Overview

overview

7

Static

static

3

Bandicam/b...up.bat

windows10-1703-x64

7

Bandicam/b...up.bat

windows7-x64

7

Bandicam/b...up.bat

windows10-2004-x64

7

Bandicam/b...up.bat

windows11-21h2-x64

7

Bandicam/b...p2.bat

windows10-1703-x64

7

Bandicam/b...p2.bat

windows7-x64

7

Bandicam/b...p2.bat

windows10-2004-x64

7

Bandicam/b...p2.bat

windows11-21h2-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    13/06/2024, 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bandicam/bdcam_setup2.bat

  • Size

    70KB

  • MD5

    8a522dec33821148711c857d983651c1

  • SHA1

    2641393f1fd63466a4b35ea632b9c177ac3bbbcb

  • SHA256

    fd83c925242c80089404bda5cbeee012ed4592c9fdd9dceba2d0ed43dad451d4

  • SHA512

    d14f57f949f1a519966a3bfba27d79aa34c32474e573031f35eee8a743d971cb771c8e7c8f82de094e47bc7c08744c5f3eb5e082e809149efc0accfbc4786261

  • SSDEEP

    1536:Adgu9vQizEgn0/6xwWhyYS2LEkTBR+MSD9dCr:ADzEowWhyeQIR+MMur

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Modifies registry class 10 IoCs
  • Runs net.exe
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\net.exe
      NET SESSION
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 SESSION
        3⤵
          PID:2972
      • C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
        "bdcam.exe" /install
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk64.dll",RegDll
          3⤵
            PID:2820
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk32.dll",RegDll
            3⤵
              PID:2608
          • C:\Windows\system32\certutil.exe
            certutil -decode C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe"
            2⤵
              PID:2816
            • C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe
              "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe" /inst
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID:2284
            • C:\Windows\system32\reg.exe
              reg copy "HKLM\SOFTWARE\WOW6432Node\BANDISOFT\BANDICAM\OPTION" "HKCU\SOFTWARE\BANDISOFT\BANDICAM\OPTION" /s /f
              2⤵
                PID:2712
              • C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
                "bdcam.exe"
                2⤵
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                PID:2612

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe
              Filesize

              51KB

              MD5

              e8798824bbbeb49465ed12f37f2d9f4a

              SHA1

              63727c3524b0fd56c977cc5e1918c740714c1ead

              SHA256

              e3b24f1c668598adc610c010a4fb43e4e3d370c2e63cd4f7130936e761d7db78

              SHA512

              fddb433caa0441b9facfa9cc4e396584fd4b7f2cf3e8953fc7ad667842320588d32cbd334e8f88578c1f5e925ecb4a9cb97b01b5e9118d3fc50e8f2cf4f3841b

              Download Submit

            • memory/2284-11-0x0000000000400000-0x0000000000414000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2612-17-0x000000013F040000-0x000000013FDA2000-memory.dmp

              Filesize

              13.4MB

              Download

            • memory/2612-16-0x00000000770E0000-0x00000000770E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2612-19-0x0000000000430000-0x000000000043A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2612-18-0x0000000000430000-0x000000000043A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2612-20-0x0000000000430000-0x000000000043A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2612-21-0x0000000000430000-0x000000000043A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2612-22-0x0000000000430000-0x000000000043A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3028-5-0x00000000770E0000-0x00000000770E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3028-6-0x000000013F0E0000-0x000000013FE42000-memory.dmp

              Filesize

              13.4MB

              Download

            • memory/3028-7-0x000000013F69B000-0x000000013FAD8000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/3028-1-0x00000000770E0000-0x00000000770E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3028-3-0x00000000770E0000-0x00000000770E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3028-0-0x000000013F69B000-0x000000013FAD8000-memory.dmp

              Filesize

              4.2MB

              Download