Analysis
max time kernel: 36s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 04-08-2024 16:51
Behavioral task: behavioral1
Sample: Solara.exe
Resource: win7-20240705-en
General
Target: Solara.exe
Size: 3.1MB
MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
family: quasar
version: 1.4.1
tag: Office04
c2: nohchy-47404.portmap.host:47404
mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
install_name: SolaraExecutor.exe
log_directory: Logs
reconnect_delay: 2000
startup_key: RtkAudUService64
subdirectory: SubDir

Notes on the config: startup_key is the name the client gives its persistence entry; it is the /tn of every schtasks command in the process tree below and mimics the name of the Realtek audio service (RtkAudUService64). subdirectory and install_name combine into the drop path C:\Windows\system32\SubDir\SolaraExecutor.exe; writing there needs administrative rights, which the sandbox user (Admin) had. The C2 is a portmap.host port-forwarding hostname, so hunt and block on the hostname and port rather than on whatever IP it resolves to, which belongs to the tunnelling service.
Signatures

Quasar payload (6 IoCs)
yara_rule family_quasar matched the following resources:
- behavioral1/memory/2864-1-0x0000000000DA0000-0x00000000010C4000-memory.dmp (Solara.exe, PID 2864)
- C:\Windows\System32\SubDir\SolaraExecutor.exe (dropped file on disk)
- behavioral1/memory/2104-9-0x00000000011B0000-0x00000000014D4000-memory.dmp (SolaraExecutor.exe, PID 2104)
- behavioral1/memory/2504-22-0x0000000000050000-0x0000000000374000-memory.dmp (SolaraExecutor.exe, PID 2504)
- behavioral1/memory/1584-33-0x0000000000A70000-0x0000000000D94000-memory.dmp (SolaraExecutor.exe, PID 1584)
- behavioral1/memory/2412-45-0x0000000000B50000-0x0000000000E74000-memory.dmp (SolaraExecutor.exe, PID 2412)
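The memory-dump IoC strings above encode the task name, the PID, a hit sequence number and the address range of the dumped region. The Python below is an added example, not part of the sandbox report: it parses that format, skips the on-disk IoC, and checks the derived region sizes. Every region turns out to be 0x324000 bytes, one page-aligned size shared by all five processes and consistent with the 3.1 MB sample, which is what you expect when the same image is mapped whole in each process. The IoC strings are copied from the signature above; the report only gives the sample size as "3.1MB", so treating that as 3.1 MiB with a 5 % tolerance is an assumption made for the check.

```python
import re
from dataclasses import dataclass

# IoC strings copied from the "Quasar payload" signature above. The on-disk path is
# included on purpose: the parser must skip it, since only memory hits carry a range.
QUASAR_IOCS = [
    "behavioral1/memory/2864-1-0x0000000000DA0000-0x00000000010C4000-memory.dmp",
    r"C:\Windows\System32\SubDir\SolaraExecutor.exe",
    "behavioral1/memory/2104-9-0x00000000011B0000-0x00000000014D4000-memory.dmp",
    "behavioral1/memory/2504-22-0x0000000000050000-0x0000000000374000-memory.dmp",
    "behavioral1/memory/1584-33-0x0000000000A70000-0x0000000000D94000-memory.dmp",
    "behavioral1/memory/2412-45-0x0000000000B50000-0x0000000000E74000-memory.dmp",
]

# Assumption: the report says only "3.1MB"; read that as 3.1 MiB for the size check.
REPORTED_SIZE = int(3.1 * 1024 * 1024)

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryHit:
    task: str
    pid: int
    seq: int    # order of the hit within the task
    start: int  # region start address
    end: int    # region end address (exclusive)

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_hits(iocs):
    """Parse memory-dump IoCs; file-path IoCs carry no range and are skipped."""
    hits = []
    for ioc in iocs:
        m = _DUMP_RE.match(ioc)
        if m is None:
            continue
        hits.append(MemoryHit(m["task"], int(m["pid"]), int(m["seq"]),
                              int(m["start"], 16), int(m["end"], 16)))
    return hits


def region_sizes(hits):
    """Map PID -> size in bytes of the dumped region the rule fired on."""
    return {h.pid: h.size for h in hits}


def single_image_size(hits, reported_size, tolerance=0.05):
    """True when all hits cover one identical, page-aligned region whose size is
    within `tolerance` of the reported file size: the same image in every process,
    not scattered fragments."""
    sizes = {h.size for h in hits}
    if len(sizes) != 1:
        return False
    (size,) = sizes
    page_aligned = size % 0x1000 == 0
    return page_aligned and abs(size - reported_size) <= tolerance * reported_size


if __name__ == "__main__":
    hits = parse_memory_hits(QUASAR_IOCS)
    for pid, size in region_sizes(hits).items():
        print(f"PID {pid}: 0x{size:X} bytes")
    print("same image in every process:", single_image_size(hits, REPORTED_SIZE))
```

The same parser works on any Triage-style memory IoC; what the check adds is a quick way to tell five hits on one re-executed binary apart from hits on five different injected payloads.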
Executes dropped EXE (4 IoCs)
Processes: SolaraExecutor.exe, PIDs 2104, 2504, 1584, 2412

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\system32\SubDir\SolaraExecutor.exe (by Solara.exe)
- File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe (by Solara.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes: PING.EXE, PIDs 2756, 2908, 2208, 2840
(In this sample every ping targets localhost, so the calls act as a delay inside the restart batch rather than a connectivity check; see the process tree below.)

Runs ping.exe (1 TTP, 4 IoCs)
Processes: PING.EXE, PIDs 2840, 2756, 2908, 2208

Scheduled Task/Job: Scheduled Task (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, PIDs 2804, 2764, 2712, 316, 1028

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 2864, Solara.exe
- Token: SeDebugPrivilege, PID 2104, SolaraExecutor.exe
- Token: SeDebugPrivilege, PID 2504, SolaraExecutor.exe
- Token: SeDebugPrivilege, PID 1584, SolaraExecutor.exe
- Token: SeDebugPrivilege, PID 2412, SolaraExecutor.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: SolaraExecutor.exe, PIDs 2104, 2504, 1584, 2412

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: SolaraExecutor.exe, PIDs 2104, 2504, 1584, 2412

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: SolaraExecutor.exe, PID 2104

Suspicious use of WriteProcessMemory (63 IoCs)
The report records each parent -> child pair three times; the 63 entries reduce to these 21 distinct pairs:
- 2864 Solara.exe -> 2804 schtasks.exe
- 2864 Solara.exe -> 2104 SolaraExecutor.exe
- 2104 SolaraExecutor.exe -> 2764 schtasks.exe
- 2104 SolaraExecutor.exe -> 2604 cmd.exe
- 2604 cmd.exe -> 2740 chcp.com
- 2604 cmd.exe -> 2756 PING.EXE
- 2604 cmd.exe -> 2504 SolaraExecutor.exe
- 2504 SolaraExecutor.exe -> 2712 schtasks.exe
- 2504 SolaraExecutor.exe -> 2900 cmd.exe
- 2900 cmd.exe -> 2904 chcp.com
- 2900 cmd.exe -> 2908 PING.EXE
- 2900 cmd.exe -> 1584 SolaraExecutor.exe
- 1584 SolaraExecutor.exe -> 316 schtasks.exe
- 1584 SolaraExecutor.exe -> 2224 cmd.exe
- 2224 cmd.exe -> 576 chcp.com
- 2224 cmd.exe -> 2208 PING.EXE
- 2224 cmd.exe -> 2412 SolaraExecutor.exe
- 2412 SolaraExecutor.exe -> 1028 schtasks.exe
- 2412 SolaraExecutor.exe -> 832 cmd.exe
- 832 cmd.exe -> 2848 chcp.com
- 832 cmd.exe -> 2840 PING.EXE

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Nesting level is given as "level N" and by indentation. Every SolaraExecutor.exe instance repeats the same three steps: re-create the RtkAudUService64 logon task, run a batch file from %TEMP% that sets the code page and sleeps with ping -n 10 localhost, then relaunch the binary from C:\Windows\system32\SubDir.)

level 1: C:\Users\Admin\AppData\Local\Temp\Solara.exe (PID 2864)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  level 2: C:\Windows\system32\schtasks.exe (PID 2804)
    cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  level 2: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2104)
    cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    level 3: C:\Windows\system32\schtasks.exe (PID 2764)
      cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
    level 3: C:\Windows\system32\cmd.exe (PID 2604)
      cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CT6bXt5CxLas.bat" "
      - Suspicious use of WriteProcessMemory
      level 4: C:\Windows\system32\chcp.com (PID 2740)
        cmdline: chcp 65001
      level 4: C:\Windows\system32\PING.EXE (PID 2756)
        cmdline: ping -n 10 localhost
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      level 4: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2504)
        cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        level 5: C:\Windows\system32\schtasks.exe (PID 2712)
          cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
        level 5: C:\Windows\system32\cmd.exe (PID 2900)
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIxghe6J72A2.bat" "
          - Suspicious use of WriteProcessMemory
          level 6: C:\Windows\system32\chcp.com (PID 2904)
            cmdline: chcp 65001
          level 6: C:\Windows\system32\PING.EXE (PID 2908)
            cmdline: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          level 6: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1584)
            cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            level 7: C:\Windows\system32\schtasks.exe (PID 316)
              cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
            level 7: C:\Windows\system32\cmd.exe (PID 2224)
              cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQzrVRLuH4Ji.bat" "
              - Suspicious use of WriteProcessMemory
              level 8: C:\Windows\system32\chcp.com (PID 576)
                cmdline: chcp 65001
              level 8: C:\Windows\system32\PING.EXE (PID 2208)
                cmdline: ping -n 10 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
              level 8: C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2412)
                cmdline: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                level 9: C:\Windows\system32\schtasks.exe (PID 1028)
                  cmdline: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                  - Scheduled Task/Job: Scheduled Task
                level 9: C:\Windows\system32\cmd.exe (PID 832)
                  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dg1ilPiU5AO4.bat" "
                  - Suspicious use of WriteProcessMemory
                  level 10: C:\Windows\system32\chcp.com (PID 2848)
                    cmdline: chcp 65001
                  level 10: C:\Windows\system32\PING.EXE (PID 2840)
                    cmdline: ping -n 10 localhost
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe
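The tree above shows two behaviours worth a detection rule: a logon-triggered scheduled task created with /rl HIGHEST and /f, and a %TEMP% batch that sleeps with ping -n N localhost before relaunching the client. The Python below is an added example, not from the report or from Quasar, that runs both rules over process-creation events (pid, parent pid, image, command line). The events are constructed to mirror the first two levels of the tree with the PIDs and command lines as reported, plus one made-up benign schtasks call; the allowlist of legitimate System32 subfolders is illustrative, not exhaustive.

```python
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed events mirroring the first two levels of the process tree above.
# The last one is a made-up benign task, included to show what the rule leaves alone.
EVENTS = [
    Proc(2864, 1000, r"C:\Users\Admin\AppData\Local\Temp\Solara.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Solara.exe"'),
    Proc(2804, 2864, r"C:\Windows\system32\schtasks.exe",
         r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
         r'/tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f'),
    Proc(2104, 2864, r"C:\Windows\system32\SubDir\SolaraExecutor.exe",
         r'"C:\Windows\system32\SubDir\SolaraExecutor.exe"'),
    Proc(2764, 2104, r"C:\Windows\system32\schtasks.exe",
         r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
         r'/tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f'),
    Proc(2604, 2104, r"C:\Windows\system32\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\CT6bXt5CxLas.bat" "'),
    Proc(2740, 2604, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(2756, 2604, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    Proc(2504, 2604, r"C:\Windows\system32\SubDir\SolaraExecutor.exe",
         r'"C:\Windows\system32\SubDir\SolaraExecutor.exe"'),
    Proc(4001, 1000, r"C:\Windows\system32\schtasks.exe",  # constructed, benign
         r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 '
         r'/tr "C:\Program Files\Backup\backup.exe"'),
]

# Illustrative allowlist (assumption): folders that legitimately hold executables
# directly under System32. Quasar's "SubDir" is not one of them.
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "windowspowershell", "drivers", "sysprep"}

_OPT_RE = re.compile(r'/(?P<name>tn|sc|tr|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)


def parse_schtasks(cmdline):
    """Extract /tn /sc /tr /rl values and the /create and /f switches."""
    opts = {m["name"].lower(): m["q"] if m["q"] is not None else m["u"]
            for m in _OPT_RE.finditer(cmdline)}
    opts["create"] = re.search(r"/create\b", cmdline, re.I) is not None
    opts["force"] = re.search(r"/f\b", cmdline, re.I) is not None
    return opts


def suspicious_logon_task(cmdline):
    """Finding for 'schtasks /create ... /sc ONLOGON ... /rl HIGHEST', else None."""
    o = parse_schtasks(cmdline)
    if not (o["create"] and o.get("sc", "").upper() == "ONLOGON"
            and o.get("rl", "").upper() == "HIGHEST"):
        return None
    target = o.get("tr", "")
    reasons = ["runs at every logon with highest privileges"]
    if o["force"]:
        reasons.append("/f silently replaces an existing task of that name")
    m = re.match(r"(?i)c:\\windows\\system32\\([^\\]+)\\", target)
    if m and m[1].lower() not in KNOWN_SYSTEM32_SUBDIRS:
        reasons.append(f"target lives in non-standard System32 subfolder '{m[1]}'")
    return {"task": o.get("tn"), "target": target, "reasons": reasons}


def logon_task_findings(events):
    out = []
    for e in events:
        if e.image.lower().endswith("\\schtasks.exe"):
            f = suspicious_logon_task(e.cmdline)
            if f:
                out.append({"pid": e.pid, "ppid": e.ppid, **f})
    return out


def restart_batch_chains(events):
    """cmd.exe running a %TEMP% .bat whose children include 'ping -n N localhost'
    (used as a sleep) and a re-launched EXE: the delay-then-restart batch above."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    out = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        bat = re.search(r'(?i)"([^"]+\\temp\\[^"]+\.bat)"', e.cmdline)
        if not bat:
            continue
        pings, relaunched = None, []
        for c in children[e.pid]:
            img = c.image.lower()
            if img.endswith("\\ping.exe"):
                m = re.search(r"(?i)-n\s+(\d+)\s+(localhost|127\.0\.0\.1)", c.cmdline)
                pings = int(m[1]) if m else pings
            elif img.endswith(".exe"):
                relaunched.append(c.image)
        if pings is not None and relaunched:
            out.append({"cmd_pid": e.pid, "parent_pid": e.ppid, "batch": bat[1],
                        "ping_count": pings, "relaunched": relaunched})
    return out


if __name__ == "__main__":
    for f in logon_task_findings(EVENTS):
        print("logon task:", f)
    for f in restart_batch_chains(EVENTS):
        print("restart chain:", f)
```

Run against the constructed events, the task rule fires twice (PIDs 2804 and 2764, both on the non-standard SubDir target) and ignores the DAILY backup task, while the chain rule reports cmd.exe 2604 relaunching SolaraExecutor.exe after a ten-count ping. On a live host the same two rules map onto Sysmon event 1 or Security 4688 with command-line auditing enabled; without command lines the /rl HIGHEST and localhost details are invisible.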
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204B
  MD5: 72784a64b54490cf9ffbc141a8b703c4
  SHA1: af9a995f006f512291557ceb6585411941171398
  SHA256: 3a7a32da0359cb46da4fc2310d2d73911ebf62ec6d499361dba9c4ce9ff7c6dd
  SHA512: ddc1c27522f0e6a4c79c34b86d81ced9696face7f0d2112c05ac827c227959ca6eee8ff21f6270a3ccf9733b1b489b2e8ae1638d83568b8a919555325c1050cc
- Filesize: 204B
  MD5: fb193cbcd311baec3e9695fa7f5640a3
  SHA1: 93d2fa858588e5a91d65572ae33680a0cbbe7d52
  SHA256: fadf49cca7a3f97a3073ce268dc9b79e97c5dda71c9777b0ca5cd450198c21e4
  SHA512: 151d781d6ad516e9e021961adc5b0f9a3327369924e658c606035eddd8fcbfc2e83e3497dce22f02be4c4a7e96fa68fde3c2551e65add7e80435186bda50ffed
- Filesize: 204B
  MD5: 87ef57f858c352289f7abdc012e205e1
  SHA1: 33aea67f466be2ade4dc177e9fb467f15a916899
  SHA256: cb13ff6c981929279123c8ca13f2cfba14d8d17dcfe5b7a627771f3376240298
  SHA512: 33390cfaad0eaa9c0126f36acaa689061540b0ba8025de91ff741c8784d8158a9c1952ba34e59a983752cbb69c5e79a629fa63e121eddd3dbd96596e1189a0ed
- Filesize: 204B
  MD5: ed31c75270cd65af903344433d60dfc6
  SHA1: 3f30eeb1f05f76146d0252e796e5c9f28c215e86
  SHA256: 5fce4e4297baf948fca351365ecb09a848d02676967a754459995e9a6048fef3
  SHA512: c6e11d14a3f0255585bf940600cad03d5098637599fd48adc22e19e1f8c9624446fd94e560cb14521962bceac0b05dcb2d44cff7c79b1ffbe38da5c09a1839c5
- Filesize: 3.1MB (same digests as the submitted Solara.exe, so the dropped copy is byte-for-byte identical to the sample)
  MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
  SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
  SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
  SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- Filesize: not listed (these are the digests of a zero-byte file; do not use them as indicators)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e