6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507

General

Target

Star-Wars-Battlefron_330757428.exe
Size

7.4MB
MD5

1f916117907696b1166fd3b79e9905f9
SHA1

50b83e0dcc2205b8e153ba5898498ef5ee01b943
SHA256

6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507
SHA512

b472b663c0536f2ee6af7ce2c0d8450fbbbc0c32ceef8e22d66f600a19a92c60e5763ce481f3d69f146c4fcd39c75da8d904a081d60d3d2f0aa2d0efe7789048

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmpSEHRecoveryToolboxLauncher.exe

pid process

1944 Star-Wars-Battlefron_330757428.tmp
2672 SEHRecoveryToolboxLauncher.exe
Loads dropped DLL 2 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmp

pid process

1944 Star-Wars-Battlefron_330757428.tmp
1944 Star-Wars-Battlefron_330757428.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmp

description	ioc	process
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-EONBF.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\unins000.dat	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\cc3260.dll	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\prRarRecoveryToolboxLib.dll	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\unins000.dat	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-25VGU.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-5BGJA.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-BK57L.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-OC0K0.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\ssleay32.dll	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-SSR5I.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-B9PJA.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\RAR Recovery Toolbox.chm	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\prRarRecoveryToolboxLib5.dll	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-10R6E.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-6LFHV.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\libeay32.dll	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-MSOEV.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-B926E.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-ESFTQ.tmp	Star-Wars-Battlefron_330757428.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmpSEHRecoveryToolboxLauncher.exe

pid	process
1944	Star-Wars-Battlefron_330757428.tmp
1944	Star-Wars-Battlefron_330757428.tmp
2672	SEHRecoveryToolboxLauncher.exe
2672	SEHRecoveryToolboxLauncher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmp

pid process

1944 Star-Wars-Battlefron_330757428.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Star-Wars-Battlefron_330757428.exeStar-Wars-Battlefron_330757428.tmp

description	pid	process	target process
PID 3968 wrote to memory of 1944	3968	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 3968 wrote to memory of 1944	3968	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 3968 wrote to memory of 1944	3968	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 1944 wrote to memory of 2672	1944	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1944 wrote to memory of 2672	1944	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1944 wrote to memory of 2672	1944	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe

C:\Users\Admin\AppData\Local\Temp\Star-Wars-Battlefron_330757428.exe
"C:\Users\Admin\AppData\Local\Temp\Star-Wars-Battlefron_330757428.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\is-DUINA.tmp\Star-Wars-Battlefron_330757428.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DUINA.tmp\Star-Wars-Battlefron_330757428.tmp" /SL5="$201C8,7020769,1072640,C:\Users\Admin\AppData\Local\Temp\Star-Wars-Battlefron_330757428.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1944

C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
"C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe" Star-Wars-Battlefron_330757428.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
MD5
56f12ac950b313c857c4de27ed86d334

SHA1
2fb150324007af4b7790af628c1ae0ccadf01b82

SHA256
caca1e988b91716e899e5a37d2fa97c17f0d5004cb751800e84c966291136f19

SHA512
08057cc1d38a53a8283acfc00ce4ed443afda1a8d7baa343f988f785df37402c8f4929d940c2d83a13fc43905dee3f323fbc0ad5fcfcb4346d8a156d1a722d86

Download Submit
C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
MD5
56f12ac950b313c857c4de27ed86d334

SHA1
2fb150324007af4b7790af628c1ae0ccadf01b82

SHA256
caca1e988b91716e899e5a37d2fa97c17f0d5004cb751800e84c966291136f19

SHA512
08057cc1d38a53a8283acfc00ce4ed443afda1a8d7baa343f988f785df37402c8f4929d940c2d83a13fc43905dee3f323fbc0ad5fcfcb4346d8a156d1a722d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUINA.tmp\Star-Wars-Battlefron_330757428.tmp
MD5
1af5a1ed59fcb0e2f61839fae950a2f8

SHA1
917429dd437ff355c3061f25c4d1068a95420d2c

SHA256
b7767fd4addb557368ff1e605d358e0e36d39e526dc72bdd3eb28ff78a302ef9

SHA512
dc5e3bb735d728ab4d6dc50809e9f156c92e00dfaea68d78f7e7c7d4c22c6e351a46b256422401b9758273bbd04b9848ac7e8fde315d817a34c473dd4d4ae24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUINA.tmp\Star-Wars-Battlefron_330757428.tmp
MD5
1af5a1ed59fcb0e2f61839fae950a2f8

SHA1
917429dd437ff355c3061f25c4d1068a95420d2c

SHA256
b7767fd4addb557368ff1e605d358e0e36d39e526dc72bdd3eb28ff78a302ef9

SHA512
dc5e3bb735d728ab4d6dc50809e9f156c92e00dfaea68d78f7e7c7d4c22c6e351a46b256422401b9758273bbd04b9848ac7e8fde315d817a34c473dd4d4ae24e

Download Submit
\Users\Admin\AppData\Local\Temp\is-V74U4.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-V74U4.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
memory/1944-120-0x0000000003591000-0x0000000003593000-memory.dmp

Filesize
8KB

Download
memory/1944-121-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1944-116-0x0000000000000000-mapping.dmp

Download
memory/2672-123-0x0000000000000000-mapping.dmp

Download
memory/2672-126-0x0000000000400000-0x000000000170A000-memory.dmp

Filesize
19.0MB

Download
memory/2672-127-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/3968-115-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads