84c628adba7d09e7621579a147e6d2daa189dd4f47a86e6095d05cd696fcd570

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bandicam/bdcam_setup2.bat
Size

70KB
MD5

8a522dec33821148711c857d983651c1
SHA1

2641393f1fd63466a4b35ea632b9c177ac3bbbcb
SHA256

fd83c925242c80089404bda5cbeee012ed4592c9fdd9dceba2d0ed43dad451d4
SHA512

d14f57f949f1a519966a3bfba27d79aa34c32474e573031f35eee8a743d971cb771c8e7c8f82de094e47bc7c08744c5f3eb5e082e809149efc0accfbc4786261
SSDEEP

1536:Adgu9vQizEgn0/6xwWhyYS2LEkTBR+MSD9dCr:ADzEowWhyeQIR+MMur

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2284	bdcam_activate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3028	bdcam.exe
3028	bdcam.exe
2612	bdcam.exe
2612	bdcam.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell\Open	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\DefaultIcon	bdcam.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2284	bdcam_activate.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3028	bdcam.exe
2612	bdcam.exe
2612	bdcam.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2612	bdcam.exe
Token: SeIncBasePriorityPrivilege	2612	bdcam.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	bdcam.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2612	bdcam.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3028	bdcam.exe
2612	bdcam.exe
2612	bdcam.exe
2612	bdcam.exe
2612	bdcam.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2920	2932	cmd.exe	29
PID 2932 wrote to memory of 2920	2932	cmd.exe	29
PID 2932 wrote to memory of 2920	2932	cmd.exe	29
PID 2920 wrote to memory of 2972	2920	net.exe	30
PID 2920 wrote to memory of 2972	2920	net.exe	30
PID 2920 wrote to memory of 2972	2920	net.exe	30
PID 2932 wrote to memory of 3028	2932	cmd.exe	31
PID 2932 wrote to memory of 3028	2932	cmd.exe	31
PID 2932 wrote to memory of 3028	2932	cmd.exe	31
PID 3028 wrote to memory of 2820	3028	bdcam.exe	32
PID 3028 wrote to memory of 2820	3028	bdcam.exe	32
PID 3028 wrote to memory of 2820	3028	bdcam.exe	32
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 3028 wrote to memory of 2608	3028	bdcam.exe	33
PID 2932 wrote to memory of 2816	2932	cmd.exe	34
PID 2932 wrote to memory of 2816	2932	cmd.exe	34
PID 2932 wrote to memory of 2816	2932	cmd.exe	34
PID 2932 wrote to memory of 2284	2932	cmd.exe	35
PID 2932 wrote to memory of 2284	2932	cmd.exe	35
PID 2932 wrote to memory of 2284	2932	cmd.exe	35
PID 2932 wrote to memory of 2284	2932	cmd.exe	35
PID 2932 wrote to memory of 2712	2932	cmd.exe	36
PID 2932 wrote to memory of 2712	2932	cmd.exe	36
PID 2932 wrote to memory of 2712	2932	cmd.exe	36
PID 2932 wrote to memory of 2612	2932	cmd.exe	37
PID 2932 wrote to memory of 2612	2932	cmd.exe	37
PID 2932 wrote to memory of 2612	2932	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\net.exe
  NET SESSION
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 SESSION
    3⤵
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    PID:2608
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe
  "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe" /inst
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2284
- C:\Windows\system32\reg.exe
  reg copy "HKLM\SOFTWARE\WOW6432Node\BANDISOFT\BANDICAM\OPTION" "HKCU\SOFTWARE\BANDISOFT\BANDICAM\OPTION" /s /f
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe

Filesize
51KB

MD5
e8798824bbbeb49465ed12f37f2d9f4a

SHA1
63727c3524b0fd56c977cc5e1918c740714c1ead

SHA256
e3b24f1c668598adc610c010a4fb43e4e3d370c2e63cd4f7130936e761d7db78

SHA512
fddb433caa0441b9facfa9cc4e396584fd4b7f2cf3e8953fc7ad667842320588d32cbd334e8f88578c1f5e925ecb4a9cb97b01b5e9118d3fc50e8f2cf4f3841b

Download Submit
memory/2284-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2612-17-0x000000013F040000-0x000000013FDA2000-memory.dmp

Filesize
13.4MB

Download
memory/2612-16-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/2612-19-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2612-18-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2612-20-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2612-21-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2612-22-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/3028-5-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/3028-6-0x000000013F0E0000-0x000000013FE42000-memory.dmp

Filesize
13.4MB

Download
memory/3028-7-0x000000013F69B000-0x000000013FAD8000-memory.dmp

Filesize
4.2MB

Download
memory/3028-1-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/3028-3-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/3028-0-0x000000013F69B000-0x000000013FAD8000-memory.dmp

Filesize
4.2MB

Download