File name:	BitDefender.exe
Full analysis:	https://app.any.run/tasks/83028a73-e61b-4ec2-95b4-bbd5be0775e9
Verdict:	Malicious activity
Analysis date:	November 18, 2024, 07:19:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	D3AAE88F576F95DF9157E1FC1EE80726
SHA1:	EEFC47DFE0745CAEC97D11ABA570EEA2ACEB6BEB
SHA256:	809FD0248615F0DB51D7B01307A27D875E12F8D129035E77B3F34EB8EB227562
SSDEEP:	393216:HygBV9LVLGqMN9a+vDSOxwq459AyDXvxsYZ0IQlPc5JcRui7:3V9LMq0a+v6q4LPCVIQlPc5O

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:08:14 19:15:49+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	188416
InitializedDataSize:	265216
UninitializedDataSize:	-
EntryPoint:	0xa6000
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	InstallerLauncher
Value:
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	InstallerLauncher
Value:
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install
Operation:	write	Name:	ShortInstallPath
Value: C:\Program Files\Bitdefender Agent\
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install
Operation:	write	Name:	InstallPath
Value: C:\Program Files\Bitdefender Agent\
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceFolder
Value: C:\ProgramData\Bitdefender Agent
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceLevel
Value: 1
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent
Operation:	write	Name:	traceMode
Value: 0
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Submission\Agent Submission Tool
Operation:	write	Name:	AppPath
Value: C:\Program Files\Bitdefender Agent\27.0.1.259\bdsubwiz.exe
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\Bitdefender Agent\27.0.1.259\bdicon.ico
(PID) Process:	(4476) installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent
Operation:	write	Name:	DisplayName
Value: Bitdefender Agent

PID	Process	Filename		Type
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe		executable
		MD5:854954078FE09F22FCF2B0B0C22239F5	SHA256:46508A899A5593358CDC6FCE29C09B2E9FCE3D483EB45802B26FF68EF52A184A
7100	BitDefender.exe	C:\Users\Public\chall.exe		executable
		MD5:0CA65E5CA88B8B26C3273F455DF15847	SHA256:5CFD1D56585B5CD7EC58E0689953938E17BE6BAE32656CAEB10285DA2C7DB31A
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll		executable
		MD5:EDAC260CC2F94367601FBB0725B98893	SHA256:30D8D141F7AD4409A742CFC0A6D700607069D599CC4DD6E597953C9698B06956
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe		executable
		MD5:5A578F9EDEAA9DDBBE6E05026EC709BC	SHA256:E9C71131FE2A6D2AA7283542F2D0A30FA7B672FD34B134667E4BAFF1CFA6DB3E
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe.md5		text
		MD5:9CD4A3E36F54AC331333E17523FBF774	SHA256:BA5C0034C21EB8A01E431EAB96B5BA0F197A37BC8B5EB3F4A94973046939B4F9
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe		executable
		MD5:52197EE706B8AF5ED2431EED01AA0DB5	SHA256:A72B1882E289D5678931CD91C579810CD16CC30AC0453A77B166CD219402B097
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5		text
		MD5:B7ABBCA1D2EAD41663C4CE3C317A6A46	SHA256:52AAF751B05DC5D3065C5D716118739075BEE31702D9C3D0D5012AFB174BF5B9
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe.md5		text
		MD5:0973E2965F7841151D7A53AB9F598B43	SHA256:22269CB67FB9F78AF1F580BC45326E953D710C17C3A2062CB4C574F188521308
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe		executable
		MD5:F6490A11A2CB2AAEE84021DACF2E2CCF	SHA256:EF640B738BBF96AA374EA8E488F768576EFCE2790CE039FADDA4CCBB0E2F4E3C
7100	BitDefender.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5		text
		MD5:665B937A18FDBBDB74D01B8761119BCD	SHA256:6C6D17CD3866C5850FC713E31EB4C325618642BE2CB3E953D45CFE96483A8D37

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6596	bdredline.exe	GET	403	104.18.168.222:80	http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	34.120.68.241:443	https://nimbus.bitdefender.net/bdnc/config	unknown	binary	237 b	whitelisted
—	—	GET	200	34.120.68.241:443	https://eu.nimbus.bitdefender.net/_ServerStatus	unknown	text	21 b	whitelisted
—	—	GET	200	34.149.211.227:443	https://mclb-gcp.nimbus.bitdefender.net/_ServerStatus	unknown	text	21 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.146:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
www.bing.com	104.126.37.146 104.126.37.137 104.126.37.130 104.126.37.153 104.126.37.145 104.126.37.136 104.126.37.139 104.126.37.128 104.126.37.131	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
upgrade.bitdefender.com	104.18.168.222 104.18.169.222	whitelisted
nimbus.bitdefender.net	34.120.68.241	whitelisted
mclb-gcp.nimbus.bitdefender.net	34.149.211.227	whitelisted
eu.nimbus.bitdefender.net	34.120.68.241	whitelisted
elb-ned-gcp.nimbus.bitdefender.net	34.54.215.149	whitelisted

General Info

BitDefender.exe

D3AAE88F576F95DF9157E1FC1EE80726

EEFC47DFE0745CAEC97D11ABA570EEA2ACEB6BEB

809FD0248615F0DB51D7B01307A27D875E12F8D129035E77B3F34EB8EB227562

393216:HygBV9LVLGqMN9a+vDSOxwq459AyDXvxsYZ0IQlPc5JcRui7:3V9LMq0a+v6q4LPCVIQlPc5O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Antivirus name has been found in the command line (generic signature)

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Executable content was dropped or overwritten

Likely accesses (executes) a file from the Public directory

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executes as Windows Service

Application launched itself

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

The process uses the downloaded file

Reads the machine GUID from the registry

Reads the software policy settings

Application based on Rust

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings