84c628adba7d09e7621579a147e6d2daa189dd4f47a86e6095d05cd696fcd570

General

Target

Bandicam/bdcam_setup2.bat
Size

70KB
MD5

8a522dec33821148711c857d983651c1
SHA1

2641393f1fd63466a4b35ea632b9c177ac3bbbcb
SHA256

fd83c925242c80089404bda5cbeee012ed4592c9fdd9dceba2d0ed43dad451d4
SHA512

d14f57f949f1a519966a3bfba27d79aa34c32474e573031f35eee8a743d971cb771c8e7c8f82de094e47bc7c08744c5f3eb5e082e809149efc0accfbc4786261
SSDEEP

1536:Adgu9vQizEgn0/6xwWhyYS2LEkTBR+MSD9dCr:ADzEowWhyeQIR+MMur

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4136	bdcam_activate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
876	bdcam.exe
876	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\Shell	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bandicam\\bdfix.exe"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\DefaultIcon	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\BANDICAM.bfix\Shell\Open	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\.bfix\ = "BANDICAM.bfix"	bdcam.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
876	bdcam.exe
876	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3608	AUDIODG.EXE
Token: 33	2380	bdcam.exe
Token: SeIncBasePriorityPrivilege	2380	bdcam.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	bdcam.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2380	bdcam.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
876	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe
2380	bdcam.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3780	1368	cmd.exe	80
PID 1368 wrote to memory of 3780	1368	cmd.exe	80
PID 3780 wrote to memory of 2680	3780	net.exe	81
PID 3780 wrote to memory of 2680	3780	net.exe	81
PID 1368 wrote to memory of 876	1368	cmd.exe	82
PID 1368 wrote to memory of 876	1368	cmd.exe	82
PID 876 wrote to memory of 4456	876	bdcam.exe	83
PID 876 wrote to memory of 4456	876	bdcam.exe	83
PID 876 wrote to memory of 4956	876	bdcam.exe	84
PID 876 wrote to memory of 4956	876	bdcam.exe	84
PID 876 wrote to memory of 4956	876	bdcam.exe	84
PID 1368 wrote to memory of 2000	1368	cmd.exe	85
PID 1368 wrote to memory of 2000	1368	cmd.exe	85
PID 1368 wrote to memory of 4136	1368	cmd.exe	86
PID 1368 wrote to memory of 4136	1368	cmd.exe	86
PID 1368 wrote to memory of 4136	1368	cmd.exe	86
PID 1368 wrote to memory of 3180	1368	cmd.exe	87
PID 1368 wrote to memory of 3180	1368	cmd.exe	87
PID 1368 wrote to memory of 2380	1368	cmd.exe	88
PID 1368 wrote to memory of 2380	1368	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\system32\net.exe
  NET SESSION
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 SESSION
    3⤵
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    PID:4956
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam_setup2.bat "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe"
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe
  "C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe" /inst
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\system32\reg.exe
  reg copy "HKLM\SOFTWARE\WOW6432Node\BANDISOFT\BANDICAM\OPTION" "HKCU\SOFTWARE\BANDISOFT\BANDICAM\OPTION" /s /f
  2⤵
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\Bandicam\bdcam.exe
  "bdcam.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdcam_activate.exe

Filesize
51KB

MD5
e8798824bbbeb49465ed12f37f2d9f4a

SHA1
63727c3524b0fd56c977cc5e1918c740714c1ead

SHA256
e3b24f1c668598adc610c010a4fb43e4e3d370c2e63cd4f7130936e761d7db78

SHA512
fddb433caa0441b9facfa9cc4e396584fd4b7f2cf3e8953fc7ad667842320588d32cbd334e8f88578c1f5e925ecb4a9cb97b01b5e9118d3fc50e8f2cf4f3841b

Download Submit
memory/876-0-0x00007FF79631B000-0x00007FF796758000-memory.dmp

Filesize
4.2MB

Download
memory/876-1-0x00007FF8BA430000-0x00007FF8BA432000-memory.dmp

Filesize
8KB

Download
memory/876-2-0x00007FF795D60000-0x00007FF796AC2000-memory.dmp

Filesize
13.4MB

Download
memory/876-3-0x00007FF79631B000-0x00007FF796758000-memory.dmp

Filesize
4.2MB

Download
memory/2380-10-0x00007FF795D60000-0x00007FF796AC2000-memory.dmp

Filesize
13.4MB

Download
memory/4136-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing