| File name: | POS Printer Driver V8.11.230113.3.exe |
| Full analysis: | https://app.any.run/tasks/c71b6c6a-5bc0-496c-9359-80a12e10741e |
| Verdict: | Malicious activity |
| Analysis date: | October 18, 2023, 11:35:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 9A529046F6DD011FA4ACD55BBED760E9 |
| SHA1: | 935EB8770A2305E6007C2773D9E779C83361CB00 |
| SHA256: | 85C2C28AF7B0D4C881CA49E83B887816998C98255F4DF8B7A85E83DBD9826440 |
| SSDEEP: | 98304:Ut9nQL0skPOfNWG4Uq3U2EtQ5aScce/Unba+O+CB3jD9SxPKOgv5fiNyMPBnq3x1:9VS/RUAm |
MALICIOUS
Drops the executable file immediately after the start
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
SUSPICIOUS
Process drops legitimate windows executable
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 4064)
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
Creates files in the program directory
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
Checks supported languages
- wmpnscfg.exe (PID: 4064)
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 4064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (17.3) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (4.1) |
| .exe | | | Win32 Executable (generic) (2.8) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:12:13 03:05:28+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 1710080 |
| InitializedDataSize: | 2063872 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16c20b |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.11.221.213 |
| ProductVersionNumber: | 8.11.0.60 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Pre-release, Patched, Private build, Special build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | Unicode |
| CompanyName: | 2022 (C) Copyright |
| FileDescription: | POS Printer Driver Setup |
| FileVersion: | 8.11.221.213 |
| InternalName: | POSPrinterDriverSetup.exe |
| LegalCopyright: | 2022 (C) Copyright |
| OriginalFileName: | POSPrinterDriverSetup.exe |
| ProductName: | POSPrinterDriverSetup |
| ProductVersion: | 8.11.0.60 |
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | "C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe" | C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe | explorer.exe | ||||||||||||
User: admin Company: 2022 (C) Copyright Integrity Level: HIGH Description: POS Printer Driver Setup Exit code: 0 Version: 8.11.221.213 Modules
| |||||||||||||||
| 1536 | "C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe" | C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe | — | explorer.exe | |||||||||||
User: admin Company: 2022 (C) Copyright Integrity Level: MEDIUM Description: POS Printer Driver Setup Exit code: 3221226540 Version: 8.11.221.213 Modules
| |||||||||||||||
| 4064 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
183
Read events
180
Write events
0
Delete events
3
Modification events
| (PID) Process: | (4064) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A678A1FB-CE2D-456E-97F0-333A9FB51765}\{C01382C4-86B3-429C-A0C7-C814DA5DE7AC} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4064) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A678A1FB-CE2D-456E-97F0-333A9FB51765} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4064) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{54443769-F5BA-4669-B57D-D431FC29AA68} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
33
Suspicious files
8
Text files
27
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P76.dll | executable | |
MD5:31C466F9C7CF5A20574C21D1C637CFBC | SHA256:BAB46D640BF7A147EF90FFADCF1E106F9689DDB22CB0085332F51D57386DEFA6 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\Receipt.ini | text | |
MD5:66E1D1E2555F7ABC1BCF07177779B726 | SHA256:7AC287E5DA736BE66275781AB78D5F9CB6BB1AA76FD0C9B34422976A5A2463FA | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\POSPrinterDriver_x64.inf | binary | |
MD5:1E487D756A297613DCFAAB04BA148B39 | SHA256:679B86FBD389624BE1A49A1518D1958C654FA6CC19EAAFA1EB427278BCB59EE3 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\ReceiptDrv.dll | executable | |
MD5:03A85A2E0314226452B9BE283759AFDD | SHA256:6087D7B3FCBBB7051F3693972BAEDA51459B9EC798462CABF1D3C8A2B5FDB70B | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\ReceiptUI.dll | executable | |
MD5:B9B2CCC3A4CA52F5933888A6019EA567 | SHA256:815FB003230D4EB80E71DB5C51FAA74D2EA45A92C80FFEC3A7A0B87585471886 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P58C.GPD | text | |
MD5:31174C73B3E587B193273BBB78AE190E | SHA256:A36A6811103E833E9F5DC4A41A50BC9762C43F85E0235073DD402A3DF4A07FD4 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P58.GPD | text | |
MD5:26BBDCDF2973320EF08C3696815B7813 | SHA256:D8BB6ABE4760C3ACC40E409FC890CEF706781A3CED5A0A3D7C86B981B1873954 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P76C.GPD | text | |
MD5:DA090B0EBE8CEC77E50E56CAFE2F7D2D | SHA256:CE03D5157933D0E15730D8FA6CF1875B042C38E0C098FE8878164B693D20A11B | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P76.GPD | text | |
MD5:1D4F68057F5DBDB9197EC28BFEA5FA7E | SHA256:453BEB779B5C2DAAF1A4789B89D339896AE859B4E00C793E3AF649837C3A0AD2 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64.zip | compressed | |
MD5:1B0BD62A5AF2D9D599A17368998A8037 | SHA256:96CCA0529193B015493CF5A29A20755CFC708FA6D419EF17D3E060FAB9AC58BB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |