- 4764 cmd.exe wrote to memory of 1260 SolaraExecutor.exe
- 1260 SolaraExecutor.exe wrote to memory of 4608 schtasks.exe
- 1260 SolaraExecutor.exe wrote to memory of 2836 cmd.exe
- 2836 cmd.exe wrote to memory of 492 chcp.com
- 2836 cmd.exe wrote to memory of 3460 PING.EXE
- 2836 cmd.exe wrote to memory of 2724 SolaraExecutor.exe
- 2724 SolaraExecutor.exe wrote to memory of 3948 schtasks.exe
- 2724 SolaraExecutor.exe wrote to memory of 572 cmd.exe
- 572 cmd.exe wrote to memory of 2844 chcp.com
- 572 cmd.exe wrote to memory of 2092 PING.EXE
- 572 cmd.exe wrote to memory of 3876 SolaraExecutor.exe
- 3876 SolaraExecutor.exe wrote to memory of 2264 schtasks.exe
- 3876 SolaraExecutor.exe wrote to memory of 3892 cmd.exe
- 3892 cmd.exe wrote to memory of 4012 chcp.com
- 3892 cmd.exe wrote to memory of 3768 PING.EXE
- 3892 cmd.exe wrote to memory of 496 SolaraExecutor.exe
- 496 SolaraExecutor.exe wrote to memory of 4416 schtasks.exe
- 496 SolaraExecutor.exe wrote to memory of 2236 cmd.exe
- 2236 cmd.exe wrote to memory of 1204 chcp.com
- 2236 cmd.exe wrote to memory of 2716 PING.EXE
- 2236 cmd.exe wrote to memory of 4144 SolaraExecutor.exe
- 4144 SolaraExecutor.exe wrote to memory of 4816 schtasks.exe
- 4144 SolaraExecutor.exe wrote to memory of 3900 cmd.exe
- 3900 cmd.exe wrote to memory of 4964 chcp.com
- 3900 cmd.exe wrote to memory of 2296 PING.EXE
- 3900 cmd.exe wrote to memory of 2708 SolaraExecutor.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (depth is the level in the tree; each process is a child of the nearest preceding process one level above it):

depth 1: C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe (PID 688)
  command line: "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SYSTEM32\schtasks.exe (PID 1984)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 2: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 4540)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SYSTEM32\schtasks.exe (PID 2572)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 3: C:\Windows\system32\cmd.exe (PID 4764)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEiMixRgKeO7.bat" "
  - Suspicious use of WriteProcessMemory
depth 4: C:\Windows\system32\chcp.com (PID 4760)
  command line: chcp 65001
depth 4: C:\Windows\system32\PING.EXE (PID 1764)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 4: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1260)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SYSTEM32\schtasks.exe (PID 4608)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 5: C:\Windows\system32\cmd.exe (PID 2836)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XpLHk3Hs7XBf.bat" "
  - Suspicious use of WriteProcessMemory
depth 6: C:\Windows\system32\chcp.com (PID 492)
  command line: chcp 65001
depth 6: C:\Windows\system32\PING.EXE (PID 3460)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 6: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2724)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SYSTEM32\schtasks.exe (PID 3948)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 7: C:\Windows\system32\cmd.exe (PID 572)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCHBOAdpeJ8p.bat" "
  - Suspicious use of WriteProcessMemory
depth 8: C:\Windows\system32\chcp.com (PID 2844)
  command line: chcp 65001
depth 8: C:\Windows\system32\PING.EXE (PID 2092)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 8: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 3876)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SYSTEM32\schtasks.exe (PID 2264)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 9: C:\Windows\system32\cmd.exe (PID 3892)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkOzK3FNaL4n.bat" "
  - Suspicious use of WriteProcessMemory
depth 10: C:\Windows\system32\chcp.com (PID 4012)
  command line: chcp 65001
depth 10: C:\Windows\system32\PING.EXE (PID 3768)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 10: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 496)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SYSTEM32\schtasks.exe (PID 4416)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 11: C:\Windows\system32\cmd.exe (PID 2236)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSM2RpwG6zqP.bat" "
  - Suspicious use of WriteProcessMemory
depth 12: C:\Windows\system32\chcp.com (PID 1204)
  command line: chcp 65001
depth 12: C:\Windows\system32\PING.EXE (PID 2716)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 12: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 4144)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SYSTEM32\schtasks.exe (PID 4816)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 13: C:\Windows\system32\cmd.exe (PID 3900)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kthY9GZZm3ST.bat" "
  - Suspicious use of WriteProcessMemory
depth 14: C:\Windows\system32\chcp.com (PID 4964)
  command line: chcp 65001
depth 14: C:\Windows\system32\PING.EXE (PID 2296)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 14: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2708)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 15: C:\Windows\SYSTEM32\schtasks.exe (PID 4608)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 15: C:\Windows\system32\cmd.exe (PID 2676)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0aumOzGJsyg.bat" "
depth 16: C:\Windows\system32\chcp.com (PID 3800)
  command line: chcp 65001
depth 16: C:\Windows\system32\PING.EXE (PID 4860)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 16: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 3440)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 17: C:\Windows\SYSTEM32\schtasks.exe (PID 1752)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 17: C:\Windows\system32\cmd.exe (PID 4836)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZItkk5tp8pos.bat" "
depth 18: C:\Windows\system32\chcp.com (PID 2780)
  command line: chcp 65001
depth 18: C:\Windows\system32\PING.EXE (PID 4472)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 18: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1988)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 19: C:\Windows\SYSTEM32\schtasks.exe (PID 660)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 19: C:\Windows\system32\cmd.exe (PID 2276)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rd9vnoVRQ0f3.bat" "
depth 20: C:\Windows\system32\chcp.com (PID 3952)
  command line: chcp 65001
depth 20: C:\Windows\system32\PING.EXE (PID 1936)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 20: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 3696)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 21: C:\Windows\SYSTEM32\schtasks.exe (PID 1776)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 21: C:\Windows\system32\cmd.exe (PID 3984)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JPyMkjlwUBG2.bat" "
depth 22: C:\Windows\system32\chcp.com (PID 3564)
  command line: chcp 65001
depth 22: C:\Windows\system32\PING.EXE (PID 828)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 22: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2052)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 23: C:\Windows\SYSTEM32\schtasks.exe (PID 4028)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 23: C:\Windows\system32\cmd.exe (PID 4876)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uv5BxCS2lg1P.bat" "
depth 24: C:\Windows\system32\chcp.com (PID 3512)
  command line: chcp 65001
depth 24: C:\Windows\system32\PING.EXE (PID 4396)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 24: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1872)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 25: C:\Windows\SYSTEM32\schtasks.exe (PID 876)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 25: C:\Windows\system32\cmd.exe (PID 2680)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11nIkY2H48r8.bat" "
depth 26: C:\Windows\system32\chcp.com (PID 780)
  command line: chcp 65001
depth 26: C:\Windows\system32\PING.EXE (PID 1300)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 26: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 5036)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 27: C:\Windows\SYSTEM32\schtasks.exe (PID 1420)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 27: C:\Windows\system32\cmd.exe (PID 4116)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VLKi7rizViNE.bat" "
depth 28: C:\Windows\system32\chcp.com (PID 3572)
  command line: chcp 65001
depth 28: C:\Windows\system32\PING.EXE (PID 1560)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 28: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 3400)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 29: C:\Windows\SYSTEM32\schtasks.exe (PID 4380)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 29: C:\Windows\system32\cmd.exe (PID 4532)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vzfUcSVf3UPK.bat" "
depth 30: C:\Windows\system32\chcp.com (PID 2104)
  command line: chcp 65001
depth 30: C:\Windows\system32\PING.EXE (PID 3088)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 30: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 4904)
  command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
depth 31: C:\Windows\SYSTEM32\schtasks.exe (PID 2444)
  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 31: C:\Windows\system32\cmd.exe (PID 3728)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6Nkl14ERROP.bat" "
depth 32: C:\Windows\system32\chcp.com (PID 1524)
  command line: chcp 65001
depth 32: C:\Windows\system32\PING.EXE (PID 4152)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads