General

  • Target

    _Getintopc.com_Bandicam_7.1.4.2458.rar

  • Size

    30.3MB

  • Sample

    241117-qy6w6a1erp

  • MD5

    500575dbd7bde177a4ddfadbbfdb4de8

  • SHA1

    70cfff956440e9c65229d4073146c7f0e5102812

  • SHA256

    5eb1c7792aa20e5ba1267e9a045956e762826222d942ab4a3059673f125923b4

  • SHA512

    019a39ed637e9cf12d90a6e4699ff121aba3932d6493555905207069b6b1e8fb762c7e1a2d62616cc475cb2f9d2ff19ded3ba52e84275684d1de256b4fce230e

  • SSDEEP

    786432:U16k81vFo7Qt39BiGQdvfK6LfO06tutJOw3Q:m9qqA9yvfK6LlkuWp

Targets

    • Target

      Bandicam_7.1.4.2458/Crack/BC Reset 32-bit.exe

    • Size

      133KB

    • MD5

      0cb81e9844e38d82e96ad5c797981634

    • SHA1

      eeaa433d35112f8ebaf476c6e4f47bf9c957cea4

    • SHA256

      ec14ca80084366c2ca2b34bd717ea2c7cf6a1437f70be3780a396697c709025f

    • SHA512

      5436b46c82f1ed85bcbb2dcd0f150e1b327d00034048508def2c0c748002230706ffc6f6b4beffe9e553fbd3afbc785bca339181c20ef5114c5853a95420340b

    • SSDEEP

      3072:tq6+ouCpk2mpcWJ0r+QNTBfp1F/OHdHZorDa7Rfyg:tldk1cWQRNTBhuHzoXa9f3

    Score: 7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      Bandicam_7.1.4.2458/Crack/BC Reset 64-bit.exe

    • Size

      166KB

    • MD5

      66c058437ec794aba3f851cc7e3cf4fa

    • SHA1

      521bad222e4ba40761aae033ee1aba676e1af474

    • SHA256

      00748d7ea4ccfb6fc6ff59e3fe24c46b862ab3dd9c562ff6b13b5dfb31326bc6

    • SHA512

      e839f645d0be95ecf11dd832982a05f513f481566f764fccf060b1ddd9fdaa2b71c7bec4f99b66bca048b3cf8b921f812c68d45d0ae4d39b26058cb404df49f1

    • SSDEEP

      3072:PV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPIkF/OHdHZorDa7Rfk:Ct5hBPi0BW69hd1MMdxPe9N9uA069TBd

    Score: 7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      Bandicam_7.1.4.2458/Crack/Keygen.exe

    • Size

      69KB

    • MD5

      8a8a0d8aa60c7529753089dfd1d7d8a5

    • SHA1

      a129fca9b5a7cff9a586f6dc7931b79c7f53b373

    • SHA256

      3921c96ee71d9f7271c2d256958bdfc2c1081d9e3d5149f035635e0421253892

    • SHA512

      b6874ed1569e6d9434e5924f2bf80645e878b4b2680d2f5bf30821e15edf149510bee14b0420a218ffb6f4619cdee06154ed72a474d8a8682d814ee7281a81ac

    • SSDEEP

      1536:m6UzoyE5BIKEJRjZa7NdUYDg/JrE1Uw7UI:TU8ycaKEJRdkTNYJrnw7

    Score: 5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Bandicam_7.1.4.2458/Crack/msimg32.dll

    • Size

      12KB

    • MD5

      4b4705640975b0df28adb898ac74811f

    • SHA1

      a1def7e9a9195e652c57711afd8251651f6dd69e

    • SHA256

      523198b4b933f95af21970328e505f28bb7a7331c6193626fbb681cf3bcca65e

    • SHA512

      7f3968daf85dbcd3f49f3488f5b4a01924edb16bb686c070afcc99ae13dde2a01b0b194fedca7dbc0a98a88bf66228b1a52305b0a5b4434234a635c8f369c071

    • SSDEEP

      192:OD7/70NPblKbUDFL00XvBgKBsqTYTTwZYYeyQW3qIW:ODbAblKYDFRvBHBL8feeyQWaIW

    Score: 1/10
    • Target

      Bandicam_7.1.4.2458/bdcamsetup.exe

    • Size

      30.1MB

    • MD5

      19e1756c53cd2366d3d0ac1838c09f53

    • SHA1

      5d637d39e37b71abd130c43c393865da5b6471f4

    • SHA256

      bf76a5b846bb434469560b70a84175361bb276484ba5d45b040a4997f90eba55

    • SHA512

      ce8918a879eee3434eefe76c76a6498a540d4f793611430414232c2db145c151e10a1e58731dc4584a5aff8ba7728b50bb1269ce4df7e7c1660bf895e0bc4b5e

    • SSDEEP

      786432:tmY0YHo15h+TeYB4zK8ZjyhtOJ3HmmTeh+BDr9R8V0PYNr/h4vu:U1J1qTFOu8ZSOJ3NTeQDxRgr/9

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      15KB

    • MD5

      720304c57dcfa17751ed455b3bb9c10a

    • SHA1

      59a1c3a746de10b8875229ff29006f1fd36b1e41

    • SHA256

      6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

    • SHA512

      c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

    • SSDEEP

      384:E1C43tPegZ3eBaRwCPOYY7nNYXC0A/Yosa:E8TgZ3eBTCmrnNAf

    Score: 3/10
    • Target

      $PLUGINSDIR/ShellExecAsUser.dll

    • Size

      43KB

    • MD5

      552cba3c6c9987e01be178e1ee22d36b

    • SHA1

      4c0ab0127453b0b53aeb27e407859bccb229ea1b

    • SHA256

      1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

    • SHA512

      9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

    • SSDEEP

      768:SA49ATJ9ONLkh9J5lDYDzG8yVAf7hiJFkkAqnTEDlV4vihdk:SA4CJ9OFpXf0AfNiTkIMrhdk

    Score: 3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      17ed1c86bd67e78ade4712be48a7d2bd

    • SHA1

      1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    • SHA256

      bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    • SHA512

      0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    • SSDEEP

      192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+

    Score: 3/10
    • Target

      $SYSDIR/D3DCompiler_47.dll

    • Size

      3.5MB

    • MD5

      7375633014ca3bcabf6d337abe399afc

    • SHA1

      bbaf4aa50ffc0d2bd363d5debe56d41121a1fec2

    • SHA256

      80b8f0435b379b18bbfd91f9e62e3797b3e9bf07d77bb8e5201a74f590cba37a

    • SHA512

      d81bfffb7b031f48e08ddf9d3f4862851ed87ce50d149c63eb74fa68d92e336c1da66a5bcceb55f22211c877441570111439d7383597ad6a2cecdbd5b7502990

    • SSDEEP

      49152:VtdNhilBx6wvXmPwJTtLgvUACN5m5fsRu9qLHyPQiC7:VTNUlBUwv5hdAGQfsRu2uk

    Score: 3/10
    • Target

      $SYSDIR/msvcp110.dll

    • Size

      522KB

    • MD5

      3e29914113ec4b968ba5eb1f6d194a0a

    • SHA1

      557b67e372e85eb39989cb53cffd3ef1adabb9fe

    • SHA256

      c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

    • SHA512

      75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

    • SSDEEP

      12288:FqULIc5nb9rywgfyhUgiW6QR7t5sA3Ooc8sHkC2eRxUH:PLHnhryLfBA3Ooc8sHkC2eRxUH

    Score: 3/10
    • Target

      $SYSDIR/msvcr110.dll

    • Size

      854KB

    • MD5

      4ba25d2cbe1587a841dcfb8c8c4a6ea6

    • SHA1

      52693d4b5e0b55a929099b680348c3932f2c3c62

    • SHA256

      b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

    • SHA512

      82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

    • SSDEEP

      12288:TmCyHcMpK7QdgD+9Tr8r3FmJciMgLFWkA8qTWu+FVlofpJCjNdr12iqwZeq:TmCyHNIQdTryVmCipIkqTWu+Fr

    Score: 3/10
    • Target

      $SYSDIR/vcomp140.dll

    • Size

      178KB

    • MD5

      1cd23a0f3daf4210f86ba8eb60b2612b

    • SHA1

      979ab8d98d27fc0c8810822d80a4f1361657f21d

    • SHA256

      dbc67dd65ef7d68bde9147c6244e7aaa8cb275ed6d0ef60301c7e4fbb95a5a42

    • SHA512

      90941648d2cebf4bcd65e54c503a2ced7362fe2b5afa6772b0ecc8ca945d2e43ea14e90a17e64f3eab8ef76ecbb0ea3cc801dbcfeaa8a90ab8b1fe2e081c17c6

    • SSDEEP

      3072:KDGRbh7RozAcuolrdTl2E72uRcQnFCt+DVFf/w62dQ:HoTuIT73CG/SQ

    Score: 3/10
    • Target

      $TEMP/BDMPEG1SETUP.EXE

    • Size

      1.4MB

    • MD5

      461d135a4fccd51bbae38f742e123fd3

    • SHA1

      c12a442fbcd4a9c44102f0a560ba03d59bc501ed

    • SHA256

      4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

    • SHA512

      41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

    • SSDEEP

      24576:KmJpkgDvk80bh06JsAD8JLPHXcovQjy1jR8Qlq7m5xHlwP4mWunSCiwpFHNi:KUM80bO6JsA+jnb9iZK5plDjCTpFU

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      RegVulkanLayer.bat

    • Size

      118B

    • MD5

      b35e7d846a436bf1bc48b53125176f0b

    • SHA1

      6e859c9374441da33fb404bff2041bbb6b068f23

    • SHA256

      8198189537e866909dbeb383bb3ce43fec3351fe85ca8ddc8e9955193054f808

    • SHA512

      00644acf7e72887e4dcc3e29a83362f17fd3f5338d640b0f85407f8ed173f4f3763e2a6e85dca3fdbad2495b90c3aa1761859bdfe539231b250e93ba504a56e2

    Score: 3/10
    • Target

      UnregVulkanLayer.bat

    • Size

      122B

    • MD5

      13e241026906e9c49e8dcc436313dc55

    • SHA1

      3d2c1fdb2e0166f915796569c6e4c04167aba9d3

    • SHA256

      ec319ae952e4ffac8ff5edede7029050d53452a4df9bc026de3375ecfa983a44

    • SHA512

      338fd96cad17b7f73328b9361a9a23da5c184c39a0fb185d772719daa2eb7abc268834fcba5cc2f0d6e6adf1b6364d3f7e59f9b330dba1ce769674cad295b0c7

    Score: 3/10
    • Target

      bdcam.exe

    • Size

      10.7MB

    • MD5

      5b260a4fc628ef1c009ebf22fb13788f

    • SHA1

      9e004b48fa97dd3a39a3a17f224c9776574d0b1c

    • SHA256

      db444d97939b34fbf776998af277663c682d252a57ad20766ec3c21c08ce2992

    • SHA512

      8c5bd3bffa4ec25cc934f1625f9f627068300d71055500ad8e39f709adff577b3d3ad0991c9f17b8a1b8786ec5617da5515741129d690e4031488b02a92a54d6

    • SSDEEP

      196608:wf8k629L9XGPMaYIGMzxniZdvbKbF0JbeUa/xes/o:wf8URXNM/SVa/xA

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      bdcam32.bin

    • Size

      2.1MB

    • MD5

      1ed0bb2eb99690b58f16431d9d7131c7

    • SHA1

      01f4604651f1e21f70da640a0c488364b3962952

    • SHA256

      71fb772141ff4b8fb2a032f338bf35ae8451d9f046bb22e632b58d7fe82b826a

    • SHA512

      69eb5057dab8b47491b261f1c65cfd0b15e687174507c28ca514779cad5d2919b4c422f85decdc05aeb4cf9b8b0a108b57b54f7a47b4ecf39d77bee942671b57

    • SSDEEP

      49152:lf5D+mnZS+AUN99dg2MSLFgILqg4RL4IZgtFrwtG9GDw:lEWDb99dBMSLFBqgWL4IZgtFrwI

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks

Task           Score   Tags
static1        7/10    upx, themida
behavioral1    3/10    discovery
behavioral2    7/10    discovery
behavioral3    3/10
behavioral4    7/10
behavioral5    5/10    discovery, upx
behavioral6    5/10    discovery, upx
behavioral7    1/10
behavioral8    1/10
behavioral9    9/10    discovery, evasion, persistence, privilege_escalation, themida, trojan
behavioral10   9/10    discovery, evasion, persistence, privilege_escalation, themida, trojan
behavioral11   3/10    discovery
behavioral12   3/10    discovery
behavioral13   3/10    discovery
behavioral14   3/10    discovery
behavioral15   3/10    discovery
behavioral16   3/10    discovery
behavioral17   3/10    discovery
behavioral18   3/10    discovery
behavioral19   3/10    discovery
behavioral20   3/10    discovery
behavioral21   3/10    discovery
behavioral22   3/10    discovery
behavioral23   3/10    discovery
behavioral24   5/10    discovery, persistence, privilege_escalation
behavioral25   5/10    discovery, persistence, privilege_escalation
behavioral26   3/10    discovery
behavioral27   3/10    discovery
behavioral28   3/10    discovery
behavioral29   3/10    discovery
behavioral30   9/10    discovery, evasion, themida, trojan
behavioral31   9/10    discovery, evasion, themida, trojan
behavioral32   3/10    discovery