6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507

General

Target

Star-Wars-Battlefron_330757428.exe
Size

7.4MB
MD5

1f916117907696b1166fd3b79e9905f9
SHA1

50b83e0dcc2205b8e153ba5898498ef5ee01b943
SHA256

6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507
SHA512

b472b663c0536f2ee6af7ce2c0d8450fbbbc0c32ceef8e22d66f600a19a92c60e5763ce481f3d69f146c4fcd39c75da8d904a081d60d3d2f0aa2d0efe7789048

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmpSEHRecoveryToolboxLauncher.exe

pid process

1768 Star-Wars-Battlefron_330757428.tmp
1232 SEHRecoveryToolboxLauncher.exe
Loads dropped DLL 3 IoCs

Processes:

Star-Wars-Battlefron_330757428.exeStar-Wars-Battlefron_330757428.tmp

pid process

528 Star-Wars-Battlefron_330757428.exe
1768 Star-Wars-Battlefron_330757428.tmp
1768 Star-Wars-Battlefron_330757428.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
528	Star-Wars-Battlefron_330757428.exe
1768	Star-Wars-Battlefron_330757428.tmp
1768	Star-Wars-Battlefron_330757428.tmp

Drops file in Program Files directory 21 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmp

description	ioc	process
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-0VRJB.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-FQ831.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\cc3260.dll	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\libeay32.dll	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\RAR Recovery Toolbox.chm	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-RUH33.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-DS9BM.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\prRarRecoveryToolboxLib5.dll	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\ssleay32.dll	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\unins000.dat	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-Q7CSU.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-HHR62.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-D4457.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\prRarRecoveryToolboxLib.dll	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-8V1I2.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-RC6PA.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-59RDQ.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-8946U.tmp	Star-Wars-Battlefron_330757428.tmp
File created	C:\Program Files (x86)\SEH Recovery Toolbox\is-C70KR.tmp	Star-Wars-Battlefron_330757428.tmp
File opened for modification	C:\Program Files (x86)\SEH Recovery Toolbox\unins000.dat	Star-Wars-Battlefron_330757428.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmpSEHRecoveryToolboxLauncher.exe

pid	process
1768	Star-Wars-Battlefron_330757428.tmp
1768	Star-Wars-Battlefron_330757428.tmp
1232	SEHRecoveryToolboxLauncher.exe
1232	SEHRecoveryToolboxLauncher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Star-Wars-Battlefron_330757428.tmp

pid process

1768 Star-Wars-Battlefron_330757428.tmp

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Star-Wars-Battlefron_330757428.exeStar-Wars-Battlefron_330757428.tmp

description	pid	process	target process
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 528 wrote to memory of 1768	528	Star-Wars-Battlefron_330757428.exe	Star-Wars-Battlefron_330757428.tmp
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe
PID 1768 wrote to memory of 1232	1768	Star-Wars-Battlefron_330757428.tmp	SEHRecoveryToolboxLauncher.exe

C:\Users\Admin\AppData\Local\Temp\Star-Wars-Battlefron_330757428.exe
"C:\Users\Admin\AppData\Local\Temp\Star-Wars-Battlefron_330757428.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\is-GFJL0.tmp\Star-Wars-Battlefron_330757428.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GFJL0.tmp\Star-Wars-Battlefron_330757428.tmp" /SL5="$50156,7020769,1072640,C:\Users\Admin\AppData\Local\Temp\Star-Wars-Battlefron_330757428.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1768

C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
"C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe" Star-Wars-Battlefron_330757428.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
MD5
56f12ac950b313c857c4de27ed86d334

SHA1
2fb150324007af4b7790af628c1ae0ccadf01b82

SHA256
caca1e988b91716e899e5a37d2fa97c17f0d5004cb751800e84c966291136f19

SHA512
08057cc1d38a53a8283acfc00ce4ed443afda1a8d7baa343f988f785df37402c8f4929d940c2d83a13fc43905dee3f323fbc0ad5fcfcb4346d8a156d1a722d86

Download Submit
C:\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
MD5
56f12ac950b313c857c4de27ed86d334

SHA1
2fb150324007af4b7790af628c1ae0ccadf01b82

SHA256
caca1e988b91716e899e5a37d2fa97c17f0d5004cb751800e84c966291136f19

SHA512
08057cc1d38a53a8283acfc00ce4ed443afda1a8d7baa343f988f785df37402c8f4929d940c2d83a13fc43905dee3f323fbc0ad5fcfcb4346d8a156d1a722d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GFJL0.tmp\Star-Wars-Battlefron_330757428.tmp
MD5
1af5a1ed59fcb0e2f61839fae950a2f8

SHA1
917429dd437ff355c3061f25c4d1068a95420d2c

SHA256
b7767fd4addb557368ff1e605d358e0e36d39e526dc72bdd3eb28ff78a302ef9

SHA512
dc5e3bb735d728ab4d6dc50809e9f156c92e00dfaea68d78f7e7c7d4c22c6e351a46b256422401b9758273bbd04b9848ac7e8fde315d817a34c473dd4d4ae24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GFJL0.tmp\Star-Wars-Battlefron_330757428.tmp
MD5
1af5a1ed59fcb0e2f61839fae950a2f8

SHA1
917429dd437ff355c3061f25c4d1068a95420d2c

SHA256
b7767fd4addb557368ff1e605d358e0e36d39e526dc72bdd3eb28ff78a302ef9

SHA512
dc5e3bb735d728ab4d6dc50809e9f156c92e00dfaea68d78f7e7c7d4c22c6e351a46b256422401b9758273bbd04b9848ac7e8fde315d817a34c473dd4d4ae24e

Download Submit
\Program Files (x86)\SEH Recovery Toolbox\SEHRecoveryToolboxLauncher.exe
MD5
56f12ac950b313c857c4de27ed86d334

SHA1
2fb150324007af4b7790af628c1ae0ccadf01b82

SHA256
caca1e988b91716e899e5a37d2fa97c17f0d5004cb751800e84c966291136f19

SHA512
08057cc1d38a53a8283acfc00ce4ed443afda1a8d7baa343f988f785df37402c8f4929d940c2d83a13fc43905dee3f323fbc0ad5fcfcb4346d8a156d1a722d86

Download Submit
\Users\Admin\AppData\Local\Temp\is-BUQ23.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-GFJL0.tmp\Star-Wars-Battlefron_330757428.tmp
MD5
1af5a1ed59fcb0e2f61839fae950a2f8

SHA1
917429dd437ff355c3061f25c4d1068a95420d2c

SHA256
b7767fd4addb557368ff1e605d358e0e36d39e526dc72bdd3eb28ff78a302ef9

SHA512
dc5e3bb735d728ab4d6dc50809e9f156c92e00dfaea68d78f7e7c7d4c22c6e351a46b256422401b9758273bbd04b9848ac7e8fde315d817a34c473dd4d4ae24e

Download Submit
memory/528-66-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/528-59-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1232-71-0x0000000000000000-mapping.dmp

Download
memory/1232-75-0x0000000000400000-0x000000000170A000-memory.dmp

Filesize
19.0MB

Download
memory/1232-76-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1768-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1768-68-0x0000000074501000-0x0000000074503000-memory.dmp

Filesize
8KB

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads