quasar | 38be048dda9dfebcea59c2cbf3cf2abb971b96636aefabc8cafa5359efb63bc2

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara V3/SolaraV3.exe
Size

3.1MB
MD5

3db0c6fb25d98ede3749c5c296227708
SHA1

5d7843d185e9d7f56490bd03094f49c1444fa92a
SHA256

604e26e36c395712913a141ef96bc461385eea54d2182d170196dfee458ea82f
SHA512

461df5b25d7d14d340729177a987f254425d0bf57ca6f00853278d7640c40b6e52966a6465c0add70193fce2fc7a66555f1338e6a3f9eb28e85f3f5bab64b452
SSDEEP

49152:xvrI22SsaNYfdPBldt698dBcjHE82wvBx5ZoGdD3THHB72eh2NT:xvU22SsaNYfdPBldt6+dBcjHiwr

Score

10^/10

quasar robot discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

robot

tcp://quasarrat12345-50279.portmap.host:50279

Mutex

5b3b6ef6-1f5c-4cf2-a902-f38fc18c6f74

Attributes

encryption_key
044C06AD5B6394C7D3CCD0919FA2C67D30EA87D4
install_name
SolaraV3.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/1960-1-0x00000000013E0000-0x0000000001708000-memory.dmp	family_quasar
behavioral1/files/0x00060000000194df-6.dat	family_quasar
behavioral1/memory/2028-9-0x0000000000810000-0x0000000000B38000-memory.dmp	family_quasar
behavioral1/memory/2668-23-0x00000000002C0000-0x00000000005E8000-memory.dmp	family_quasar
behavioral1/memory/1920-34-0x0000000000800000-0x0000000000B28000-memory.dmp	family_quasar
behavioral1/memory/2516-45-0x0000000000FF0000-0x0000000001318000-memory.dmp	family_quasar
behavioral1/memory/1604-67-0x00000000010B0000-0x00000000013D8000-memory.dmp	family_quasar
behavioral1/memory/336-88-0x0000000000370000-0x0000000000698000-memory.dmp	family_quasar
behavioral1/memory/2392-99-0x0000000000950000-0x0000000000C78000-memory.dmp	family_quasar
behavioral1/memory/2560-110-0x0000000000CF0000-0x0000000001018000-memory.dmp	family_quasar
behavioral1/memory/1668-121-0x00000000010E0000-0x0000000001408000-memory.dmp	family_quasar
behavioral1/memory/1692-133-0x0000000001300000-0x0000000001628000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2028	SolaraV3.exe
2668	SolaraV3.exe
1920	SolaraV3.exe
2516	SolaraV3.exe
2160	SolaraV3.exe
1604	SolaraV3.exe
2884	SolaraV3.exe
336	SolaraV3.exe
2392	SolaraV3.exe
2560	SolaraV3.exe
1668	SolaraV3.exe
1692	SolaraV3.exe
1036	SolaraV3.exe
1308	SolaraV3.exe
2216	SolaraV3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2964	PING.EXE
1712	PING.EXE
2948	PING.EXE
1708	PING.EXE
908	PING.EXE
2020	PING.EXE
1788	PING.EXE
596	PING.EXE
2224	PING.EXE
840	PING.EXE
1052	PING.EXE
640	PING.EXE
2836	PING.EXE
908	PING.EXE
640	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1788	PING.EXE
2836	PING.EXE
908	PING.EXE
640	PING.EXE
2020	PING.EXE
2224	PING.EXE
640	PING.EXE
2964	PING.EXE
1052	PING.EXE
2948	PING.EXE
1708	PING.EXE
840	PING.EXE
596	PING.EXE
1712	PING.EXE
908	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2052	schtasks.exe
2872	schtasks.exe
2388	schtasks.exe
2704	schtasks.exe
872	schtasks.exe
2248	schtasks.exe
2680	schtasks.exe
2652	schtasks.exe
1632	schtasks.exe
2260	schtasks.exe
2256	schtasks.exe
1320	schtasks.exe
1276	schtasks.exe
2680	schtasks.exe
760	schtasks.exe
408	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	SolaraV3.exe
Token: SeDebugPrivilege	2028	SolaraV3.exe
Token: SeDebugPrivilege	2668	SolaraV3.exe
Token: SeDebugPrivilege	1920	SolaraV3.exe
Token: SeDebugPrivilege	2516	SolaraV3.exe
Token: SeDebugPrivilege	2160	SolaraV3.exe
Token: SeDebugPrivilege	1604	SolaraV3.exe
Token: SeDebugPrivilege	2884	SolaraV3.exe
Token: SeDebugPrivilege	336	SolaraV3.exe
Token: SeDebugPrivilege	2392	SolaraV3.exe
Token: SeDebugPrivilege	2560	SolaraV3.exe
Token: SeDebugPrivilege	1668	SolaraV3.exe
Token: SeDebugPrivilege	1692	SolaraV3.exe
Token: SeDebugPrivilege	1036	SolaraV3.exe
Token: SeDebugPrivilege	1308	SolaraV3.exe
Token: SeDebugPrivilege	2216	SolaraV3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1276	1960	SolaraV3.exe	31
PID 1960 wrote to memory of 1276	1960	SolaraV3.exe	31
PID 1960 wrote to memory of 1276	1960	SolaraV3.exe	31
PID 1960 wrote to memory of 2028	1960	SolaraV3.exe	33
PID 1960 wrote to memory of 2028	1960	SolaraV3.exe	33
PID 1960 wrote to memory of 2028	1960	SolaraV3.exe	33
PID 2028 wrote to memory of 2680	2028	SolaraV3.exe	34
PID 2028 wrote to memory of 2680	2028	SolaraV3.exe	34
PID 2028 wrote to memory of 2680	2028	SolaraV3.exe	34
PID 2028 wrote to memory of 2220	2028	SolaraV3.exe	36
PID 2028 wrote to memory of 2220	2028	SolaraV3.exe	36
PID 2028 wrote to memory of 2220	2028	SolaraV3.exe	36
PID 2220 wrote to memory of 2336	2220	cmd.exe	38
PID 2220 wrote to memory of 2336	2220	cmd.exe	38
PID 2220 wrote to memory of 2336	2220	cmd.exe	38
PID 2220 wrote to memory of 2836	2220	cmd.exe	39
PID 2220 wrote to memory of 2836	2220	cmd.exe	39
PID 2220 wrote to memory of 2836	2220	cmd.exe	39
PID 2220 wrote to memory of 2668	2220	cmd.exe	40
PID 2220 wrote to memory of 2668	2220	cmd.exe	40
PID 2220 wrote to memory of 2668	2220	cmd.exe	40
PID 2668 wrote to memory of 2704	2668	SolaraV3.exe	41
PID 2668 wrote to memory of 2704	2668	SolaraV3.exe	41
PID 2668 wrote to memory of 2704	2668	SolaraV3.exe	41
PID 2668 wrote to memory of 2580	2668	SolaraV3.exe	43
PID 2668 wrote to memory of 2580	2668	SolaraV3.exe	43
PID 2668 wrote to memory of 2580	2668	SolaraV3.exe	43
PID 2580 wrote to memory of 1656	2580	cmd.exe	45
PID 2580 wrote to memory of 1656	2580	cmd.exe	45
PID 2580 wrote to memory of 1656	2580	cmd.exe	45
PID 2580 wrote to memory of 908	2580	cmd.exe	46
PID 2580 wrote to memory of 908	2580	cmd.exe	46
PID 2580 wrote to memory of 908	2580	cmd.exe	46
PID 2580 wrote to memory of 1920	2580	cmd.exe	47
PID 2580 wrote to memory of 1920	2580	cmd.exe	47
PID 2580 wrote to memory of 1920	2580	cmd.exe	47
PID 1920 wrote to memory of 2260	1920	SolaraV3.exe	48
PID 1920 wrote to memory of 2260	1920	SolaraV3.exe	48
PID 1920 wrote to memory of 2260	1920	SolaraV3.exe	48
PID 1920 wrote to memory of 1912	1920	SolaraV3.exe	50
PID 1920 wrote to memory of 1912	1920	SolaraV3.exe	50
PID 1920 wrote to memory of 1912	1920	SolaraV3.exe	50
PID 1912 wrote to memory of 1716	1912	cmd.exe	52
PID 1912 wrote to memory of 1716	1912	cmd.exe	52
PID 1912 wrote to memory of 1716	1912	cmd.exe	52
PID 1912 wrote to memory of 1708	1912	cmd.exe	53
PID 1912 wrote to memory of 1708	1912	cmd.exe	53
PID 1912 wrote to memory of 1708	1912	cmd.exe	53
PID 1912 wrote to memory of 2516	1912	cmd.exe	54
PID 1912 wrote to memory of 2516	1912	cmd.exe	54
PID 1912 wrote to memory of 2516	1912	cmd.exe	54
PID 2516 wrote to memory of 760	2516	SolaraV3.exe	55
PID 2516 wrote to memory of 760	2516	SolaraV3.exe	55
PID 2516 wrote to memory of 760	2516	SolaraV3.exe	55
PID 2516 wrote to memory of 2856	2516	SolaraV3.exe	57
PID 2516 wrote to memory of 2856	2516	SolaraV3.exe	57
PID 2516 wrote to memory of 2856	2516	SolaraV3.exe	57
PID 2856 wrote to memory of 2200	2856	cmd.exe	59
PID 2856 wrote to memory of 2200	2856	cmd.exe	59
PID 2856 wrote to memory of 2200	2856	cmd.exe	59
PID 2856 wrote to memory of 640	2856	cmd.exe	60
PID 2856 wrote to memory of 640	2856	cmd.exe	60
PID 2856 wrote to memory of 640	2856	cmd.exe	60
PID 2856 wrote to memory of 2160	2856	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara V3\SolaraV3.exe
"C:\Users\Admin\AppData\Local\Temp\Solara V3\SolaraV3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1276
- C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2680
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\A97JRxoyOace.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2336
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2836
  - - C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bkj8qc0oBSNb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1656
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:908
      - C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tg1hkKd2kAk3.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASdwLlddQj0G.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\klHeVhRouYJC.bat" "
        11⤵
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XEccW94EUroz.bat" "
        13⤵
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BJUOATUoDm3G.bat" "
        15⤵
        
        PID:1012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\biGH2UHIw2xs.bat" "
        17⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wzl7O6Js7dOl.bat" "
        19⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vld3AQPK6P6g.bat" "
        21⤵
        
        PID:1616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rfCtCHUNorY8.bat" "
        23⤵
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9iJGu9Yt41lu.bat" "
        25⤵
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaIihqmDMsrl.bat" "
        27⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1320
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AppKehXNDFUh.bat" "
        29⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIBlAMtWWEux.bat" "
        31⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9iJGu9Yt41lu.bat

Filesize
209B

MD5
fb453bddb3a6e6d77ee3ce30f898dfc3

SHA1
80305537b41a7fd2eea98ce09dad95f474ad5288

SHA256
25adfccca33cf2fc806916c650607f0e833c9ff0e305eaa2f5757ea8cea9dfd5

SHA512
14598ce19acd2f8cdbdc80f3a2dee6416b4b00ad26c26f550778bcc716baa3ce4e117be0b71b48e2d3dd32b8e98a200bb9b2d678402b9cd6aba4d68923ab61bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\A97JRxoyOace.bat

Filesize
209B

MD5
e549fd8e4277df1187decde28c50fad9

SHA1
f04c735848012f22fb3562a49d324ec94fd17ccb

SHA256
43e1a361cbde50aa4c2ecc2d767972eca491d57c7cfc1e9caab74b6b53bb71d2

SHA512
17bc62c9b10be5fab270d1dbc4d196e337c7acbe327c3cbc0ced6e0c72882bed68679d8e4b0d0fa4f720047ff30995e81571bb0134903a108b3b626b75198759

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASdwLlddQj0G.bat

Filesize
209B

MD5
781f6582dce1fe74576fdd10490fa364

SHA1
805c7b445dd81566bf3134f08826f51645335ae8

SHA256
373ef63df34164ba17782c5c46e951dea08fe24a6e908933274b16da5dda9575

SHA512
d445c385873c3c01cc12a03b6e2a41fa5b6187be18f2855dbe1ec39126278bb9267ed113e1be7df7f4780a9d055ef3990e3bcc7697a454ccf59d28e3eb9650b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppKehXNDFUh.bat

Filesize
209B

MD5
b4d71a91148bc4bec35b788adbc12707

SHA1
fe671965a5748c8f7e10f87d545b6be22a17cbf9

SHA256
d3869f08784f93137d4008618173da317ab292bd1d284b0c949926891cbf4803

SHA512
3e8b225bbab941173f96dce5f604d88b716e2c474cf74734e497d22191a0005e9bc11c017c84bb611074ecf2b8ceb822f610e0cdd28cd3b638952cf13ac0badd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJUOATUoDm3G.bat

Filesize
209B

MD5
175cd10371df2e4b6f76ba4bcf99b5e2

SHA1
1f3a9595494fcdcf56860787f8aeb717f117b0b6

SHA256
efbf4267e140878871f7c8d5453562ba9140dc933edeb66b7214b1638e5a5930

SHA512
2e7b5773f32debd8cf82c6adacef22a8b529b5a2270012dbd3f198ffcb82afe255aea53c7691cc0f3b8bc17abf4919cc3476cd9bccd47daf29d3ac230732b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bkj8qc0oBSNb.bat

Filesize
209B

MD5
da0fdbc2be7ef7b5202c7a4f70b88ba5

SHA1
20f5b2faceb668dae5e1ff4101e6e1e78dcdf92e

SHA256
5cfeca0bf4c9bff4eac8682c56204fe45008360cd2414854ff562b82662f401b

SHA512
9290d78fb4a7c5462eb79d51e1eb8176d9c06249d184558e94fef72c6da4b87cde92238e54a6693850a434ae79decde728ef48e2cb4b2d19966524a433d012a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VaIihqmDMsrl.bat

Filesize
209B

MD5
38c2f6c4e43680c4e5beeef6777cf702

SHA1
6bc0ca34b82b7eaff1a2f683a2b3798230d4960c

SHA256
d1f7873b09ab7044f1098713c59ad237ccc46f139a3a523518d5da8dbeb8aa99

SHA512
c14fb39c734918a36feab23b4902b71f6bdccc8a110b08ebb7ea47e6036c62f9aa76870d5f8bb96e7bdbe8f6555ce8c25686689e3a8769517578ead5ca58fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vld3AQPK6P6g.bat

Filesize
209B

MD5
30b1a4817fe02f8325753e1ab23faf75

SHA1
53a02179ff6f645492e1beac95a242d697f960bb

SHA256
1cec304b4c32537ebc2b1ab2dc9ec4a547091216a0de8b8f31130636c922200a

SHA512
b4374ce9121f729a51ed532fc1e2f41034865473c7c520874b1acadc6353ba27cc8b9a7adf6fa5d583de174c2e8243bc81bc3ff10c6273fc6618189c078dab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEccW94EUroz.bat

Filesize
209B

MD5
7985e901f2de24f162304cd9acb2c12b

SHA1
60d03f44effc6be5af9a5999670036e7fd42c470

SHA256
8e07915dffb5b0a16d39edbf4d282e159816382bf88e66d44cd194d926ca51ab

SHA512
80f5f812b785a1f6e191f487e8039abd12b4e955338656cf1896c0e428cb39583b8ff5892e6e6fe1d67c29453829778969d8ca59e7dc9a941ad0228a4eab84b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\biGH2UHIw2xs.bat

Filesize
209B

MD5
6e784e12f935868671f882e00c1d7ece

SHA1
9bcc7e33d31ad66d38af59defdd7ea448795ed23

SHA256
f4327cf12359a11e598ed1df9b1a6ebbdb538a042d92d41f9504cbd77e8e13aa

SHA512
31930eec9e4ed27573ae982abfa35483e88e7a84322f378cd455f5c1218e3cafbcd071426ee7a70c69385df6b331b03fd7922e574ca8a565fc71e0b05b31368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\klHeVhRouYJC.bat

Filesize
209B

MD5
509778b6e66a8286cf7e076b2f1ceba6

SHA1
b4fa311faacb38f1ba512a95d9ff3136bf1c46bb

SHA256
d214172fde39c8f58c87ba108aadc6c45d53e049484bf0bf03af6b18c2168850

SHA512
04134273095f6647ace087c960f56af58535c64a11e0a8a829e67e8ad4f16f175e6cf5d3e230d30f7c2cbbcad51aef357ff0ad5d0caa736f3f8ff7e81b20a836

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIBlAMtWWEux.bat

Filesize
209B

MD5
6239b940e0da19c6570c2197c2d75748

SHA1
7555669865deeae9d4a78ecd9fc202be0e861376

SHA256
afcaea7835a951b7a4a79f7e37cb8c2f5cb0c3d5a69f73aa62343b4de30c6f4d

SHA512
d34b0656fe2d6299d022628ef5d2430105acf25dde256d5c00d114037b3f170f892395153691f5f2f46698170a4ab3d827d2822b52a48ca35dfc0b7be66b9544

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfCtCHUNorY8.bat

Filesize
209B

MD5
6d0b105ecb6068a0efbedd803795180d

SHA1
f5b8ef4f55c0e3b26b8cb900c4db7d55f51804c2

SHA256
e542c7b9059fc24dfc991d522c6b0ca8b1626fa48c29dcead8bd7aa34a4b4f84

SHA512
39c725850bc9de0c7fc4c109791d3379b5cb6833b9dc1c6662bfc7a3a7f69213fb050d27dad6b19ea57517b68b3546299425b281a789ad59923f41b7c832874d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg1hkKd2kAk3.bat

Filesize
209B

MD5
371061efcb6743cbe9889982b2faf7c8

SHA1
310a3bc0d07d6039917d83d21dc313f193fc7e2b

SHA256
f52c6f8c067293a78d25f240905a8fb3c94f42a8b52266d042d0a847139b2230

SHA512
770b0bc90c050c1af9f489e52e23fbac6951ec3ddc8cb06206977ec172bc479c2ad600f13abdf4fe3a08d222ed1d476514a3bf162507934c45bdd215fd7fa2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzl7O6Js7dOl.bat

Filesize
209B

MD5
11787d964d4ae1a999996dfd94b020a8

SHA1
980001ed848ce5fb55eab3b1c988cb6f9f627866

SHA256
db34e1d853ea4d2486e0a0487a58d08345fe3a70dce7c48691ab9c9e1ae4fb6a

SHA512
8b6a3577502cbbccfeeda16af54cc1b12581c2324ecc6625fc439cf16d0477b4da692f04ed35d6833222717f9465b6a323302b58ef593ed634c07d0e7a738838

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\SolaraV3.exe

Filesize
3.1MB

MD5
3db0c6fb25d98ede3749c5c296227708

SHA1
5d7843d185e9d7f56490bd03094f49c1444fa92a

SHA256
604e26e36c395712913a141ef96bc461385eea54d2182d170196dfee458ea82f

SHA512
461df5b25d7d14d340729177a987f254425d0bf57ca6f00853278d7640c40b6e52966a6465c0add70193fce2fc7a66555f1338e6a3f9eb28e85f3f5bab64b452

Download Submit
memory/336-88-0x0000000000370000-0x0000000000698000-memory.dmp

Filesize
3.2MB

Download
memory/1604-67-0x00000000010B0000-0x00000000013D8000-memory.dmp

Filesize
3.2MB

Download
memory/1668-121-0x00000000010E0000-0x0000000001408000-memory.dmp

Filesize
3.2MB

Download
memory/1692-133-0x0000000001300000-0x0000000001628000-memory.dmp

Filesize
3.2MB

Download
memory/1920-34-0x0000000000800000-0x0000000000B28000-memory.dmp

Filesize
3.2MB

Download
memory/1960-1-0x00000000013E0000-0x0000000001708000-memory.dmp

Filesize
3.2MB

Download
memory/1960-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1960-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1960-8-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2028-20-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2028-9-0x0000000000810000-0x0000000000B38000-memory.dmp

Filesize
3.2MB

Download
memory/2028-11-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2028-10-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-99-0x0000000000950000-0x0000000000C78000-memory.dmp

Filesize
3.2MB

Download
memory/2516-45-0x0000000000FF0000-0x0000000001318000-memory.dmp

Filesize
3.2MB

Download
memory/2560-110-0x0000000000CF0000-0x0000000001018000-memory.dmp

Filesize
3.2MB

Download
memory/2668-23-0x00000000002C0000-0x00000000005E8000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads