Analysis
max time kernel: 33s
max time network: 34s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2024 16:51
Behavioral task: behavioral1
Sample: Solara.exe
Resource: win7-20240705-en
General
Target: Solara.exe
Size: 3.1MB
MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): Office04
C2: nohchy-47404.portmap.host:47404
Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
Attributes:
encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
install_name: SolaraExecutor.exe
log_directory: Logs
reconnect_delay: 2000
startup_key: RtkAudUService64
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource: behavioral2/memory/4960-1-0x00000000001A0000-0x00000000004C4000-memory.dmp, yara_rule: family_quasar
  resource: C:\Windows\system32\SubDir\SolaraExecutor.exe, yara_rule: family_quasar

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation, process: SolaraExecutor.exe (one query from each of the four SolaraExecutor.exe processes)

Executes dropped EXE (4 IoCs)
  pid 232 SolaraExecutor.exe
  pid 4144 SolaraExecutor.exe
  pid 3168 SolaraExecutor.exe
  pid 4968 SolaraExecutor.exe

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\system32\SubDir\SolaraExecutor.exe, process: Solara.exe
  File opened for modification: C:\Windows\system32\SubDir\SolaraExecutor.exe, process: Solara.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid 3860 PING.EXE
  pid 4812 PING.EXE
  pid 3548 PING.EXE

Runs ping.exe (1 TTP, 3 IoCs)
  pid 3860 PING.EXE
  pid 4812 PING.EXE
  pid 3548 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3636 schtasks.exe
  pid 4332 schtasks.exe
  pid 2668 schtasks.exe
  pid 4752 schtasks.exe
  pid 4628 schtasks.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, pid 4960 Solara.exe
  Token: SeDebugPrivilege, pid 232 SolaraExecutor.exe
  Token: SeDebugPrivilege, pid 4144 SolaraExecutor.exe
  Token: SeDebugPrivilege, pid 3168 SolaraExecutor.exe
  Token: SeDebugPrivilege, pid 4968 SolaraExecutor.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 232 SolaraExecutor.exe
  pid 4144 SolaraExecutor.exe
  pid 3168 SolaraExecutor.exe
  pid 4968 SolaraExecutor.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 232 SolaraExecutor.exe
  pid 4144 SolaraExecutor.exe
  pid 3168 SolaraExecutor.exe
  pid 4968 SolaraExecutor.exe

Suspicious use of WriteProcessMemory (36 IoCs; each parent/target pair below is reported twice)
  PID 4960 Solara.exe wrote to memory of 4332 schtasks.exe
  PID 4960 Solara.exe wrote to memory of 232 SolaraExecutor.exe
  PID 232 SolaraExecutor.exe wrote to memory of 2668 schtasks.exe
  PID 232 SolaraExecutor.exe wrote to memory of 2748 cmd.exe
  PID 2748 cmd.exe wrote to memory of 3232 chcp.com
  PID 2748 cmd.exe wrote to memory of 3860 PING.EXE
  PID 2748 cmd.exe wrote to memory of 4144 SolaraExecutor.exe
  PID 4144 SolaraExecutor.exe wrote to memory of 4752 schtasks.exe
  PID 4144 SolaraExecutor.exe wrote to memory of 2820 cmd.exe
  PID 2820 cmd.exe wrote to memory of 448 chcp.com
  PID 2820 cmd.exe wrote to memory of 4812 PING.EXE
  PID 2820 cmd.exe wrote to memory of 3168 SolaraExecutor.exe
  PID 3168 SolaraExecutor.exe wrote to memory of 4628 schtasks.exe
  PID 3168 SolaraExecutor.exe wrote to memory of 4676 cmd.exe
  PID 4676 cmd.exe wrote to memory of 332 chcp.com
  PID 4676 cmd.exe wrote to memory of 3548 PING.EXE
  PID 4676 cmd.exe wrote to memory of 4968 SolaraExecutor.exe
  PID 4968 SolaraExecutor.exe wrote to memory of 3636 schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\Solara.exe (PID 4960)
  command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\schtasks.exe (PID 4332)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 232)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\schtasks.exe (PID 2668)
      command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe (PID 2748)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ROHiET42FcS.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\chcp.com (PID 3232)
        command line: chcp 65001
      C:\Windows\system32\PING.EXE (PID 3860)
        command line: ping -n 10 localhost
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 4144)
        command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe (PID 4752)
          command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\system32\cmd.exe (PID 2820)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWlkQLIJg1Gk.bat" "
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com (PID 448)
            command line: chcp 65001
          C:\Windows\system32\PING.EXE (PID 4812)
            command line: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 3168)
            command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            C:\Windows\SYSTEM32\schtasks.exe (PID 4628)
              command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
            C:\Windows\system32\cmd.exe (PID 4676)
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h2E6UD4IKvcY.bat" "
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\chcp.com (PID 332)
                command line: chcp 65001
              C:\Windows\system32\PING.EXE (PID 3548)
                command line: ping -n 10 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
              C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 4968)
                command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                C:\Windows\SYSTEM32\schtasks.exe (PID 3636)
                  command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                  - Scheduled Task/Job: Scheduled Task
                C:\Windows\system32\cmd.exe (PID 4836)
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsXrOeSVWF5l.bat" "
                  C:\Windows\system32\chcp.com (PID 5020)
                    command line: chcp 65001
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads