84c628adba7d09e7621579a147e6d2daa189dd4f47a86e6095d05cd696fcd570

General

Target

Bandicam/bdcam_setup2.bat
Size

70KB
MD5

8a522dec33821148711c857d983651c1
SHA1

2641393f1fd63466a4b35ea632b9c177ac3bbbcb
SHA256

fd83c925242c80089404bda5cbeee012ed4592c9fdd9dceba2d0ed43dad451d4
SHA512

d14f57f949f1a519966a3bfba27d79aa34c32474e573031f35eee8a743d971cb771c8e7c8f82de094e47bc7c08744c5f3eb5e082e809149efc0accfbc4786261
SSDEEP

1536:Adgu9vQizEgn0/6xwWhyYS2LEkTBR+MSD9dCr:ADzEowWhyeQIR+MMur

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	bdcam_activate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1276	bdcam.exe
1276	bdcam.exe
192	bdcam.exe
192	bdcam.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\Shell\Open	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\DefaultIcon	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\BANDICAM.bfix\Shell	bdcam.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1276	bdcam.exe
1276	bdcam.exe
192	bdcam.exe
192	bdcam.exe
192	bdcam.exe
192	bdcam.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	604	AUDIODG.EXE
Token: 33	192	bdcam.exe
Token: SeIncBasePriorityPrivilege	192	bdcam.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
192	bdcam.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
192	bdcam.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1276	bdcam.exe
192	bdcam.exe
192	bdcam.exe
192	bdcam.exe
192	bdcam.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4936	2564	cmd.exe	74
PID 2564 wrote to memory of 4936	2564	cmd.exe	74
PID 4936 wrote to memory of 3032	4936	net.exe	75
PID 4936 wrote to memory of 3032	4936	net.exe	75
PID 2564 wrote to memory of 1276	2564	cmd.exe	76
PID 2564 wrote to memory of 1276	2564	cmd.exe	76
PID 1276 wrote to memory of 4644	1276	bdcam.exe	77
PID 1276 wrote to memory of 4644	1276	bdcam.exe	77
PID 1276 wrote to memory of 1248	1276	bdcam.exe	78
PID 1276 wrote to memory of 1248	1276	bdcam.exe	78
PID 1276 wrote to memory of 1248	1276	bdcam.exe	78
PID 2564 wrote to memory of 3680	2564	cmd.exe	79
PID 2564 wrote to memory of 3680	2564	cmd.exe	79
PID 2564 wrote to memory of 2004	2564	cmd.exe	80
PID 2564 wrote to memory of 2004	2564	cmd.exe	80
PID 2564 wrote to memory of 2004	2564	cmd.exe	80
PID 2564 wrote to memory of 168	2564	cmd.exe	81
PID 2564 wrote to memory of 168	2564	cmd.exe	81
PID 2564 wrote to memory of 192	2564	cmd.exe	83
PID 2564 wrote to memory of 192	2564	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\system32\net.exe
  NET SESSION
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 SESSION
    3⤵
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    PID:1248
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe"
  2⤵
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe
  "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe" /inst
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\system32\reg.exe
  reg copy "HKLM\SOFTWARE\WOW6432Node\BANDISOFT\BANDICAM\OPTION" "HKCU\SOFTWARE\BANDISOFT\BANDICAM\OPTION" /s /f
  2⤵
  PID:168
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:192

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe

Filesize
51KB

MD5
e8798824bbbeb49465ed12f37f2d9f4a

SHA1
63727c3524b0fd56c977cc5e1918c740714c1ead

SHA256
e3b24f1c668598adc610c010a4fb43e4e3d370c2e63cd4f7130936e761d7db78

SHA512
fddb433caa0441b9facfa9cc4e396584fd4b7f2cf3e8953fc7ad667842320588d32cbd334e8f88578c1f5e925ecb4a9cb97b01b5e9118d3fc50e8f2cf4f3841b

Download Submit
memory/192-10-0x00007FF7D16A0000-0x00007FF7D2402000-memory.dmp

Filesize
13.4MB

Download
memory/1276-0-0x00007FF7D1C5B000-0x00007FF7D2098000-memory.dmp

Filesize
4.2MB

Download
memory/1276-1-0x00007FF971430000-0x00007FF971432000-memory.dmp

Filesize
8KB

Download
memory/1276-2-0x00007FF7D16A0000-0x00007FF7D2402000-memory.dmp

Filesize
13.4MB

Download
memory/1276-3-0x00007FF7D1C5B000-0x00007FF7D2098000-memory.dmp

Filesize
4.2MB

Download
memory/2004-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing