| File name: | bitdefenderfree.exe |
| Full analysis: | https://app.any.run/tasks/7f77f620-eaeb-49b8-8e3a-665e9ffcdbde |
| Verdict: | Malicious activity |
| Analysis date: | December 23, 2024, 12:11:06 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | FD1E2D74EE69D385FFE392DE738A09A8 |
| SHA1: | CFFDC38420D50F6D2672FC5C9C3267F12B8D08B8 |
| SHA256: | BA580F566EFF785F741C99A84877B6E867B8805210C91205B5BCD21A59FA7AEB |
| SSDEEP: | 98304:zM5IMaLpm1tVRD/1TZHk/VY1k57gTGLIF5FWhys1aP1C8Oq3uTmR0FGg1ZiGEOvM:7+R+FhK575rC6yEtewf21PX11yz |
MALICIOUS
Registers / Runs the DLL via REGSVR32.EXE
- DiscoverySrv.exe (PID: 2324)
SUSPICIOUS
Reads security settings of Internet Explorer
- bitdefenderfree.exe (PID: 2672)
- agent_launcher.exe (PID: 3060)
- installer.exe (PID: 644)
- bddeploy.exe (PID: 5244)
Executable content was dropped or overwritten
- bitdefenderfree.exe (PID: 2672)
- setuppackage.exe (PID: 4624)
- installer.exe (PID: 644)
Checks Windows Trust Settings
- agent_launcher.exe (PID: 3060)
- installer.exe (PID: 644)
- DiscoverySrv.exe (PID: 2324)
- DiscoverySrv.exe (PID: 2144)
- bddeploy.exe (PID: 5244)
- WatchDog.exe (PID: 5972)
- ProductAgentUI.exe (PID: 3364)
Creates a software uninstall entry
- installer.exe (PID: 644)
The process verifies whether the antivirus software is installed
- ProductAgentService.exe (PID: 5096)
- ProductAgentService.exe (PID: 5256)
- bdredline.exe (PID: 5556)
- ProductAgentService.exe (PID: 4392)
- ProductAgentService.exe (PID: 6076)
- installer.exe (PID: 644)
- DiscoverySrv.exe (PID: 2324)
- ProductAgentService.exe (PID: 6056)
- ProductAgentService.exe (PID: 3524)
- ProductAgentUI.exe (PID: 3364)
- DiscoverySrv.exe (PID: 2144)
- WatchDog.exe (PID: 5972)
Executes as Windows Service
- bdredline.exe (PID: 5556)
- ProductAgentService.exe (PID: 6056)
Creates/Modifies COM task schedule object
- regsvr32.exe (PID: 1380)
Application launched itself
- ProductAgentService.exe (PID: 6056)
INFO
Reads the computer name
- bitdefenderfree.exe (PID: 2672)
- agent_launcher.exe (PID: 3060)
- setuppackage.exe (PID: 4624)
- installer.exe (PID: 644)
- ProductAgentService.exe (PID: 4392)
- ProductAgentService.exe (PID: 5256)
- bdredline.exe (PID: 5556)
- ProductAgentService.exe (PID: 6076)
- ProductAgentService.exe (PID: 6056)
- DiscoverySrv.exe (PID: 2144)
- WatchDog.exe (PID: 5972)
The sample compiled with english language support
- bitdefenderfree.exe (PID: 2672)
- setuppackage.exe (PID: 4624)
- installer.exe (PID: 644)
Reads the software policy settings
- bddeploy.exe (PID: 5244)
- agent_launcher.exe (PID: 3060)
- installer.exe (PID: 644)
- DiscoverySrv.exe (PID: 2324)
- DiscoverySrv.exe (PID: 2144)
- ProductAgentService.exe (PID: 6056)
Checks supported languages
- setuppackage.exe (PID: 4624)
- bitdefenderfree.exe (PID: 2672)
- installer.exe (PID: 644)
- ProductAgentService.exe (PID: 5096)
- ProductAgentService.exe (PID: 6076)
- bdredline.exe (PID: 5556)
- ProductAgentService.exe (PID: 4392)
- ProductAgentService.exe (PID: 5256)
- ProductAgentService.exe (PID: 6056)
- DiscoverySrv.exe (PID: 2324)
- bddeploy.exe (PID: 5244)
- agent_launcher.exe (PID: 3060)
- ProductAgentService.exe (PID: 3524)
- ProductAgentUI.exe (PID: 3364)
Process checks computer location settings
- bitdefenderfree.exe (PID: 2672)
- agent_launcher.exe (PID: 3060)
The process uses the downloaded file
- bitdefenderfree.exe (PID: 2672)
- installer.exe (PID: 644)
Reads the machine GUID from the registry
- agent_launcher.exe (PID: 3060)
- installer.exe (PID: 644)
- DiscoverySrv.exe (PID: 2324)
- DiscoverySrv.exe (PID: 2144)
- bddeploy.exe (PID: 5244)
- ProductAgentService.exe (PID: 6056)
- ProductAgentUI.exe (PID: 3364)
- WatchDog.exe (PID: 5972)
Create files in a temporary directory
- setuppackage.exe (PID: 4624)
Creates files in the program directory
- installer.exe (PID: 644)
- ProductAgentService.exe (PID: 6056)
Application based on Rust
- bdredline.exe (PID: 5556)
Reads CPU info
- ProductAgentService.exe (PID: 6056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:08:14 19:15:49+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 188416 |
| InitializedDataSize: | 265216 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1cab5 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
139
Monitored processes
17
Malicious processes
13
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 644 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\installer.exe | bddeploy.exe | ||||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Installation File Exit code: 0 Version: 27.0.16.279 Modules
| |||||||||||||||
| 1380 | regsvr32 /s "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoveryComp.dll" | C:\Windows\SysWOW64\regsvr32.exe | — | DiscoverySrv.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2144 | "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe" | C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: DiscoverySrv Version: 27.0.1.263 Modules
| |||||||||||||||
| 2324 | "C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe" install | C:\Program Files\Bitdefender Agent\27.0.1.266\DiscoverySrv.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: DiscoverySrv Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 2672 | "C:\Users\admin\Desktop\bitdefenderfree.exe" | C:\Users\admin\Desktop\bitdefenderfree.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3060 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | — | bitdefenderfree.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: MEDIUM Description: Bitdefender Agent Launcher Exit code: 0 Version: 27.0.16.279 Modules
| |||||||||||||||
| 3364 | "C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2 app_name="Bitdefender Security" | C:\Program Files\Bitdefender Agent\27.0.1.266\ProductAgentUI.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Version: 27.0.1.264 Modules
| |||||||||||||||
| 3524 | "ProductAgentService.exe" login_silent | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | ProductAgentService.exe | |||||||||||
User: SYSTEM Company: Bitdefender Integrity Level: SYSTEM Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 4392 | "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable | C:\Program Files\Bitdefender Agent\ProductAgentService.exe | — | installer.exe | |||||||||||
User: admin Company: Bitdefender Integrity Level: HIGH Description: Bitdefender Agent Exit code: 0 Version: 27.0.1.263 Modules
| |||||||||||||||
| 4624 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe | bddeploy.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
32 495
Read events
32 409
Write events
81
Delete events
5
Modification events
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | InstallerLauncher |
Value: | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | InstallerLauncher |
Value: | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install |
| Operation: | write | Name: | ShortInstallPath |
Value: C:\Program Files\Bitdefender Agent\ | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Install |
| Operation: | write | Name: | InstallPath |
Value: C:\Program Files\Bitdefender Agent\ | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceFolder |
Value: C:\ProgramData\Bitdefender Agent | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceLevel |
Value: 1 | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender Agent |
| Operation: | write | Name: | traceMode |
Value: 0 | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitdefender Agent\Submission\Agent Submission Tool |
| Operation: | write | Name: | AppPath |
Value: C:\Program Files\Bitdefender Agent\27.0.1.266\bdsubwiz.exe | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Bitdefender Agent\27.0.1.266\bdicon.ico | |||
| (PID) Process: | (644) installer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender Agent |
| Operation: | write | Name: | DisplayName |
Value: Bitdefender Agent | |||
Executable files
54
Suspicious files
25
Text files
161
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2672 | bitdefenderfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe | executable | |
MD5:3E68D3AFFB1D07B291B402B1F8733B52 | SHA256:CCA66104ABC7B29B365F2F5F55579348F0B5645DEAFBD962FC802D18C520E676 | |||
| 2672 | bitdefenderfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\bddeploy.exe.md5 | text | |
MD5:ADF45D21EE156877A30F4680B6A742FA | SHA256:F22A08394A54E58276D9AD87DE2B0AD691C70774771B0E5876E5F8854BB3D594 | |||
| 4624 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.ini | binary | |
MD5:96D15C4F3DB04429631866751A1D2890 | SHA256:E8D31C1DE790F738EF75DAA0402584560A0672402D0D3DED0899D2DBC95FB911 | |||
| 2672 | bitdefenderfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe | executable | |
MD5:7CD9464AE3A1BBE3C155F0353E5F681F | SHA256:16BEFF6D89DD76A4F22130F5E7B9D7A30CA0CB63893CB6591943BD8E6D3D7F72 | |||
| 4624 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\additional.dll | executable | |
MD5:CD10F317D54A8BA35E5CE85BA3B60220 | SHA256:EE05132599596B99F595B0ECF7783E7E119D5D03519B12FE9F3DBF5DEEF6FAB4 | |||
| 5244 | bddeploy.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\data\params.json | binary | |
MD5:11C00C95ED8F6CD596B3F897DC50C674 | SHA256:C1DAEE4DAA61DC1D984967A812D76BE7744BF4D48ED1A1CA0BD5BF4D369F6A59 | |||
| 2672 | bitdefenderfree.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\agentpackage.exe.md5 | text | |
MD5:2AF0F1B3DD50CB94EFB978061C10A211 | SHA256:8381983DE4108CD0A54000B11F85F9128B46B82645C4117D864E32D728C87900 | |||
| 4624 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdec.dll | executable | |
MD5:E2A0334684B05BF05A953B80A4832D20 | SHA256:7DEDB34158F800166567887C7A007A85ECA0BE379D20D51DA3230F66C6B094C0 | |||
| 4624 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.dll | executable | |
MD5:C86511990365AC18CFB527E41A6F7EAC | SHA256:EB247A43D0CFD0662559F1E3A2BB6656A6B7D465C8D404D5A3EA090DAAD78196 | |||
| 4624 | setuppackage.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\packages\bdnc.ini.md5 | text | |
MD5:3A0A7D7823833BE6E8AF5AB1AF295139 | SHA256:A5F15BA3B16384B584780F2BBB0EF3E7FD49CCABD0B9CA10437882F65F49C7F2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
49
DNS requests
31
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3040 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3040 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5556 | bdredline.exe | GET | 404 | 104.18.169.222:80 | http://upgrade.bitdefender.com/redline_com.bitdefender.agent/versions.id | unknown | — | — | whitelisted |
— | — | GET | — | 34.54.215.149:443 | https://elb-ned-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | — | — | — |
— | — | GET | — | 34.117.254.173:443 | https://elb-nvi-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | — | — | — |
— | — | GET | — | 34.120.68.241:443 | https://eu.nimbus.bitdefender.net/_ServerStatus | unknown | — | — | — |
— | — | GET | — | 34.120.68.241:443 | https://eu.nimbus.bitdefender.net/_ServerStatus | unknown | — | — | — |
— | — | GET | — | 34.149.211.227:443 | https://mclb-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | — | — | — |
— | — | GET | — | 34.54.215.149:443 | https://elb-ned-gcp.nimbus.bitdefender.net/_ServerStatus | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3040 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.137:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3040 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3040 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
upgrade.bitdefender.com |
| whitelisted |
nimbus.bitdefender.net |
| whitelisted |
mclb-gcp.nimbus.bitdefender.net |
| whitelisted |
eu.nimbus.bitdefender.net |
| whitelisted |
elb-ned-gcp.nimbus.bitdefender.net |
| whitelisted |