| File name: | Bitwarden-Installer-2024.1.0.exe |
| Full analysis: | https://app.any.run/tasks/ac9b3eca-98ff-4558-9a8d-a9a90aeb9237 |
| Verdict: | Malicious activity |
| Analysis date: | February 14, 2024, 20:19:57 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 7BC3B13F92C7B772D8D093D1B399EE6E |
| SHA1: | 651C9248016C2A0C828C00D8C965A4D301025570 |
| SHA256: | 5464319E265E28304801EA1CC74800B13E8FF7890C2F44A5DC5E75524693FFBC |
| SSDEEP: | 24576:CBHJRioulZSRF4HyNt85nq2O6vhCmSxbv0kFgQ0Qh1lhUqhZAVH1io32ZV5:CBpRioulZSRF4HyNt85q2O6ZCmSxbv00 |
MALICIOUS
Drops the executable file immediately after the start
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
SUSPICIOUS
Executable content was dropped or overwritten
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Malware-specific behavior (creating "System.dll" in Temp)
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
The process creates files with name similar to system file names
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Application launched itself
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
Reads the Internet Settings
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Reads security settings of Internet Explorer
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Reads settings of System Certificates
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Process drops legitimate windows executable
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Checks Windows Trust Settings
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Drops 7-zip archiver for unpacking
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Creates a software uninstall entry
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
INFO
Checks supported languages
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Reads the computer name
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Create files in a temporary directory
- Bitwarden-Installer-2024.1.0.exe (PID: 2472)
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Checks proxy server information
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Creates files in the program directory
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Reads the machine GUID from the registry
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Reads the software policy settings
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Creates files or folders in the user directory
- Bitwarden-Installer-2024.1.0.exe (PID: 2752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2024.1.0.0 |
| ProductVersionNumber: | 2024.1.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Bitwarden Inc. |
| FileDescription: | A secure and free password manager for all of your devices. |
| FileVersion: | 2024.1.0 |
| LegalCopyright: | Copyright © 2015-2024 Bitwarden Inc. |
| ProductName: | Bitwarden |
| ProductVersion: | 2024.1.0 |
Total processes
41
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2472 | "C:\Users\admin\AppData\Local\Temp\Bitwarden-Installer-2024.1.0.exe" | C:\Users\admin\AppData\Local\Temp\Bitwarden-Installer-2024.1.0.exe | explorer.exe | ||||||||||||
User: admin Company: Bitwarden Inc. Integrity Level: MEDIUM Description: A secure and free password manager for all of your devices. Exit code: 0 Version: 2024.1.0 Modules
| |||||||||||||||
| 2752 | "C:\Users\admin\AppData\Local\Temp\Bitwarden-Installer-2024.1.0.exe" /UAC:12019C /NCRC | C:\Users\admin\AppData\Local\Temp\Bitwarden-Installer-2024.1.0.exe | Bitwarden-Installer-2024.1.0.exe | ||||||||||||
User: admin Company: Bitwarden Inc. Integrity Level: HIGH Description: A secure and free password manager for all of your devices. Exit code: 0 Version: 2024.1.0 Modules
| |||||||||||||||
Total events
10 026
Read events
9 967
Write events
50
Delete events
9
Modification events
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2752) Bitwarden-Installer-2024.1.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
28
Suspicious files
121
Text files
29
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2752 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\bitwarden-2024.1.0-ia32.nsis[1].7z | — | |
MD5:— | SHA256:— | |||
| 2752 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nszBB4.tmp\package.7z | — | |
MD5:— | SHA256:— | |||
| 2752 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nszBB4.tmp\7z-out\icudtl.dat | — | |
MD5:— | SHA256:— | |||
| 2752 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nszBB4.tmp\7z-out\LICENSES.chromium.html | — | |
MD5:— | SHA256:— | |||
| 2472 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nsjF108.tmp\modern-wizard.bmp | image | |
MD5:0073DF1BFECFC543F9457843CC02B4A5 | SHA256:35176DD40612D7542AF49B10E7ED927F25B4AB4A935BB4597909BEED8D1CACF8 | |||
| 2472 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nsjF108.tmp\nsDialogs.dll | executable | |
MD5:466179E1C8EE8A1FF5E4427DBB6C4A01 | SHA256:1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172 | |||
| 2472 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nsjF108.tmp\UAC.dll | executable | |
MD5:ADB29E6B186DAA765DC750128649B63D | SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08 | |||
| 2752 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nszBB4.tmp\UAC.dll | executable | |
MD5:ADB29E6B186DAA765DC750128649B63D | SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08 | |||
| 2472 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nsjF108.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 2472 | Bitwarden-Installer-2024.1.0.exe | C:\Users\admin\AppData\Local\Temp\nsjF108.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2752 | Bitwarden-Installer-2024.1.0.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown |
2752 | Bitwarden-Installer-2024.1.0.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c95f502a893cd837 | unknown | — | — | unknown |
1080 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a414549a770d7263 | unknown | compressed | 65.2 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2752 | Bitwarden-Installer-2024.1.0.exe | 104.18.40.204:443 | artifacts.bitwarden.com | CLOUDFLARENET | — | shared |
2752 | Bitwarden-Installer-2024.1.0.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
2752 | Bitwarden-Installer-2024.1.0.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1080 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
artifacts.bitwarden.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |