Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2024 01:22
Behavioral task: behavioral1
- Sample: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- Resource: win7-20240705-en
General
- Target: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- Size: 3.1MB
- MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
- SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
- SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
- SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: nohchy-47404.portmap.host:47404
- Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
- encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
- install_name: SolaraExecutor.exe
- log_directory: Logs
- reconnect_delay: 2000
- startup_key: RtkAudUService64
- subdirectory: SubDir
Signatures
Quasar payload 14 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2460-1-0x0000000000F10000-0x0000000001234000-memory.dmp / family_quasar
- C:\Windows\System32\SubDir\SolaraExecutor.exe / family_quasar
- behavioral1/memory/2152-9-0x0000000000A00000-0x0000000000D24000-memory.dmp / family_quasar
- behavioral1/memory/2688-22-0x0000000000240000-0x0000000000564000-memory.dmp / family_quasar
- behavioral1/memory/2852-33-0x0000000000170000-0x0000000000494000-memory.dmp / family_quasar
- behavioral1/memory/1656-45-0x00000000010D0000-0x00000000013F4000-memory.dmp / family_quasar
- behavioral1/memory/2348-56-0x0000000000300000-0x0000000000624000-memory.dmp / family_quasar
- behavioral1/memory/1956-67-0x0000000000F90000-0x00000000012B4000-memory.dmp / family_quasar
- behavioral1/memory/2644-99-0x00000000012C0000-0x00000000015E4000-memory.dmp / family_quasar
- behavioral1/memory/948-110-0x0000000000350000-0x0000000000674000-memory.dmp / family_quasar
- behavioral1/memory/1116-122-0x0000000001160000-0x0000000001484000-memory.dmp / family_quasar
- behavioral1/memory/1920-145-0x00000000003F0000-0x0000000000714000-memory.dmp / family_quasar
- behavioral1/memory/1944-156-0x0000000000D60000-0x0000000001084000-memory.dmp / family_quasar
- behavioral1/memory/2884-168-0x0000000001370000-0x0000000001694000-memory.dmp / family_quasar
Executes dropped EXE 15 IoCs
Processes (pid / process):
- 2152 SolaraExecutor.exe
- 2688 SolaraExecutor.exe
- 2852 SolaraExecutor.exe
- 1656 SolaraExecutor.exe
- 2348 SolaraExecutor.exe
- 1956 SolaraExecutor.exe
- 1580 SolaraExecutor.exe
- 1152 SolaraExecutor.exe
- 2644 SolaraExecutor.exe
- 948 SolaraExecutor.exe
- 1116 SolaraExecutor.exe
- 792 SolaraExecutor.exe
- 1920 SolaraExecutor.exe
- 1944 SolaraExecutor.exe
- 2884 SolaraExecutor.exe
Drops file in System32 directory 2 IoCs
Processes (description / ioc / process):
- File created / C:\Windows\system32\SubDir\SolaraExecutor.exe / 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- File opened for modification / C:\Windows\system32\SubDir\SolaraExecutor.exe / 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid / process):
- 2748 PING.EXE
- 2200 PING.EXE
- 1456 PING.EXE
- 1500 PING.EXE
- 3016 PING.EXE
- 1044 PING.EXE
- 2440 PING.EXE
- 1712 PING.EXE
- 1628 PING.EXE
- 1876 PING.EXE
- 988 PING.EXE
- 2016 PING.EXE
- 2360 PING.EXE
- 2408 PING.EXE
- 2948 PING.EXE
Runs ping.exe 1 TTPs 15 IoCs
Processes (pid / process):
- 2016 PING.EXE
- 2408 PING.EXE
- 1628 PING.EXE
- 2748 PING.EXE
- 1500 PING.EXE
- 1044 PING.EXE
- 1876 PING.EXE
- 988 PING.EXE
- 2948 PING.EXE
- 2440 PING.EXE
- 1712 PING.EXE
- 2200 PING.EXE
- 3016 PING.EXE
- 2360 PING.EXE
- 1456 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 2364 schtasks.exe
- 1328 schtasks.exe
- 3032 schtasks.exe
- 2648 schtasks.exe
- 2580 schtasks.exe
- 2352 schtasks.exe
- 2416 schtasks.exe
- 2860 schtasks.exe
- 2316 schtasks.exe
- 500 schtasks.exe
- 2940 schtasks.exe
- 1152 schtasks.exe
- 3064 schtasks.exe
- 2740 schtasks.exe
- 2584 schtasks.exe
- 2992 schtasks.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2460 / 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
- Token: SeDebugPrivilege / 2152 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 2688 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 2852 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1656 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 2348 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1956 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1580 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1152 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 2644 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 948 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1116 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 792 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1920 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 1944 / SolaraExecutor.exe
- Token: SeDebugPrivilege / 2884 / SolaraExecutor.exe
Suspicious use of FindShellTrayWindow 15 IoCs
Processes (pid / process):
- 2152 SolaraExecutor.exe
- 2688 SolaraExecutor.exe
- 2852 SolaraExecutor.exe
- 1656 SolaraExecutor.exe
- 2348 SolaraExecutor.exe
- 1956 SolaraExecutor.exe
- 1580 SolaraExecutor.exe
- 1152 SolaraExecutor.exe
- 2644 SolaraExecutor.exe
- 948 SolaraExecutor.exe
- 1116 SolaraExecutor.exe
- 792 SolaraExecutor.exe
- 1920 SolaraExecutor.exe
- 1944 SolaraExecutor.exe
- 2884 SolaraExecutor.exe
Suspicious use of SendNotifyMessage 15 IoCs
Processes (pid / process):
- 2152 SolaraExecutor.exe
- 2688 SolaraExecutor.exe
- 2852 SolaraExecutor.exe
- 1656 SolaraExecutor.exe
- 2348 SolaraExecutor.exe
- 1956 SolaraExecutor.exe
- 1580 SolaraExecutor.exe
- 1152 SolaraExecutor.exe
- 2644 SolaraExecutor.exe
- 948 SolaraExecutor.exe
- 1116 SolaraExecutor.exe
- 792 SolaraExecutor.exe
- 1920 SolaraExecutor.exe
- 1944 SolaraExecutor.exe
- 2884 SolaraExecutor.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid / process):
- 948 SolaraExecutor.exe
- 792 SolaraExecutor.exe
- 1944 SolaraExecutor.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid and process -> target pid and process; the report records each of the writes below three times, except the last, which appears once):
- 2460 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe -> 2940 schtasks.exe
- 2460 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe -> 2152 SolaraExecutor.exe
- 2152 SolaraExecutor.exe -> 1152 schtasks.exe
- 2152 SolaraExecutor.exe -> 2656 cmd.exe
- 2656 cmd.exe -> 2812 chcp.com
- 2656 cmd.exe -> 2748 PING.EXE
- 2656 cmd.exe -> 2688 SolaraExecutor.exe
- 2688 SolaraExecutor.exe -> 2580 schtasks.exe
- 2688 SolaraExecutor.exe -> 2184 cmd.exe
- 2184 cmd.exe -> 1716 chcp.com
- 2184 cmd.exe -> 1500 PING.EXE
- 2184 cmd.exe -> 2852 SolaraExecutor.exe
- 2852 SolaraExecutor.exe -> 2584 schtasks.exe
- 2852 SolaraExecutor.exe -> 2844 cmd.exe
- 2844 cmd.exe -> 1080 chcp.com
- 2844 cmd.exe -> 1044 PING.EXE
- 2844 cmd.exe -> 1656 SolaraExecutor.exe
- 1656 SolaraExecutor.exe -> 2352 schtasks.exe
- 1656 SolaraExecutor.exe -> 2504 cmd.exe
- 2504 cmd.exe -> 880 chcp.com
- 2504 cmd.exe -> 1876 PING.EXE
- 2504 cmd.exe -> 2348 SolaraExecutor.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the bracketed number is the depth of the process in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe (PID 2460)
    command line: "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe (PID 2940)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2152)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\schtasks.exe (PID 1152)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 2656)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 2812)
    command line: chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 2748)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2688)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\schtasks.exe (PID 2580)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 2184)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 1716)
    command line: chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 1500)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2852)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\schtasks.exe (PID 2584)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 2844)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat" "
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 1080)
    command line: chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 1044)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1656)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\schtasks.exe (PID 2352)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 2504)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat" "
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 880)
    command line: chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 1876)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2348)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[11] C:\Windows\system32\schtasks.exe (PID 2416)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 608)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat" "
[12] C:\Windows\system32\chcp.com (PID 1304)
    command line: chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 2200)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1956)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[13] C:\Windows\system32\schtasks.exe (PID 2860)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 2488)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat" "
[14] C:\Windows\system32\chcp.com (PID 1392)
    command line: chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 988)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1580)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[15] C:\Windows\system32\schtasks.exe (PID 2316)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 2956)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat" "
[16] C:\Windows\system32\chcp.com (PID 1648)
    command line: chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 2016)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1152)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[17] C:\Windows\system32\schtasks.exe (PID 2648)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 2548)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat" "
[18] C:\Windows\system32\chcp.com (PID 2864)
    command line: chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 3016)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2644)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[19] C:\Windows\system32\schtasks.exe (PID 500)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 1740)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat" "
[20] C:\Windows\system32\chcp.com (PID 1476)
    command line: chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 2360)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 948)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
[21] C:\Windows\system32\schtasks.exe (PID 2992)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 328)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat" "
[22] C:\Windows\system32\chcp.com (PID 2844)
    command line: chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 2408)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1116)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[23] C:\Windows\system32\schtasks.exe (PID 1328)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 1496)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat" "
[24] C:\Windows\system32\chcp.com (PID 1132)
    command line: chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 2948)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 792)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
[25] C:\Windows\system32\schtasks.exe (PID 3032)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 2200)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat" "
[26] C:\Windows\system32\chcp.com (PID 2392)
    command line: chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 2440)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1920)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[27] C:\Windows\system32\schtasks.exe (PID 2364)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 876)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat" "
[28] C:\Windows\system32\chcp.com (PID 1788)
    command line: chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 1712)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 1944)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
[29] C:\Windows\system32\schtasks.exe (PID 3064)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 2228)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat" "
[30] C:\Windows\system32\chcp.com (PID 2196)
    command line: chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 1456)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Windows\system32\SubDir\SolaraExecutor.exe (PID 2884)
    command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[31] C:\Windows\system32\schtasks.exe (PID 2740)
    command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 2896)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat" "
[32] C:\Windows\system32\chcp.com (PID 2656)
    command line: chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 1628)
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204B
  MD5: 2910f681fd312bc4c1f340fa1ba9d939
  SHA1: a0cd81040e4ee72dfb373bc28a8d30e189db7ab4
  SHA256: 36dbeb626bcb2a73fd119cc660df804f291afa4095c047223848b23aaa872a59
  SHA512: 45c9387dc8b34d042e65ca9cf994982edfa8cd0e33eae95e23520a248c70eec7cd96150ee214372d594e5ec4db4f51edf2d83b4fec805c933ccf74c1fc844d91
- Filesize: 204B
  MD5: 55b53992d2888712b8145e27b10a97e1
  SHA1: 00affca3f39529319666371369d648ef64f72c1a
  SHA256: ce9fb051707888c7119c2eb30accd4f3445b3535639776884c22d52b322920d7
  SHA512: ac9ff08632d54986c3e11e8d023c48e461d62b4c49319110f408b7c0371b821e1069ab325901078be23cd5eb1828daebb6366d8545f3c5930fb82193e99ebb2c
- Filesize: 204B
  MD5: e798cdd9b01b5b6661ef9395c3c8d5a7
  SHA1: 10cba84d01ba0ecd234229efa8fb15fc813e8030
  SHA256: 5ec221ea7fdcbd59cc42ea8b67a95220764c993850bad68d59860cb7fd0130f0
  SHA512: f3c542fe746889a84e88fa731232d0bce0146504da2f655bb546b57166f7eeefb904a4cd29d85bf376663da1204e6df127233d1f979297f48ed9d01400226eb0
- Filesize: 204B
  MD5: 23af2385aa23cdac85077c257c8a0cb6
  SHA1: 8ecaf8d174649fbbf2f708261980f8f64deace6f
  SHA256: a669ed36f2bf733f3ecd1b5c093b5e867c6cb302a48b6670b2007b4179f0a749
  SHA512: 6382fcc0de552e2fc8d20d89f0e6ff1f97483f5dd54df9e3ab1f91766c60d81787459af76d2453c552118c19de7816dc27eaa417851e33cf31f156fef33d0806
- Filesize: 204B
  MD5: f40bb1a30cf1b526f040f5944b87d544
  SHA1: 312247b9771a11bd1410319eb22d3a9cf15e6b80
  SHA256: 488a9f6d852061798a85092e5331711c300d60912ef2579939198a3649780731
  SHA512: a9412d44865ec3c54f816a87f5b0f14f3350959f74278f70f38bbb79cf0e981cb84bfec91b1d0525f6119b12909382655d1affff6e91123f2181a8547746e675
- Filesize: 204B
  MD5: 61a3ef50a55be54bbb71be14037941ad
  SHA1: 9bd2c451b466db9382cb91c9183786ca6312bfb9
  SHA256: 98533b2b338db80c96e2405a283d5b02a621c962f3a698677b8433eb7249eb4a
  SHA512: 1445fe697d5bc5f074b6194b5de21b710b05a347a60a619c75eecf8cfd613088168acdda77dcbd598660907ea023077ce24b0fbb0e8c5874c5a549a0c7169946
- Filesize: 204B
  MD5: da9c1996b70db0228d90a2ce3d3cc341
  SHA1: 9112f3d4cc458483e50c1d6495b3e0a78f7ce250
  SHA256: 6bc8a6709e0d94e540235f834b1f838a31218076c802865050b50d2d833ebdb6
  SHA512: 426d03f3256600777acf7f3f1c3587cb5b597af42e665f59924da5819ccf3637ad487442c2f6207aaad0c8233859ded30731f650d67b9829a05764de7d4b6e78
- Filesize: 204B
  MD5: 40393af952536ef306d6c0cd07c78cb3
  SHA1: c055b267c6b184114f622c8a1f1c7f66d856051a
  SHA256: f5faae36cc1057e04f1f38c93dcddaa99e6faeeb7903b343e17beaa98445d19d
  SHA512: ce1f61f222a5d4ad66656606f44a40f52bc61c6d423bcb38c6be3e0de1a27703fb1c783776aeba1bd551fcf221d96f949332d57c9b1f9e9950d49f4accc7a29e
- Filesize: 204B
  MD5: feca430d7239917c3a250ead322ef646
  SHA1: 200a75d043ca2a26de3683e2e7cbad601f700d2b
  SHA256: ca4d0ce614b201c2e9a23d041e57a3075d96359c2729384090b9ca1ef7304b85
  SHA512: 96ff23169cc7552d437e95181c81c0c3896838d64da5a8fabba3ae7cfa6c2c349c3814c727cb980999deece7aa1637bd182d7f18a4a47ca105fbf3552174854c
- Filesize: 204B
  MD5: 3015a387064a6d27cbec6b91abe71400
  SHA1: ac91d1b9d5cf2594850dba04194075b1ef78941e
  SHA256: c0870fdaeca46b93ae8c87b75c83ccfbe88b40a9224624a75b268b8cb849949c
  SHA512: b12472ebcab69b74890ecef8628d4f77957f68127097e24fda1375ae671aac1a1055f1114ebcfedbc40399a223f2261be9ca6df674be4d8c65adceaeded81e49
- Filesize: 204B
  MD5: c31761c97ab416bd13307fb85c968c6f
  SHA1: a866e13196002b237104a10532657374d25787bc
  SHA256: 0b2cf460b38f057a206d2ffb0af27a967c7460211e1d782e4bbf1127e02356b9
  SHA512: 6414333d6011d52b7d94fc5e3dacb994b4b30d18c52041c3421b02ed5e658242f2865731bcbfab742c47d4c3d53fa26ca555130ec4153d2ff568178796d807d1
- Filesize: 204B
  MD5: c5b5aff27893b3c59e91fe53fd2d85b3
  SHA1: 475e4643f4b245f6a99a502b3f9bfa2fd26a3e10
  SHA256: 76241c77e3244001109a2de1a0a716314bf8a4feb039799e40c1b9183780976d
  SHA512: ddbd3f2a191f58d57a3cb5fb088c7ff608caa22e900c9f28e2c7c489a6930a6c979394f03787fb799d0dc9ebd36f447b1604fc7d69287883bb57229cac01d69e
- Filesize: 204B
  MD5: f0274196c3a44503b95f41f1ac1f208f
  SHA1: cb9ddcf0d846d4a0a19e8df04be4eb3fdcf7589f
  SHA256: 3103b81aa120c2b04df7f9183614caa8dd9bde36a53dd6ff05d796faa171cea1
  SHA512: 82d100dc28abc9b6856be7c3cc33ee35da539fe32330921a2aadd23a789256db8983555d754ad9fa92279ccab72b98ed56962adcad33fa89c5d5880d7cb74fa4
- Filesize: 204B
  MD5: d4bc36b5dab9beca2ead75e55cdcb568
  SHA1: 4f48bec8f6d0a9e50f8863cdcbb8ea594eff1eda
  SHA256: 861b0259a45455737e263cb115fcbc79a5668862d3f153e4ac02bb57582e84b1
  SHA512: eb6186664beabf8a18708a14e301bd3fb3affafb88abdb01cc969992bb47bc9ed09faf2303eb658fd3229a0ba47998aa7e2fbf993b646b90bded37c0aea07218
- Filesize: 204B
  MD5: fbec21052fda9416016a3d874523135e
  SHA1: 1a1fffc73247bd90bed690a0b04c94a9cbc0225d
  SHA256: c9379c25e78ab8548c8fdc146d70cbca15f783bbf208a20712e85fc41564dc39
  SHA512: ad9d7a89d8c84b43b24f9e0a7b70950cd76f0554dc402e820032943ae40998aeb0efbf7a59baddc04604f76db8800c6ca3953651cc21e25c3eeb904d7c759e44
- Filesize: 3.1MB
  MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
  SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
  SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
  SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
- Filesize: not given in the report (the hashes below are those of a zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e