Analysis
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2024, 23:02
Static task: static1
Behavioral task: behavioral1
  Sample: BandagedBD_Windows.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: BandagedBD_Windows.exe
  Resource: win10v2004-20240709-en
General
Target: BandagedBD_Windows.exe
Size: 112KB
MD5: 5771dc777121b6db68b13177c6d2f479
SHA1: 5da5787b7fc16b23a580ca2fb59e596d7ca35a98
SHA256: 5381cf1c07d26fd6eaebf43c14e27edc787e03e2e2959d7fcc106196fce9516f
SHA512: fcdcfc0631295d3317063fc2b4e2054cff87f8bc597e0c4481c023d2afabbdd97180d15420b94882d2b85d7dd4d147975312bab6d22b9393f1e9009f03753d72
SSDEEP: 1536:uqv7jfumxFM6EajCJyPOcF0bAtYFpFWtFn3VR6Bl:u6/mSOC09/WLn3Or
Malware Config
Signatures
Downloads MZ/PE file
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
NTFS ADS (1 IoC)
  description                   ioc                                                               Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 644607.crdownload:SmartScreen  msedge.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   Process                 rows
  2548  BandagedBD_Windows.exe  3
  4468  msedge.exe              2
  3660  msedge.exe              2
  1484  identity_helper.exe     2
  1612  msedge.exe              4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   Process     rows
  3660  msedge.exe  7
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2548  BandagedBD_Windows.exe
Suspicious use of FindShellTrayWindow (32 IoCs)
  pid   Process     rows
  3660  msedge.exe  32
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process     rows
  3660  msedge.exe  24
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, most of the 64 are repeated writes into 1868 and 2136)
  description                       pid   Process                 procid_target
  PID 2548 wrote to memory of 3660  2548  BandagedBD_Windows.exe  91
  PID 3660 wrote to memory of 4716  3660  msedge.exe              92
  PID 3660 wrote to memory of 1868  3660  msedge.exe              93
  PID 3660 wrote to memory of 4468  3660  msedge.exe              94
  PID 3660 wrote to memory of 2136  3660  msedge.exe              95
Processes
C:\Users\Admin\AppData\Local\Temp\BandagedBD_Windows.exe (PID 2548)
    cmd: "C:\Users\Admin\AppData\Local\Temp\BandagedBD_Windows.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3660, browser)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/rauenzi/BBDInstaller/releases/download/v1.0.5/BandagedBD.exe
        - Enumerates system info in registry
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4716, crashpad-handler)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x9c,0x7ffd30a646f8,0x7ffd30a64708,0x7ffd30a64718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1868, gpu-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4468, utility: network.mojom.NetworkService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2136, utility: storage.mojom.StorageService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2404, renderer, client-id 6)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1492, renderer, client-id 5)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1192, utility: winrt_app_id.mojom.WinrtAppIdService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1484, utility: winrt_app_id.mojom.WinrtAppIdService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4924, renderer, client-id 8)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1228, renderer, client-id 9, instant-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4500, utility: edge_collections.mojom.CollectionsDataManager)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4740 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1712, renderer, client-id 12)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3684, utility: chrome.mojom.UtilReadIcon)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4944, renderer, client-id 14)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408, renderer, client-id 15, instant-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1612, gpu-process, GPU sandbox disabled)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16237039092556840442,12963988490347179450,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2916 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 4016)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 744)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
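The chain in the tree above, where the sample at PID 2548 starts Edge with a GitHub release URL that ends in .exe and Edge then writes into its own child processes, is what the "Downloads MZ/PE file" and "Suspicious use of WriteProcessMemory" signatures are reacting to, and it is worth being able to derive mechanically from a report like this one. The script below is an added example, not part of this sandbox report and not code from the BandagedBD project: it parses WriteProcessMemory rows in the report's row format, collapses them into a parent/child tree, and flags any process that was handed a URL whose path ends in a PE-like extension. The row text and the command-line dictionary are constructed, abbreviated copies of the tables above (the real table has 64 rows), and the list of PE-like extensions is an assumption for the example.

```python
"""Rebuild the process chain from sandbox "wrote to memory" rows and
flag browser launches that point at a PE download.

Added example, not part of the sandbox report or the BandagedBD
project. Input below is constructed from the report's tables and
abbreviated: repeated rows are cut down, and only the command lines
that matter for the check are kept.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed, abbreviated copy of the WriteProcessMemory table.
# Columns: description, pid, Process, procid_target.
WPM_ROWS = """\
PID 2548 wrote to memory of 3660 2548 BandagedBD_Windows.exe 91
PID 2548 wrote to memory of 3660 2548 BandagedBD_Windows.exe 91
PID 3660 wrote to memory of 4716 3660 msedge.exe 92
PID 3660 wrote to memory of 1868 3660 msedge.exe 93
PID 3660 wrote to memory of 1868 3660 msedge.exe 93
PID 3660 wrote to memory of 4468 3660 msedge.exe 94
PID 3660 wrote to memory of 2136 3660 msedge.exe 95
"""

# Constructed from the process tree: pid -> command line (4716 shortened).
CMDLINES = {
    2548: r'"C:\Users\Admin\AppData\Local\Temp\BandagedBD_Windows.exe"',
    3660: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
          r'--single-argument https://github.com/rauenzi/BBDInstaller/releases/download/v1.0.5/BandagedBD.exe',
    4716: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler',
}

# The pid column repeats the writer's pid, hence the (?P=src) backreference.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# Assumed list of extensions treated as "PE-like" for this example.
PE_SUFFIXES = (".exe", ".dll", ".msi", ".scr", ".cpl")


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_image) per row; one row per
    WriteProcessMemory call, so repeats are kept for counting."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            edges.append((int(m["src"]), int(m["dst"]), m["image"]))
    return edges


def build_tree(edges):
    """Collapse repeated writes into parent -> {child: call_count}.
    In this report each writer is also the creator of the target (see the
    process tree), so the edge set doubles as a parent/child tree."""
    tree = defaultdict(Counter)
    for src, dst, _ in edges:
        tree[src][dst] += 1
    return tree


def roots(tree):
    """Pids that write into others but are never written into themselves."""
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def urls_in(cmdline):
    return re.findall(r"https?://[^\s\"']+", cmdline)


def executable_downloads(cmdlines):
    """(pid, url) for every process handed a URL whose path ends in a
    PE-like extension: a cheap static stand-in for "Downloads MZ/PE file"."""
    hits = []
    for pid, cmd in cmdlines.items():
        for url in urls_in(cmd):
            if urlparse(url).path.lower().endswith(PE_SUFFIXES):
                hits.append((pid, url))
    return hits


def handoff_chain(tree, pid):
    """Path of pids from a root down to `pid`, or None if unreachable.
    Shows that the browser that fetched the .exe was started by the
    sample rather than by the user."""
    def walk(node, path):
        if node == pid:
            return path + [node]
        for child in tree.get(node, {}):
            found = walk(child, path + [node])
            if found:
                return found
        return None

    for root in roots(tree):
        found = walk(root, [])
        if found:
            return found
    return None


if __name__ == "__main__":
    tree = build_tree(parse_wpm_rows(WPM_ROWS))
    for parent, kids in sorted(tree.items()):
        for child, n in sorted(kids.items()):
            print(f"{parent} -> {child}  ({n} write(s))")
    for pid, url in executable_downloads(CMDLINES):
        chain = " -> ".join(map(str, handoff_chain(tree, pid)))
        print(f"pid {pid} was handed a PE URL: {url}\n  launch chain: {chain}")
```

On the full report the same parse yields a single root (2548) and a chain 2548 -> 3660 for the browser that received the .exe URL; what the script cannot tell you is whether the fetched file is what the URL claims, which is why the SHA256 values in the Downloads section still need to be compared against the release you expected.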
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
  MD5: a499254d6b5d91f97eb7a86e5f8ca573
  SHA1: 03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1
  SHA256: fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499
  SHA512: d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c
Filesize: 152B
  MD5: bafce9e4c53a0cb85310891b6b21791b
  SHA1: 5d70027cc137a7cbb38f5801b15fd97b05e89ee2
  SHA256: 71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00
  SHA512: c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c
Filesize: 265B
  MD5: f5cd008cf465804d0e6f39a8d81f9a2d
  SHA1: 6b2907356472ed4a719e5675cc08969f30adc855
  SHA256: fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d
  SHA512: dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d
Filesize: 5KB
  MD5: 8ba3a68d7f166b11372f4196e056ff05
  SHA1: 18b6b29bdd6bf6b5ebefa4657afdee39bae38dcc
  SHA256: ec244a2debd0243e0b0d47cee431f23bca31219599751820273e001325ffa24a
  SHA512: 8735de8438e2c7eae07b6ce52e93ce39853dbfe05322895ff83f32d050d9a279508dc29c8798c4c73ef43a4478fab79518c6b1ad4c757d0ed8702a0867339d3f
Filesize: 6KB
  MD5: 19c1d27de09e213933d9a3df0736b70c
  SHA1: 574a4b27c94eab0842ed3027216bd7697a6f7862
  SHA256: 40ac730a8001ff38f600a94cd279d03e24972dde4a18cdfb04e65674877f11fa
  SHA512: dd757665c9f2e3866d5ed0a0bf1e306daa2b6efbc504d585972d9159764c11722cea8fdc93b22b332f31877f982506380abbe95b007a4498976f771c07a08c80
Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
Filesize: 11KB
  MD5: be65ec35772ed1fb35f228be21e93ee4
  SHA1: b566e70787da8334497e0f4ae56761c51c686b61
  SHA256: eac34a2639e16c760eda9a45bcd040d4ce563cd98cca5eb8f993af10eb85afe0
  SHA512: f4398fa89a13f8271e87ceeca6fa636a858c448eed23dea52eecbd0cf7340b213d55355e29162886757e025ced7ece798856a32d7a34ab48745c2c6bfda1bdd2
Filesize: 112KB
  MD5: 402fbc0999cb0c517678676d31dcc578
  SHA1: 943db51502db80faad6c7eb76cc7094304a4db3b
  SHA256: 3b1a505b23715f16b1a8083f14f07b7bb619d1b42f74b2f5791cf5b02888bfdf
  SHA512: b3793c9ab550103b697bcd75471bffac6d2285a9ee3910ba39ed21ae5160f8e8db57792d35633a5b36387cb131b65048a1db278f2c93d66c1d79d5829d1f6e63