Overview

Tasks (score as shown on the page / sample / platform):
- 7 | Static
- 3 | Bandicam/b...up.bat | windows10-1703-x64
- 7 | Bandicam/b...up.bat | windows7-x64
- 7 | Bandicam/b...up.bat | windows10-2004-x64
- 7 | Bandicam/b...up.bat | windows11-21h2-x64
- 7 | Bandicam/b...p2.bat | windows10-1703-x64
- 7 | Bandicam/b...p2.bat | windows7-x64
- 7 | Bandicam/b...p2.bat | windows10-2004-x64
- 7 | Bandicam/b...p2.bat | windows11-21h2-x64
Analysis (score 7)
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 13/06/2024, 15:18
Static task: static1

Behavioral tasks (sample / resource):
- behavioral1: Bandicam/bdcam_setup.bat / win10-20240404-en
- behavioral2: Bandicam/bdcam_setup.bat / win7-20240221-en
- behavioral3: Bandicam/bdcam_setup.bat / win10v2004-20240611-en
- behavioral4: Bandicam/bdcam_setup.bat / win11-20240611-en
- behavioral5: Bandicam/bdcam_setup2.bat / win10-20240404-en
- behavioral6: Bandicam/bdcam_setup2.bat / win7-20240419-en
- behavioral7: Bandicam/bdcam_setup2.bat / win10v2004-20240508-en
- behavioral8: Bandicam/bdcam_setup2.bat / win11-20240611-en
General
- Target: Bandicam/bdcam_setup2.bat
- Size: 70KB
- MD5: 8a522dec33821148711c857d983651c1
- SHA1: 2641393f1fd63466a4b35ea632b9c177ac3bbbcb
- SHA256: fd83c925242c80089404bda5cbeee012ed4592c9fdd9dceba2d0ed43dad451d4
- SHA512: d14f57f949f1a519966a3bfba27d79aa34c32474e573031f35eee8a743d971cb771c8e7c8f82de094e47bc7c08744c5f3eb5e082e809149efc0accfbc4786261
- SSDEEP: 1536:Adgu9vQizEgn0/6xwWhyYS2LEkTBR+MSD9dCr:ADzEowWhyeQIR+MMur
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid / process:
  - 2284 bdcam_activate.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid / process:
  - 3028 bdcam.exe
  - 3028 bdcam.exe
  - 2612 bdcam.exe
  - 2612 bdcam.exe

- Modifies registry class (10 IoCs)
  description / ioc / process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.bfix\ = "BANDICAM.bfix" (bdcam.exe)
  - Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell (bdcam.exe)
  - Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell\Open (bdcam.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe\"\"%1\"" (bdcam.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe" (bdcam.exe)
  - Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command (bdcam.exe)
  - Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.bfix (bdcam.exe)
  - Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix (bdcam.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\ = "BandiFix Recovery File" (bdcam.exe)
  - Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\BANDICAM.bfix\DefaultIcon (bdcam.exe)

- Runs net.exe

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid / process:
  - 2284 bdcam_activate.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / process:
  - 3028 bdcam.exe
  - 2612 bdcam.exe
  - 2612 bdcam.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: 33 / 2612 / bdcam.exe
  - Token: SeIncBasePriorityPrivilege / 2612 / bdcam.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process:
  - 2612 bdcam.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid / process:
  - 2612 bdcam.exe

- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid / process:
  - 3028 bdcam.exe
  - 2612 bdcam.exe
  - 2612 bdcam.exe
  - 2612 bdcam.exe
  - 2612 bdcam.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  source pid / source process / target pid / procid_target (identical rows are repeated in the report as listed here):
  - 2932 cmd.exe wrote to memory of 2920 (procid_target 29), 3 entries
  - 2920 net.exe wrote to memory of 2972 (procid_target 30), 3 entries
  - 2932 cmd.exe wrote to memory of 3028 (procid_target 31), 3 entries
  - 3028 bdcam.exe wrote to memory of 2820 (procid_target 32), 3 entries
  - 3028 bdcam.exe wrote to memory of 2608 (procid_target 33), 7 entries
  - 2932 cmd.exe wrote to memory of 2816 (procid_target 34), 3 entries
  - 2932 cmd.exe wrote to memory of 2284 (procid_target 35), 4 entries
  - 2932 cmd.exe wrote to memory of 2712 (procid_target 36), 3 entries
  - 2932 cmd.exe wrote to memory of 2612 (procid_target 37), 3 entries

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; depth shown by indentation)

- C:\Windows\system32\cmd.exe (PID 2932)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat"
  signatures: Suspicious use of WriteProcessMemory

  - C:\Windows\system32\net.exe (PID 2920)
    command line: NET SESSION
    signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\net1.exe (PID 2972)
      command line: C:\Windows\system32\net1 SESSION

  - C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe (PID 3028)
    command line: "bdcam.exe" /install
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Windows\system32\rundll32.exe (PID 2820)
      command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk64.dll",RegDll

    - C:\Windows\SysWOW64\rundll32.exe (PID 2608)
      command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk32.dll",RegDll

  - C:\Windows\system32\certutil.exe (PID 2816)
    command line: certutil -decode C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe"

  - C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe (PID 2284)
    command line: "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe" /inst
    signatures: Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam

  - C:\Windows\system32\reg.exe (PID 2712)
    command line: reg copy "HKLM\SOFTWARE\WOW6432Node\BANDISOFT\BANDICAM\OPTION" "HKCU\SOFTWARE\BANDISOFT\BANDICAM\OPTION" /s /f

  - C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe (PID 2612)
    command line: "bdcam.exe"
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 51KB
  MD5: e8798824bbbeb49465ed12f37f2d9f4a
  SHA1: 63727c3524b0fd56c977cc5e1918c740714c1ead
  SHA256: e3b24f1c668598adc610c010a4fb43e4e3d370c2e63cd4f7130936e761d7db78
  SHA512: fddb433caa0441b9facfa9cc4e396584fd4b7f2cf3e8953fc7ad667842320588d32cbd334e8f88578c1f5e925ecb4a9cb97b01b5e9118d3fc50e8f2cf4f3841b