Analysis
-
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 01:22
Behavioral task: behavioral1
Sample: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Resource: win7-20240705-en
General
-
Target: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Size: 3.1MB
MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd
SSDEEP: 49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee
Malware Config
-
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: nohchy-47404.portmap.host:47404
Mutex: 1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9
encryption_key: 795CDD46D2CDD422BE523F263B64E03D8B6AAD42
install_name: SolaraExecutor.exe
log_directory: Logs
reconnect_delay: 2000
startup_key: RtkAudUService64
subdirectory: SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4664-1-0x0000000000A30000-0x0000000000D54000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\SolaraExecutor.exe | family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: SolaraExecutor.exe (15 instances)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | SolaraExecutor.exe
(the same key is queried once by each of the 15 SolaraExecutor.exe instances, giving the 15 IoCs)
-
Executes dropped EXE 15 IoCs
Processes: SolaraExecutor.exe (15 instances)
pid | process
1784, 4524, 4272, 2652, 2472, 2364, 3984, 4496, 3528, 4044, 4800, 892, 684, 4648, 876 | SolaraExecutor.exe
-
Drops file in System32 directory 2 IoCs
Processes: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
description | ioc | process
File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes: PING.EXE (15 instances)
pid | process
568, 4736, 2188, 2376, 3652, 4864, 2224, 220, 1044, 2216, 4380, 4572, 1324, 3328, 3680 | PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
Processes: PING.EXE (15 instances)
pid | process
4572, 4864, 4736, 3652, 1044, 2216, 1324, 2188, 3680, 4380, 3328, 220, 568, 2224, 2376 | PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (16 instances)
pid | process
468, 4500, 4868, 4392, 3756, 4656, 4896, 5112, 2784, 3884, 2388, 1520, 4948, 4188, 4752, 5036 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe, SolaraExecutor.exe (15 instances)
description | pid | process
Token: SeDebugPrivilege | 4664 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Token: SeDebugPrivilege | 1784, 4524, 4272, 2652, 2472, 2364, 3984, 4496, 3528, 4044, 4800, 892, 684, 4648, 876 | SolaraExecutor.exe
-
Suspicious use of FindShellTrayWindow 15 IoCs
Processes: SolaraExecutor.exe (15 instances)
pid | process
1784, 4524, 4272, 2652, 2472, 2364, 3984, 4496, 3528, 4044, 4800, 892, 684, 4648, 876 | SolaraExecutor.exe
-
Suspicious use of SendNotifyMessage 15 IoCs
Processes: SolaraExecutor.exe (15 instances)
pid | process
1784, 4524, 4272, 2652, 2472, 2364, 3984, 4496, 3528, 4044, 4800, 892, 684, 4648, 876 | SolaraExecutor.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: SolaraExecutor.exe
pid | process
4524 | SolaraExecutor.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe, SolaraExecutor.exe (6 instances), cmd.exe (6 instances)
pid | process | target pid | target process
(each write below is recorded twice in the sandbox output, which is how 32 distinct writes give the 64 IoCs)
4664 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | 5036 | schtasks.exe
4664 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | 1784 | SolaraExecutor.exe
1784 | SolaraExecutor.exe | 2784 | schtasks.exe
1784 | SolaraExecutor.exe | 4572 | cmd.exe
4572 | cmd.exe | 2216 | chcp.com
4572 | cmd.exe | 2224 | PING.EXE
4572 | cmd.exe | 4524 | SolaraExecutor.exe
4524 | SolaraExecutor.exe | 1520 | schtasks.exe
4524 | SolaraExecutor.exe | 1008 | cmd.exe
1008 | cmd.exe | 3736 | chcp.com
1008 | cmd.exe | 4736 | PING.EXE
1008 | cmd.exe | 4272 | SolaraExecutor.exe
4272 | SolaraExecutor.exe | 4868 | schtasks.exe
4272 | SolaraExecutor.exe | 4644 | cmd.exe
4644 | cmd.exe | 1272 | chcp.com
4644 | cmd.exe | 2188 | PING.EXE
4644 | cmd.exe | 2652 | SolaraExecutor.exe
2652 | SolaraExecutor.exe | 4500 | schtasks.exe
2652 | SolaraExecutor.exe | 4756 | cmd.exe
4756 | cmd.exe | 1876 | chcp.com
4756 | cmd.exe | 2376 | PING.EXE
4756 | cmd.exe | 2472 | SolaraExecutor.exe
2472 | SolaraExecutor.exe | 2388 | schtasks.exe
2472 | SolaraExecutor.exe | 5088 | cmd.exe
5088 | cmd.exe | 3244 | chcp.com
5088 | cmd.exe | 3328 | PING.EXE
5088 | cmd.exe | 2364 | SolaraExecutor.exe
2364 | SolaraExecutor.exe | 468 | schtasks.exe
2364 | SolaraExecutor.exe | 3316 | cmd.exe
3316 | cmd.exe | 4636 | chcp.com
3316 | cmd.exe | 3652 | PING.EXE
3316 | cmd.exe | 3984 | SolaraExecutor.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth = nesting level in the process tree; each process is a child of the nearest process above it with depth one less)
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4664
-
Depth 2: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 5036
-
Depth 2: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1784
-
Depth 3: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2784
-
Depth 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat" "
- Suspicious use of WriteProcessMemory
PID: 4572
-
Depth 4: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2216
-
Depth 4: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2224
-
Depth 4: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4524
-
Depth 5: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 1520
-
Depth 5: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat" "
- Suspicious use of WriteProcessMemory
PID: 1008
-
Depth 6: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3736
-
Depth 6: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4736
-
Depth 6: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4272
-
Depth 7: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4868
-
Depth 7: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat" "
- Suspicious use of WriteProcessMemory
PID: 4644
-
Depth 8: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 1272
-
Depth 8: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2188
-
Depth 8: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2652
-
Depth 9: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4500
-
Depth 9: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat" "
- Suspicious use of WriteProcessMemory
PID: 4756
-
Depth 10: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 1876
-
Depth 10: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2376
-
Depth 10: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2472
-
Depth 11: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 2388
-
Depth 11: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat" "
- Suspicious use of WriteProcessMemory
PID: 5088
-
Depth 12: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 3244
-
Depth 12: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3328
-
Depth 12: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2364
-
Depth 13: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 468
-
Depth 13: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat" "
- Suspicious use of WriteProcessMemory
PID: 3316
-
Depth 14: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 4636
-
Depth 14: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3652
-
Depth 14: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3984
-
Depth 15: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 3884
-
Depth 15: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat" "
PID: 3412
-
Depth 16: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2100
-
Depth 16: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3680
-
Depth 16: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4496
-
Depth 17: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4392
-
Depth 17: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat" "
PID: 748
-
Depth 18: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 4176
-
Depth 18: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 220
-
Depth 18: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3528
-
Depth 19: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 3756
-
Depth 19: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat" "
PID: 2952
-
Depth 20: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 564
-
Depth 20: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 568
-
Depth 20: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4044
-
Depth 21: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4656
-
Depth 21: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat" "
PID: 4848
-
Depth 22: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 5096
-
Depth 22: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1044
-
Depth 22: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4800
-
Depth 23: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4948
-
Depth 23: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat" "
PID: 4660
-
Depth 24: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 1340
-
Depth 24: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2216
-
Depth 24: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 892
-
Depth 25: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4896
-
Depth 25: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat" "
PID: 3840
-
Depth 26: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 740
-
Depth 26: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4380
-
Depth 26: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 684
-
Depth 27: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 5112
-
Depth 27: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat" "
PID: 3700
-
Depth 28: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 4840
-
Depth 28: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4572
-
Depth 28: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4648
-
Depth 29: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4188
-
Depth 29: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat" "
PID: 432
-
Depth 30: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 2176
-
Depth 30: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4864
-
Depth 30: C:\Windows\system32\SubDir\SolaraExecutor.exe
Command line: "C:\Windows\system32\SubDir\SolaraExecutor.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 876
-
Depth 31: C:\Windows\SYSTEM32\schtasks.exe
Command line: "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID: 4752
-
Depth 31: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat" "
PID: 368
-
Depth 32: C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 736
-
Depth 32: C:\Windows\system32\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1324
Network
MITRE ATT&CK Enterprise v15
Downloads