| File name: | POS Printer Driver V8.11.230113.3.exe |
| Full analysis: | https://app.any.run/tasks/c71b6c6a-5bc0-496c-9359-80a12e10741e |
| Verdict: | Malicious activity |
| Analysis date: | October 18, 2023, 11:35:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 9A529046F6DD011FA4ACD55BBED760E9 |
| SHA1: | 935EB8770A2305E6007C2773D9E779C83361CB00 |
| SHA256: | 85C2C28AF7B0D4C881CA49E83B887816998C98255F4DF8B7A85E83DBD9826440 |
| SSDEEP: | 98304:Ut9nQL0skPOfNWG4Uq3U2EtQ5aScce/Unba+O+CB3jD9SxPKOgv5fiNyMPBnq3x1:9VS/RUAm |
MALICIOUS
Drops the executable file immediately after the start
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
SUSPICIOUS
Process drops legitimate windows executable
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 4064)
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 4064)
Checks supported languages
- wmpnscfg.exe (PID: 4064)
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
Creates files in the program directory
- POS Printer Driver V8.11.230113.3.exe (PID: 664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (17.3) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (4.1) |
| .exe | | | Win32 Executable (generic) (2.8) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:12:13 03:05:28+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 1710080 |
| InitializedDataSize: | 2063872 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16c20b |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.11.221.213 |
| ProductVersionNumber: | 8.11.0.60 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Pre-release, Patched, Private build, Special build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | Unicode |
| CompanyName: | 2022 (C) Copyright |
| FileDescription: | POS Printer Driver Setup |
| FileVersion: | 8.11.221.213 |
| InternalName: | POSPrinterDriverSetup.exe |
| LegalCopyright: | 2022 (C) Copyright |
| OriginalFileName: | POSPrinterDriverSetup.exe |
| ProductName: | POSPrinterDriverSetup |
| ProductVersion: | 8.11.0.60 |
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | "C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe" | C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe | explorer.exe | ||||||||||||
User: admin Company: 2022 (C) Copyright Integrity Level: HIGH Description: POS Printer Driver Setup Exit code: 0 Version: 8.11.221.213 Modules
| |||||||||||||||
| 1536 | "C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe" | C:\Users\admin\AppData\Local\Temp\POS Printer Driver V8.11.230113.3.exe | — | explorer.exe | |||||||||||
User: admin Company: 2022 (C) Copyright Integrity Level: MEDIUM Description: POS Printer Driver Setup Exit code: 3221226540 Version: 8.11.221.213 Modules
| |||||||||||||||
| 4064 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
183
Read events
180
Write events
0
Delete events
3
Modification events
| (PID) Process: | (4064) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A678A1FB-CE2D-456E-97F0-333A9FB51765}\{C01382C4-86B3-429C-A0C7-C814DA5DE7AC} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4064) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A678A1FB-CE2D-456E-97F0-333A9FB51765} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4064) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{54443769-F5BA-4669-B57D-D431FC29AA68} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
33
Suspicious files
8
Text files
27
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P58.dll | executable | |
MD5:B573A1C4C5207F95AF2BD4D5EDF0B6B0 | SHA256:D141CC0C8D700E2C20B4A4D029AD84C50E328B5DC48F8872C2F4F798EBCE28E7 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\POSPrinterDriver_x64.inf | binary | |
MD5:1E487D756A297613DCFAAB04BA148B39 | SHA256:679B86FBD389624BE1A49A1518D1958C654FA6CC19EAAFA1EB427278BCB59EE3 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P58.GPD | text | |
MD5:26BBDCDF2973320EF08C3696815B7813 | SHA256:D8BB6ABE4760C3ACC40E409FC890CEF706781A3CED5A0A3D7C86B981B1873954 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P58C.GPD | text | |
MD5:31174C73B3E587B193273BBB78AE190E | SHA256:A36A6811103E833E9F5DC4A41A50BC9762C43F85E0235073DD402A3DF4A07FD4 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\UNIDRV.DLL | executable | |
MD5:4A333819EC523DDCA91ADA29D79D0EA0 | SHA256:467F5C0877C3EF588297A0E048FA8B78C4BFDEC06344E1920C2F8AE9D6A91468 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\Receipt.ini | text | |
MD5:66E1D1E2555F7ABC1BCF07177779B726 | SHA256:7AC287E5DA736BE66275781AB78D5F9CB6BB1AA76FD0C9B34422976A5A2463FA | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P80C.GPD | text | |
MD5:7EE8A606E564197916FD040D1FEF4DF8 | SHA256:30E1FD8F257872ED7BE4EE0B13FF793E6B190CED022BE8DC3B2CBFE8B5FBA814 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P80.dll | executable | |
MD5:F91FF5E7B6EE4FA915B16C6E138CDA52 | SHA256:B32FBD1B9AC072D0759AC25B6CC1E3B93666DF08A55729DB0D134848C6963B3F | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P76.dll | executable | |
MD5:31C466F9C7CF5A20574C21D1C637CFBC | SHA256:BAB46D640BF7A147EF90FFADCF1E106F9689DDB22CB0085332F51D57386DEFA6 | |||
| 664 | POS Printer Driver V8.11.230113.3.exe | C:\Program Files (x86)\POS Printer Driver V8.11\Windows ARM64\RES\P80.GPD | text | |
MD5:93A708D07D0EC267FF7275D9A3EC1771 | SHA256:E6A3400D48253B30E5A9EB1C27BF18A4EA0E6143D34A8E60874B5D939FE8C88C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |