84c628adba7d09e7621579a147e6d2daa189dd4f47a86e6095d05cd696fcd570

General

Target

Bandicam/bdcam_setup2.bat
Size

70KB
MD5

8a522dec33821148711c857d983651c1
SHA1

2641393f1fd63466a4b35ea632b9c177ac3bbbcb
SHA256

fd83c925242c80089404bda5cbeee012ed4592c9fdd9dceba2d0ed43dad451d4
SHA512

d14f57f949f1a519966a3bfba27d79aa34c32474e573031f35eee8a743d971cb771c8e7c8f82de094e47bc7c08744c5f3eb5e082e809149efc0accfbc4786261
SSDEEP

1536:Adgu9vQizEgn0/6xwWhyYS2LEkTBR+MSD9dCr:ADzEowWhyeQIR+MMur

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3868	bdcam_activate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2544	bdcam.exe
2544	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\DefaultIcon	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\Shell	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\Shell\Open	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2544	bdcam.exe
2544	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4492	AUDIODG.EXE
Token: 33	1272	bdcam.exe
Token: SeIncBasePriorityPrivilege	1272	bdcam.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1272	bdcam.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1272	bdcam.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2544	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe
1272	bdcam.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3640	4692	cmd.exe	91
PID 4692 wrote to memory of 3640	4692	cmd.exe	91
PID 3640 wrote to memory of 4052	3640	net.exe	92
PID 3640 wrote to memory of 4052	3640	net.exe	92
PID 4692 wrote to memory of 2544	4692	cmd.exe	93
PID 4692 wrote to memory of 2544	4692	cmd.exe	93
PID 2544 wrote to memory of 5088	2544	bdcam.exe	94
PID 2544 wrote to memory of 5088	2544	bdcam.exe	94
PID 2544 wrote to memory of 1012	2544	bdcam.exe	95
PID 2544 wrote to memory of 1012	2544	bdcam.exe	95
PID 2544 wrote to memory of 1012	2544	bdcam.exe	95
PID 4692 wrote to memory of 3100	4692	cmd.exe	96
PID 4692 wrote to memory of 3100	4692	cmd.exe	96
PID 4692 wrote to memory of 3868	4692	cmd.exe	98
PID 4692 wrote to memory of 3868	4692	cmd.exe	98
PID 4692 wrote to memory of 3868	4692	cmd.exe	98
PID 4692 wrote to memory of 3172	4692	cmd.exe	99
PID 4692 wrote to memory of 3172	4692	cmd.exe	99
PID 4692 wrote to memory of 1272	4692	cmd.exe	100
PID 4692 wrote to memory of 1272	4692	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\net.exe
  NET SESSION
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 SESSION
    3⤵
    PID:4052
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    PID:1012
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe"
  2⤵
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe
  "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe" /inst
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\system32\reg.exe
  reg copy "HKLM\SOFTWARE\WOW6432Node\BANDISOFT\BANDICAM\OPTION" "HKCU\SOFTWARE\BANDISOFT\BANDICAM\OPTION" /s /f
  2⤵
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1020,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
1⤵
PID:1624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe

Filesize
51KB

MD5
e8798824bbbeb49465ed12f37f2d9f4a

SHA1
63727c3524b0fd56c977cc5e1918c740714c1ead

SHA256
e3b24f1c668598adc610c010a4fb43e4e3d370c2e63cd4f7130936e761d7db78

SHA512
fddb433caa0441b9facfa9cc4e396584fd4b7f2cf3e8953fc7ad667842320588d32cbd334e8f88578c1f5e925ecb4a9cb97b01b5e9118d3fc50e8f2cf4f3841b

Download Submit
C:\Users\Admin\AppData\Roaming\Bandicam Company\BANDICAM\version.ini

Filesize
88B

MD5
7e6424083dd8154651fa316761326deb

SHA1
72f4886fe199a64e33719c1268aa7f7ca45f391c

SHA256
719f5377e869580dd65bad8bc74c3209ab503fce8b2685fb3dad58a3405cd1da

SHA512
384cb33925235892d18656f46056a6a24c7be86ab2c35caa6c650c942cc37c40b69175d6b8aba0742bb98e85fb5460a22a904105e22f4e265e1f42202d1b64de

Download Submit
memory/1272-10-0x00007FF750D40000-0x00007FF751AA2000-memory.dmp

Filesize
13.4MB

Download
memory/2544-0-0x00007FF7512FB000-0x00007FF751738000-memory.dmp

Filesize
4.2MB

Download
memory/2544-1-0x00007FFF93D10000-0x00007FFF93D12000-memory.dmp

Filesize
8KB

Download
memory/2544-2-0x00007FF750D40000-0x00007FF751AA2000-memory.dmp

Filesize
13.4MB

Download
memory/2544-3-0x00007FF7512FB000-0x00007FF751738000-memory.dmp

Filesize
4.2MB

Download
memory/3868-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing