3bandicam-1-6-en.exe
windows7-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$TEMP/BDMP...UP.exe
windows7-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$SYSDIR/bdmjpeg.dll
windows7-x64
1$SYSDIR/bdmjpeg64.dll
windows7-x64
1$SYSDIR/bdmpega.dll
windows7-x64
1$SYSDIR/bdmpega64.dll
windows7-x64
1$SYSDIR/bdmpegv.dll
windows7-x64
1$SYSDIR/bdmpegv64.dll
windows7-x64
1$TEMP/bdfilters.dll
windows7-x64
1bdfilters.dll
windows7-x64
1bdfilters64.dll
windows7-x64
7bdcam.dll
windows7-x64
1bdcam.exe
windows7-x64
1bdcam64.exe
windows7-x64
1bdcam64.dll
windows7-x64
1bdcamih.dll
windows7-x64
1bdcap32.dll
windows7-x64
1bdcap64.dll
windows7-x64
1bdfix.exe
windows7-x64
Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240215-es -
resource tags
arch:x64 arch:x86 image:win7-20240215-es locale:es-es os:windows7-x64 system:windows -
submitted
22/02/2024, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
bandicam-1-6-en.exe
Resource
win7-20240220-es
Behavioral task
behavioral2
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-es
Behavioral task
behavioral3
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240221-es
Behavioral task
behavioral4
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240215-es
Behavioral task
behavioral5
Sample
$TEMP/BDMPEG1SETUP.exe
Resource
win7-20240221-es
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-es
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-es
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240220-es
Behavioral task
behavioral9
Sample
$SYSDIR/bdmjpeg.dll
Resource
win7-20240221-es
Behavioral task
behavioral10
Sample
$SYSDIR/bdmjpeg64.dll
Resource
win7-20240221-es
Behavioral task
behavioral11
Sample
$SYSDIR/bdmpega.dll
Resource
win7-20240221-es
Behavioral task
behavioral12
Sample
$SYSDIR/bdmpega64.dll
Resource
win7-20240221-es
Behavioral task
behavioral13
Sample
$SYSDIR/bdmpegv.dll
Resource
win7-20240221-es
Behavioral task
behavioral14
Sample
$SYSDIR/bdmpegv64.dll
Resource
win7-20240220-es
Behavioral task
behavioral15
Sample
$TEMP/bdfilters.dll
Resource
win7-20240221-es
Behavioral task
behavioral16
Sample
bdfilters.dll
Resource
win7-20240221-es
Behavioral task
behavioral17
Sample
bdfilters64.dll
Resource
win7-20240215-es
Behavioral task
behavioral18
Sample
bdcam.dll
Resource
win7-20240221-es
Behavioral task
behavioral19
Sample
bdcam.exe
Resource
win7-20240221-es
Behavioral task
behavioral20
Sample
bdcam64.exe
Resource
win7-20240221-es
Behavioral task
behavioral21
Sample
bdcam64.dll
Resource
win7-20240221-es
Behavioral task
behavioral22
Sample
bdcamih.dll
Resource
win7-20240221-es
Behavioral task
behavioral23
Sample
bdcap32.dll
Resource
win7-20240221-es
Behavioral task
behavioral24
Sample
bdcap64.dll
Resource
win7-20240221-es
Behavioral task
behavioral25
Sample
bdfix.exe
Resource
win7-20240221-es
General
-
Target
bdfilters64.dll
-
Size
3.7MB
-
MD5
79dd4a67830c508079eccdd8c1332cc4
-
SHA1
f8a4fba282d40b8c1a9bf7339cec1e3d947d321d
-
SHA256
87c92d2e700f9a3bc62630be3a92e2df01d8d497afcf30d466d65f926a65f230
-
SHA512
2605d00cb14957384e1016a1f0e587e8c38a303814374ffeaf74504b8cd92d432c875b72d44b7a8565fa9c209d3d899560c4d47f7bf568a141b7100bd2525545
-
SSDEEP
49152:rf2EUD3PQxTTvfwBvvfrsdBD3PQxTTvfwBvvfrsdBD3PQxTTvfwBvvfrsdyy1y6o:CEcn6QwJFPvvv
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe -
Modifies registry class 28 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandisoft MPEG-1 Audio Decoder" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandisoft MPEG-1 Audio Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandisoft MPEG-1 Video Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandisoft MPEG-1 Audio Property" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandisoft MPEG-1 Video Property" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandisoft MPEG-1 Video Decoder" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} regsvr32.exe