quasar | af28db66812bd93b8680039d629844fa8821c0f205285051a50ed4a3bcc7623d

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

3.1MB
MD5

777ed5284b4e0d4305e912b99f618141
SHA1

87453944e39401ceec173a996f88a38af7d70eab
SHA256

af28db66812bd93b8680039d629844fa8821c0f205285051a50ed4a3bcc7623d
SHA512

d5d7e0c0174714b70c642ba4122f2b8f5b6b77fa5b3e291364688c02ddfc3c5c9a3fedd011985779d93a15d7ac018259d33aa1e011e5edca1bd29bf5961727ad
SSDEEP

49152:bvvlL26AaNeWgPhlmVqvMQ7XSKA+RJ6obR3LoGdWTHHB72eh2NT:bv9L26AaNeWgPhlmVqkQ7XSKA+RJ6C

Score

10^/10

quasar nigger discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

nigger

r1ght-46976.portmap.host:46976

Mutex

f9a96516-997d-4ba6-a575-b223308bc6c2

Attributes

encryption_key
2FDC75D59897C5B7FB6BF58E34770B96CFDB9669
install_name
SolaraBootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/3012-1-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016c5c-6.dat	family_quasar
behavioral1/memory/1536-10-0x0000000000F10000-0x0000000001234000-memory.dmp	family_quasar
behavioral1/memory/2852-23-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
behavioral1/memory/1672-34-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar
behavioral1/memory/1852-45-0x0000000000B00000-0x0000000000E24000-memory.dmp	family_quasar
behavioral1/memory/2088-66-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/2160-77-0x00000000011A0000-0x00000000014C4000-memory.dmp	family_quasar
behavioral1/memory/2692-99-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/memory/2000-110-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/memory/1140-121-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar
behavioral1/memory/2076-133-0x0000000001230000-0x0000000001554000-memory.dmp	family_quasar
behavioral1/memory/1008-144-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/2508-155-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral1/memory/576-166-0x0000000000900000-0x0000000000C24000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1536	SolaraBootstrapper.exe
2852	SolaraBootstrapper.exe
1672	SolaraBootstrapper.exe
1852	SolaraBootstrapper.exe
612	SolaraBootstrapper.exe
2088	SolaraBootstrapper.exe
2160	SolaraBootstrapper.exe
2876	SolaraBootstrapper.exe
2692	SolaraBootstrapper.exe
2000	SolaraBootstrapper.exe
1140	SolaraBootstrapper.exe
2076	SolaraBootstrapper.exe
1008	SolaraBootstrapper.exe
2508	SolaraBootstrapper.exe
576	SolaraBootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
884	PING.EXE
1320	PING.EXE
316	PING.EXE
2156	PING.EXE
2756	PING.EXE
1940	PING.EXE
2124	PING.EXE
2968	PING.EXE
3060	PING.EXE
288	PING.EXE
1144	PING.EXE
2280	PING.EXE
264	PING.EXE
1972	PING.EXE
1044	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1940	PING.EXE
2968	PING.EXE
884	PING.EXE
1320	PING.EXE
2156	PING.EXE
288	PING.EXE
2756	PING.EXE
1044	PING.EXE
2280	PING.EXE
2124	PING.EXE
264	PING.EXE
1972	PING.EXE
3060	PING.EXE
316	PING.EXE
1144	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
3040	schtasks.exe
2332	schtasks.exe
2692	schtasks.exe
1092	schtasks.exe
2572	schtasks.exe
2136	schtasks.exe
2940	schtasks.exe
2956	schtasks.exe
2876	schtasks.exe
2480	schtasks.exe
1604	schtasks.exe
2124	schtasks.exe
2588	schtasks.exe
656	schtasks.exe
1592	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1536	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2852	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1672	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1852	SolaraBootstrapper.exe
Token: SeDebugPrivilege	612	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2088	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2160	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2876	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2692	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2000	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1140	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2076	SolaraBootstrapper.exe
Token: SeDebugPrivilege	1008	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2508	SolaraBootstrapper.exe
Token: SeDebugPrivilege	576	SolaraBootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2124	3012	SolaraBootstrapper.exe	30
PID 3012 wrote to memory of 2124	3012	SolaraBootstrapper.exe	30
PID 3012 wrote to memory of 2124	3012	SolaraBootstrapper.exe	30
PID 3012 wrote to memory of 1536	3012	SolaraBootstrapper.exe	32
PID 3012 wrote to memory of 1536	3012	SolaraBootstrapper.exe	32
PID 3012 wrote to memory of 1536	3012	SolaraBootstrapper.exe	32
PID 1536 wrote to memory of 2876	1536	SolaraBootstrapper.exe	33
PID 1536 wrote to memory of 2876	1536	SolaraBootstrapper.exe	33
PID 1536 wrote to memory of 2876	1536	SolaraBootstrapper.exe	33
PID 1536 wrote to memory of 3004	1536	SolaraBootstrapper.exe	35
PID 1536 wrote to memory of 3004	1536	SolaraBootstrapper.exe	35
PID 1536 wrote to memory of 3004	1536	SolaraBootstrapper.exe	35
PID 3004 wrote to memory of 2820	3004	cmd.exe	37
PID 3004 wrote to memory of 2820	3004	cmd.exe	37
PID 3004 wrote to memory of 2820	3004	cmd.exe	37
PID 3004 wrote to memory of 1144	3004	cmd.exe	38
PID 3004 wrote to memory of 1144	3004	cmd.exe	38
PID 3004 wrote to memory of 1144	3004	cmd.exe	38
PID 3004 wrote to memory of 2852	3004	cmd.exe	40
PID 3004 wrote to memory of 2852	3004	cmd.exe	40
PID 3004 wrote to memory of 2852	3004	cmd.exe	40
PID 2852 wrote to memory of 2692	2852	SolaraBootstrapper.exe	41
PID 2852 wrote to memory of 2692	2852	SolaraBootstrapper.exe	41
PID 2852 wrote to memory of 2692	2852	SolaraBootstrapper.exe	41
PID 2852 wrote to memory of 2580	2852	SolaraBootstrapper.exe	43
PID 2852 wrote to memory of 2580	2852	SolaraBootstrapper.exe	43
PID 2852 wrote to memory of 2580	2852	SolaraBootstrapper.exe	43
PID 2580 wrote to memory of 1500	2580	cmd.exe	45
PID 2580 wrote to memory of 1500	2580	cmd.exe	45
PID 2580 wrote to memory of 1500	2580	cmd.exe	45
PID 2580 wrote to memory of 2756	2580	cmd.exe	46
PID 2580 wrote to memory of 2756	2580	cmd.exe	46
PID 2580 wrote to memory of 2756	2580	cmd.exe	46
PID 2580 wrote to memory of 1672	2580	cmd.exe	47
PID 2580 wrote to memory of 1672	2580	cmd.exe	47
PID 2580 wrote to memory of 1672	2580	cmd.exe	47
PID 1672 wrote to memory of 1092	1672	SolaraBootstrapper.exe	48
PID 1672 wrote to memory of 1092	1672	SolaraBootstrapper.exe	48
PID 1672 wrote to memory of 1092	1672	SolaraBootstrapper.exe	48
PID 1672 wrote to memory of 1664	1672	SolaraBootstrapper.exe	50
PID 1672 wrote to memory of 1664	1672	SolaraBootstrapper.exe	50
PID 1672 wrote to memory of 1664	1672	SolaraBootstrapper.exe	50
PID 1664 wrote to memory of 1620	1664	cmd.exe	52
PID 1664 wrote to memory of 1620	1664	cmd.exe	52
PID 1664 wrote to memory of 1620	1664	cmd.exe	52
PID 1664 wrote to memory of 1940	1664	cmd.exe	53
PID 1664 wrote to memory of 1940	1664	cmd.exe	53
PID 1664 wrote to memory of 1940	1664	cmd.exe	53
PID 1664 wrote to memory of 1852	1664	cmd.exe	54
PID 1664 wrote to memory of 1852	1664	cmd.exe	54
PID 1664 wrote to memory of 1852	1664	cmd.exe	54
PID 1852 wrote to memory of 2572	1852	SolaraBootstrapper.exe	55
PID 1852 wrote to memory of 2572	1852	SolaraBootstrapper.exe	55
PID 1852 wrote to memory of 2572	1852	SolaraBootstrapper.exe	55
PID 1852 wrote to memory of 292	1852	SolaraBootstrapper.exe	57
PID 1852 wrote to memory of 292	1852	SolaraBootstrapper.exe	57
PID 1852 wrote to memory of 292	1852	SolaraBootstrapper.exe	57
PID 292 wrote to memory of 2644	292	cmd.exe	59
PID 292 wrote to memory of 2644	292	cmd.exe	59
PID 292 wrote to memory of 2644	292	cmd.exe	59
PID 292 wrote to memory of 1972	292	cmd.exe	60
PID 292 wrote to memory of 1972	292	cmd.exe	60
PID 292 wrote to memory of 1972	292	cmd.exe	60
PID 292 wrote to memory of 612	292	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2124
- C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2876
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AYJAqGckrE2r.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2820
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1144
  - - C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rhkq5xFwuXwi.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1500
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756
      - C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\az5sSKCfsO2d.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K1fesERM3Kdo.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3I8hZeS7Xc27.bat" "
        11⤵
        
        PID:908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tFKiQoBts8Bp.bat" "
        13⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CVSpTZMxl9bn.bat" "
        15⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MOsj6qHWTXzK.bat" "
        17⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vBMua8ssQCVY.bat" "
        19⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uXLuhI8WcbWu.bat" "
        21⤵
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9zU0vcnGlhnW.bat" "
        23⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zr2tZgtJMhAu.bat" "
        25⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pZR07w21zfBS.bat" "
        27⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1lEGJiEHhMM2.bat" "
        29⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yLAKskA4v26y.bat" "
        31⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1lEGJiEHhMM2.bat

Filesize
219B

MD5
8a4a44764fc5c0be46409ad45d5592b1

SHA1
47d99a58b349e814334d07ecba91a07f3d1795ec

SHA256
3818bc682a333fbdf0adab51199e0ce3e623fa904383514c551edb3315e1ecf2

SHA512
f912bcd7ba373bc97b9395aa764c1b1e78a7c7d0b1d1c50c353307de96d3164b37f44cc570e0e003c6a0fe138b4ea058cf5d904c0ae1cd09b93eefc5aba1d75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3I8hZeS7Xc27.bat

Filesize
219B

MD5
d50ab502774659cb69f3c12cc403e8bb

SHA1
b5baf5c9139e613f04b62728a1fbdaf9f2c7e59e

SHA256
aa25835c7f0124cb1e71eacf5fc2f2d0c93e4d4bde72dcb9faded11a80bfe819

SHA512
afae75dc5eee1f983c26f5aeb8f57486d10089b3b8fb1a1c601e70489033bf406f5cabb0f238f3e05975c963b66fa2773e2e8d2e3dbaf96c6f8a41308ea6ef49

Download Submit
C:\Users\Admin\AppData\Local\Temp\9zU0vcnGlhnW.bat

Filesize
219B

MD5
fbeb1e343cb95b914675b678504e8119

SHA1
124317490640a3e4d5b4e1be37c77eef0ebb97df

SHA256
998a9ebe7f71da261d0f1d75883d33a59b97504d87d94b300f3b7aab8bfd8852

SHA512
191ec42987bcf3dce109e10155eb0d4047f5f076a18eae91a658d29698ce6aac27e5a43df0771edcbc59119490a0ef41798d8b5f0282c9b7628d367ab8ed5255

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYJAqGckrE2r.bat

Filesize
219B

MD5
a89239ee7d70dabf0d8762fb4041aaee

SHA1
6ab1039797c438cb92abd0c3bbddf1fd3a8c8680

SHA256
098241af705d40bf5f420691bfd84243fe386456ac88d2db7a8067dea15a7174

SHA512
faeb78222c596c5bf9dd5fff27d5ab0930ac6a13800cd97a1f9a33845e06b1370cd0639649dbf191f55132a1bb72217c0f8ab06833e412f02e7f5188fe18bc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVSpTZMxl9bn.bat

Filesize
219B

MD5
b06134c1ebfb172f7c17953fd5dd9e71

SHA1
8b8d973adb96d4a779766ed5fead8e90cc184286

SHA256
510b44fb33aecb579c3ddd958de570364609a9a80f463bbbe34752f669d65579

SHA512
2d86fdb528e5214a2fb1ad038d9b85ec9e7266c54183a1dbc92052ac2e75c39fa67079d94e2e75a52ae28866fd33d0be66ddc8dca7b81603b8e76fa65ad3cdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\K1fesERM3Kdo.bat

Filesize
219B

MD5
f98648f63607cbbcafd9b8ed07b73607

SHA1
da5d592f25b4d8ce227937da3299f52206cfd61e

SHA256
06659bd7ccbc76eabb2a6bf4f4e69e832490ae273a988992ff31a27b31e96ab1

SHA512
36f8afdfbb77c78f7675ca222f356ea99d15b405ba63b0b12e40f19d7a1153ac68ffda9b68604fbd18ed48eed172df56d50223ae818f61f4754c028e8fb384c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOsj6qHWTXzK.bat

Filesize
219B

MD5
d20254fc624f78e2b49a7fcef44000cf

SHA1
f0b58884572b3eb5b730c5352a923b12ae8af2da

SHA256
2504dacb17641257154be3873d35ab0faccbf588487c3e4fb8aefd9fce823376

SHA512
4d21c290623342a06e6539137df81f067f28a23101ba18d4492c9d91f84a85abdfe1d305b46fdb0b4c3cb2c1bd57a1fdccaa62851b7d6d30d3443379c5252734

Download Submit
C:\Users\Admin\AppData\Local\Temp\az5sSKCfsO2d.bat

Filesize
219B

MD5
e3ba64d03eacae9fadfb3141aca0db5c

SHA1
e2ff6cbb961aea4c7f3288c8d05bf0b52b243ea7

SHA256
c22fb2aeeae210345f59e66f1398bf18bca5b4e4e3a698e65b69675a8be65cc4

SHA512
ebada483c64d7645b852d7490b097731080f7c2ca9fff07ef9300d0d8395654b5305e14c74d5bbfe0f4ae96a123ae47acdf5a81c38957d0a29c5ce489c89faec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZR07w21zfBS.bat

Filesize
219B

MD5
8dd6d9a564d8fde997bfc35d4b019fea

SHA1
6989a4f8920aae9c7437476c0d2a2af375fd752c

SHA256
ac3a9022fdaaa38f709e2c0ec9b049a6dbf839d252f1cf0573c30f809c482b5e

SHA512
faec5f21a5bfb576f3c304a8505ebb4579147a1a32b56de9e1c7740ffd313c50da40c3efc8c7408e24e3caa969a20cba735043b3c384a1ec0d1dd54f38cbe886

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhkq5xFwuXwi.bat

Filesize
219B

MD5
c66c0eedd1d68404fe9d3b53c2dfc3fb

SHA1
1220fbd1358e27ad17fad90a6790aca46ef2358d

SHA256
0cdfd2f7d0bdd27d9032dcc3d7825876bd188041d1b56a58465f0282acc86ded

SHA512
3236ea591aa89e900d697d2d748b20594fc0a4caabc52b5d2667d5800e1410191025670f29b60fa113c6db419cd09d96fed20d837b6678b0890c4dc7b162b69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tFKiQoBts8Bp.bat

Filesize
219B

MD5
497eeaf29bc40e7bb12255c44430af32

SHA1
06a21bb3efe99271e1b26203df6fa29a833decc1

SHA256
5f2a4564bba0687a0ce82cfd3b406298f1b3a3af00139bf176f87e558bb4fc88

SHA512
95729c20366204f33d7d253d9be5f17ad4507a3a23e9283d81820be643848738fd72efea691b84874a1cae63aaa66e28ed09921f96bc934fa767225335ebe8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uXLuhI8WcbWu.bat

Filesize
219B

MD5
7d25d1058b3536d092801aee00bbc3ea

SHA1
762ced3cfe993da627c0c227843e72872c764fa5

SHA256
3e266f066fed7b0e86acc00e5ec57b374d0603e909714c2329de196f347ae612

SHA512
f39a811b387df23f6d807c11e8ac5b4714cd5f333e02f71d1019a99e57189503767c00220453c458c65ee83821267eeb56ffba6554538c621101be8273068a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vBMua8ssQCVY.bat

Filesize
219B

MD5
3cd8aff0c74fa4d2fd5927794477f6fd

SHA1
f65e112e29efa3aab97af40c367e8596d97be7ec

SHA256
609877edaa498acd3920ea6e1c6d2c17a54789d33c1fa16c77da9c8866e04aac

SHA512
2240a0bf289752c069011bd816a245a8ae515c540b2834fb20745b36139186b44fb585cb0ce0029bceddf62503b1c7abe6eb1a49b0c4c47ccb747a3172ac0481

Download Submit
C:\Users\Admin\AppData\Local\Temp\yLAKskA4v26y.bat

Filesize
219B

MD5
48c9511ad345a2727b3611281cedcb2d

SHA1
1742288378e1ed09f2a7546a03da327edf0378dd

SHA256
1b6c8a0c33c7e65578ed63c2d999b3e3ed22a439ae03002a983bfed9a9e09241

SHA512
b325a3415a0368de1774d51d8d0dc255003bc585f0e3742163c69ca93ddf423fb3bb3901a7e5ef23fcd0fbc1af4936b2f2dc45c09d0f5246714a3b0abd459748

Download Submit
C:\Users\Admin\AppData\Local\Temp\zr2tZgtJMhAu.bat

Filesize
219B

MD5
4757732b5ba6d67bff08ac391755c6a8

SHA1
18a3ae898b51a854029b43c2fb8086e6d755959e

SHA256
6d01a2043b220d330b5d12bfd0fc4a67fc4ac76100a815c061cfa5c9b9f89872

SHA512
b5352baeefdd4adf5b2485cedba325b090f7c7a3349a7b534335f5573d3a59c72e6f6fb20a0e8acdb3813acfc9de88377f8fe2cd78e27c81f6106df2c072f3c8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\SolaraBootstrapper.exe

Filesize
3.1MB

MD5
777ed5284b4e0d4305e912b99f618141

SHA1
87453944e39401ceec173a996f88a38af7d70eab

SHA256
af28db66812bd93b8680039d629844fa8821c0f205285051a50ed4a3bcc7623d

SHA512
d5d7e0c0174714b70c642ba4122f2b8f5b6b77fa5b3e291364688c02ddfc3c5c9a3fedd011985779d93a15d7ac018259d33aa1e011e5edca1bd29bf5961727ad

Download Submit
memory/576-166-0x0000000000900000-0x0000000000C24000-memory.dmp

Filesize
3.1MB

Download
memory/1008-144-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/1140-121-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download
memory/1536-9-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1536-11-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1536-20-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1536-10-0x0000000000F10000-0x0000000001234000-memory.dmp

Filesize
3.1MB

Download
memory/1672-34-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/1852-45-0x0000000000B00000-0x0000000000E24000-memory.dmp

Filesize
3.1MB

Download
memory/2000-110-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/2076-133-0x0000000001230000-0x0000000001554000-memory.dmp

Filesize
3.1MB

Download
memory/2088-66-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/2160-77-0x00000000011A0000-0x00000000014C4000-memory.dmp

Filesize
3.1MB

Download
memory/2508-155-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download
memory/2692-99-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2852-23-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/3012-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/3012-8-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-2-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-1-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads