| File name: | bitdefender_avfree.exe |
| Full analysis: | https://app.any.run/tasks/7fd6188f-c3aa-4d0a-83ac-326475a03afe |
| Verdict: | Malicious activity |
| Analysis date: | February 10, 2024, 00:34:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 654DA9AD76A6913A0670A474C0E48138 |
| SHA1: | 9007453AE2D127D7ECE9FFDD5B0EBB4B772CCBB0 |
| SHA256: | B49623AE45E78D24E93BC8092D8DA314BCAAC3226C5A2BB2DC566ADEA8DAF60F |
| SSDEEP: | 98304:SM5IMaLpm1tVRD/1TZHkLSDsusJ87gTGLIF5FWhys1aP1C8Oq3uTmR0FGg1ZiGEW:L+R+FNrfdcEfk2bdO1I0P8Q28uZ |
MALICIOUS
Drops the executable file immediately after the start
- bitdefender_avfree.exe (PID: 3864)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Registers / Runs the DLL via REGSVR32.EXE
- DiscoverySrv.exe (PID: 1740)
Creates a writable file in the system directory
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
SUSPICIOUS
Executable content was dropped or overwritten
- bitdefender_avfree.exe (PID: 3864)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Reads settings of System Certificates
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
Reads the Internet Settings
- bitdefender_avfree.exe (PID: 3864)
- agent_launcher.exe (PID: 1432)
- installer.exe (PID: 2636)
Reads security settings of Internet Explorer
- agent_launcher.exe (PID: 1432)
- bitdefender_avfree.exe (PID: 3864)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
Checks Windows Trust Settings
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
- DiscoverySrv.exe (PID: 1740)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentUI.exe (PID: 1624)
Adds/modifies Windows certificates
- bddeploy.exe (PID: 3932)
The process verifies whether the antivirus software is installed
- ProductAgentService.exe (PID: 3992)
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
- ProductAgentService.exe (PID: 2892)
- ProductAgentService.exe (PID: 956)
- regsvr32.exe (PID: 748)
- DiscoverySrv.exe (PID: 1740)
- ProductAgentService.exe (PID: 968)
- DiscoverySrv.exe (PID: 3068)
- installer.exe (PID: 2636)
- ProductAgentUI.exe (PID: 1624)
Executes as Windows Service
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 3164)
Creates a software uninstall entry
- installer.exe (PID: 2636)
Creates/Modifies COM task schedule object
- regsvr32.exe (PID: 748)
Application launched itself
- ProductAgentService.exe (PID: 3164)
INFO
Create files in a temporary directory
- bitdefender_avfree.exe (PID: 3864)
- setuppackage.exe (PID: 2328)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
Checks supported languages
- bitdefender_avfree.exe (PID: 3864)
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3992)
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 2892)
- ProductAgentService.exe (PID: 956)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 3068)
- DiscoverySrv.exe (PID: 1740)
- ProductAgentService.exe (PID: 968)
- ProductAgentUI.exe (PID: 1624)
Reads the computer name
- bitdefender_avfree.exe (PID: 3864)
- agent_launcher.exe (PID: 1432)
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
- bddeploy.exe (PID: 3932)
- bdredline.exe (PID: 3940)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
- ProductAgentService.exe (PID: 2892)
- ProductAgentService.exe (PID: 956)
- DiscoverySrv.exe (PID: 1740)
- ProductAgentService.exe (PID: 968)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentUI.exe (PID: 1624)
Reads the machine GUID from the registry
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 1740)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentUI.exe (PID: 1624)
Reads the software policy settings
- agent_launcher.exe (PID: 1432)
- bddeploy.exe (PID: 3932)
- installer.exe (PID: 2636)
- DiscoverySrv.exe (PID: 1740)
- ProductAgentService.exe (PID: 3164)
- DiscoverySrv.exe (PID: 3068)
- ProductAgentUI.exe (PID: 1624)
Dropped object may contain TOR URL's
- setuppackage.exe (PID: 2328)
- installer.exe (PID: 2636)
Creates files in the program directory
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 2064)
- ProductAgentService.exe (PID: 3164)
Reads Environment values
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
Reads product name
- installer.exe (PID: 2636)
- ProductAgentService.exe (PID: 3164)
- ProductAgentUI.exe (PID: 1624)
Reads CPU info
- ProductAgentService.exe (PID: 3164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:08:14 19:15:49+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 188416 |
| InitializedDataSize: | 265216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1cab5 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
56
Monitored processes
16
Malicious processes
15
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 748 | regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoveryComp.dll" | C:\Windows\System32\regsvr32.exe | — | DiscoverySrv.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 956 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 968 | "ProductAgentService.exe" login_silent | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 1432 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | — | bitdefender_avfree.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: MEDIUM Description: Bitdefender Agent Launcher Exit code: 0 Version: 27.0.16.279 Modules
| |||||||||||||||
| 1624 | "C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security" | C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe | ProductAgentService.exe | ||||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.264 Modules
| |||||||||||||||
| 1740 | "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe" install | C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: DiscoverySrv Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 2064 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\admin\AppData\Local\Temp\bitdefender_avfree.exe" | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 2328 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | bddeploy.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2636 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe | bddeploy.exe | ||||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Installation File Exit code: 0 Version: 27.0.16.279 Modules
| |||||||||||||||
| 2892 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
Total events
40 380
Read events
40 172
Write events
201
Delete events
7
Modification events
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3864) bitdefender_avfree.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1432) agent_launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3932) bddeploy.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
54
Suspicious files
14
Text files
165
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll | executable | |
MD5:12A33D34EFE5C1196366D9401CB87DB8 | SHA256:61C06FAD9CE99B0E313761DC94AB244C1B196D56195BD037A028D34AE120EBA7 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5 | text | |
MD5:33E2DDE83EA3C901EA0313BB8F5831F4 | SHA256:4FB97B6DC5E0F772BA3D9EAEBBA2ADE2CEA8EE71DC28A2E9528A45D927C6AC87 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe.md5 | text | |
MD5:46300D15F2888E56873E3635A808BF3B | SHA256:A920F077BA2A9715802A3A8D83FFECD7FA1F8025A4459BB8DB1A739E2F712FBC | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe | executable | |
MD5:05EE53AB2BB06F33024E8B094EF3140E | SHA256:B4856CDC5046FCCA636CB0CF747A56F3B78472301950E2AD8CE2259F578DF501 | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.dll | executable | |
MD5:C86511990365AC18CFB527E41A6F7EAC | SHA256:EB247A43D0CFD0662559F1E3A2BB6656A6B7D465C8D404D5A3EA090DAAD78196 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | executable | |
MD5:3E68D3AFFB1D07B291B402B1F8733B52 | SHA256:CCA66104ABC7B29B365F2F5F55579348F0B5645DEAFBD962FC802D18C520E676 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | executable | |
MD5:B685E5F768EF924A6D7B9CE5A836EC02 | SHA256:3E0DC0308691760AD03D144AF28F2818C3E9DB62E7CD4D9E61D2806B13D1A73A | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe.md5 | text | |
MD5:ADF45D21EE156877A30F4680B6A742FA | SHA256:F22A08394A54E58276D9AD87DE2B0AD691C70774771B0E5876E5F8854BB3D594 | |||
| 2328 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.ini | binary | |
MD5:96D15C4F3DB04429631866751A1D2890 | SHA256:E8D31C1DE790F738EF75DAA0402584560A0672402D0D3DED0899D2DBC95FB911 | |||
| 3864 | bitdefender_avfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\deploy.dll.md5 | text | |
MD5:0A02DBB21B6CCE58D3A38597630DB08E | SHA256:C7ABB0FD4F63E7E380CEC72BB4CF4567E3753CD9D18ACC3209DF82CBCB915BAE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
45
DNS requests
34
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3164 | ProductAgentService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | binary | 727 b | unknown |
3940 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | html | 153 b | unknown |
3164 | ProductAgentService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAfUgQ0eGXaK4wv96iKa0QU%3D | unknown | binary | 727 b | unknown |
3164 | ProductAgentService.exe | GET | 304 | 2.19.126.206:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2fa640a8c7eec850 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3940 | bdredline.exe | 104.18.169.222:80 | upgrade.bitdefender.com | CLOUDFLARENET | — | shared |
1236 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
3164 | ProductAgentService.exe | 34.120.68.241:443 | nimbus.bitdefender.net | GOOGLE-CLOUD-PLATFORM | US | unknown |
3164 | ProductAgentService.exe | 34.149.211.227:443 | mclb-gcp.nimbus.bitdefender.net | GOOGLE | US | unknown |
3164 | ProductAgentService.exe | 34.120.67.236:443 | elb-lon-gcp.nimbus.bitdefender.net | GOOGLE-CLOUD-PLATFORM | US | unknown |
3164 | ProductAgentService.exe | 34.117.254.173:443 | elb-nvi-gcp.nimbus.bitdefender.net | GOOGLE-CLOUD-PLATFORM | US | unknown |
3164 | ProductAgentService.exe | 2.19.126.206:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
upgrade.bitdefender.com |
| unknown |
nimbus.bitdefender.net |
| unknown |
mclb-gcp.nimbus.bitdefender.net |
| unknown |
eu.nimbus.bitdefender.net |
| unknown |
elb-lon-gcp.nimbus.bitdefender.net |
| unknown |
elb-nvi-gcp.nimbus.bitdefender.net |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
download.bitdefender.com |
| unknown |