| File name: | BandLabAssistantSetup10.8.3.exe |
| Full analysis: | https://app.any.run/tasks/46610c84-5958-4870-867c-70822acd3a7f |
| Verdict: | Malicious activity |
| Analysis date: | November 19, 2024, 03:33:30 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | D95A964DB5F5EEA0890BFA61CF24ED5C |
| SHA1: | 04127484643E85E09A09E50750451B509386B4FC |
| SHA256: | 04A93CC14A895A5AA8535BFDF07ADDB3A914FA502381D1F3BF6374B7B0D4DC2F |
| SSDEEP: | 786432:EEO+2eBHVl6kasIboItPk96OCFGlhZccRaL3:EEDpz6kasIboIGzNpRs3 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
Process drops legitimate windows executable
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
Drops 7-zip archiver for unpacking
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
Executable content was dropped or overwritten
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
Reads security settings of Internet Explorer
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
The process creates files with name similar to system file names
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
Creates a software uninstall entry
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
Application launched itself
- BandLab Assistant.exe (PID: 7140)
INFO
Checks supported languages
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
- msiexec.exe (PID: 6000)
- BandLab Assistant.exe (PID: 7140)
- BandLab Assistant.exe (PID: 6148)
- BandLab Assistant.exe (PID: 824)
- BandLab Assistant.exe (PID: 6608)
- BandLab Assistant.exe (PID: 3792)
Reads the computer name
- msiexec.exe (PID: 6000)
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
- BandLab Assistant.exe (PID: 7140)
- BandLab Assistant.exe (PID: 6148)
- BandLab Assistant.exe (PID: 3792)
- BandLab Assistant.exe (PID: 824)
Manual execution by a user
- BandLab Assistant.exe (PID: 7140)
Creates files or folders in the user directory
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
- BandLab Assistant.exe (PID: 7140)
- BandLab Assistant.exe (PID: 824)
Reads product name
- BandLab Assistant.exe (PID: 7140)
- BandLab Assistant.exe (PID: 6608)
Create files in a temporary directory
- BandLabAssistantSetup10.8.3.exe (PID: 6996)
- BandLab Assistant.exe (PID: 7140)
Reads Environment values
- BandLab Assistant.exe (PID: 7140)
- BandLab Assistant.exe (PID: 6608)
Checks proxy server information
- BandLab Assistant.exe (PID: 7140)
Process checks computer location settings
- BandLab Assistant.exe (PID: 7140)
- BandLab Assistant.exe (PID: 6608)
Reads the machine GUID from the registry
- BandLab Assistant.exe (PID: 7140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 10.8.3.0 |
| ProductVersionNumber: | 10.8.3.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | BandLab Technologies |
| FileDescription: | BandLab Assistant |
| FileVersion: | 626-f7d03db |
| LegalCopyright: | Copyright © 2024 BandLab Technologies |
| ProductName: | BandLab Assistant |
| ProductVersion: | 10.8.3 |
Total processes
127
Monitored processes
9
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 824 | "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\bandlab-assistant" --field-trial-handle=2160,i,1948185847006405421,16444630911717167186,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:3 | C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe | BandLab Assistant.exe | ||||||||||||
User: admin Company: BandLab Technologies Integrity Level: MEDIUM Description: BandLab Assistant Version: 626-f7d03db Modules
| |||||||||||||||
| 2312 | "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --user-data-dir="C:\Users\admin\AppData\Roaming\bandlab-assistant" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2380,i,1948185847006405421,16444630911717167186,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:8 | C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe | — | BandLab Assistant.exe | |||||||||||
User: admin Company: BandLab Technologies Integrity Level: MEDIUM Description: BandLab Assistant Exit code: 0 Version: 626-f7d03db Modules
| |||||||||||||||
| 3792 | "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\admin\AppData\Roaming\bandlab-assistant" --field-trial-handle=2420,i,1948185847006405421,16444630911717167186,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:8 | C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe | — | BandLab Assistant.exe | |||||||||||
User: admin Company: BandLab Technologies Integrity Level: LOW Description: BandLab Assistant Version: 626-f7d03db Modules
| |||||||||||||||
| 4004 | MsiExec.exe /x{MY_MSI_GUID} /quiet | C:\Windows\SysWOW64\msiexec.exe | — | BandLabAssistantSetup10.8.3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1619 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6000 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6148 | "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\bandlab-assistant" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,1948185847006405421,16444630911717167186,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1776 /prefetch:2 | C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe | — | BandLab Assistant.exe | |||||||||||
User: admin Company: BandLab Technologies Integrity Level: LOW Description: BandLab Assistant Version: 626-f7d03db Modules
| |||||||||||||||
| 6608 | "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\bandlab-assistant" --app-user-model-id=com.electron.bandlab --app-path="C:\Users\admin\AppData\Local\Programs\bandlab-assistant\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2484,i,1948185847006405421,16444630911717167186,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:1 | C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe | — | BandLab Assistant.exe | |||||||||||
User: admin Company: BandLab Technologies Integrity Level: MEDIUM Description: BandLab Assistant Version: 626-f7d03db Modules
| |||||||||||||||
| 6996 | "C:\Users\admin\Desktop\BandLabAssistantSetup10.8.3.exe" | C:\Users\admin\Desktop\BandLabAssistantSetup10.8.3.exe | explorer.exe | ||||||||||||
User: admin Company: BandLab Technologies Integrity Level: MEDIUM Description: BandLab Assistant Exit code: 0 Version: 626-f7d03db Modules
| |||||||||||||||
| 7140 | "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe" | C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe | explorer.exe | ||||||||||||
User: admin Company: BandLab Technologies Integrity Level: MEDIUM Description: BandLab Assistant Version: 626-f7d03db Modules
| |||||||||||||||
Total events
3 118
Read events
3 086
Write events
14
Delete events
18
Modification events
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Programs\bandlab-assistant | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | KeepShortcuts |
Value: true | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | ShortcutName |
Value: BandLab Assistant | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | MenuDirectory |
Value: BandLab Technologies | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | DisplayName |
Value: BandLab Assistant 10.8.3 | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\Uninstall BandLab Assistant.exe" /currentuser | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\bandlab-assistant\Uninstall BandLab Assistant.exe" /currentuser /S | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | DisplayVersion |
Value: 10.8.3 | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\Programs\bandlab-assistant\BandLab Assistant.exe,0 | |||
| (PID) Process: | (6996) BandLabAssistantSetup10.8.3.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9b08bea4-021c-5f9d-a74e-ac0ceb51fb28 |
| Operation: | write | Name: | Publisher |
Value: BandLab Technologies | |||
Executable files
21
Suspicious files
178
Text files
14
Unknown types
9
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\app-64.7z | — | |
MD5:— | SHA256:— | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\7z-out\icudtl.dat | — | |
MD5:— | SHA256:— | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\7z-out\LICENSES.chromium.html | — | |
MD5:— | SHA256:— | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\7z-out\chrome_100_percent.pak | pgc | |
MD5:CB4F128469CD84711ED1C9C02212C7A8 | SHA256:7DD5485DEF22A53C0635EFDF8AE900F147EC8C8A22B9ED71C24668075DD605D3 | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\nsExec.dll | executable | |
MD5:EC0504E6B8A11D5AAD43B296BEEB84B2 | SHA256:5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962 | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\SpiderBanner.dll | executable | |
MD5:17309E33B596BA3A5693B4D3E85CF8D7 | SHA256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93 | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\nsis7z.dll | executable | |
MD5:80E44CE4895304C6A3A831310FBF8CD0 | SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592 | |||
| 6996 | BandLabAssistantSetup10.8.3.exe | C:\Users\admin\AppData\Local\Temp\nsa21C5.tmp\7z-out\LICENSE.electron.txt | text | |
MD5:4D42118D35941E0F664DDDBD83F633C5 | SHA256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
31
DNS requests
24
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6944 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | — | 3.161.82.30:443 | https://static-test.bandlab.com/assistant/BandLab%20Assistant%20Setup%2010.8.4.exe | unknown | — | — | unknown |
— | — | GET | 200 | 18.66.102.28:443 | https://www.bandlab.com/web-icons/v1.0.1/bandlab.css | unknown | text | 7.89 Kb | whitelisted |
— | — | GET | 206 | 3.161.82.81:443 | https://static-test.bandlab.com/assistant/BandLab%20Assistant%20Setup%2010.8.4.exe | unknown | binary | 84.0 Mb | whitelisted |
— | — | POST | 200 | 52.38.247.178:443 | https://api.amplitude.com/ | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
google-analytics.com |
| whitelisted |
www.bandlab.com |
| whitelisted |
www.bing.com |
| whitelisted |
static-test.bandlab.com |
| whitelisted |
api.amplitude.com |
| whitelisted |
accounts.bandlab.com |
| whitelisted |