File name:

poster.exe

Full analysis: https://app.any.run/tasks/1470e146-3cad-4f02-8d68-42db0d5b2245
Verdict: Malicious activity
Analysis date: September 07, 2024, 09:49:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
antivm
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
MD5:

CA294344E2ED57FDCFFE74F55DFBD561

SHA1:

429AC6F65C7485E735516D0FC1BA8256500B107B

SHA256:

AEE600A3027F29D197676D9B868CF08907BF9961E1582E7435619E4330CB91C9

SSDEEP:

24576:sz5eb8C6PCNwJS67BDoVyE6jf0qeaWyUCTQi:sz5eb8C6PCNwJS6VEVyE6jf0qeaWyUC9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • UAC/LUA settings modification

      • poster.exe (PID: 4876)
    • Adds path to the Windows Defender exclusion list

      • poster.exe (PID: 4876)
    • Disables Windows Defender

      • poster.exe (PID: 4876)
    • Changes the autorun value in the registry

      • poster.exe (PID: 4876)
    • Disables the LogOff the Start menu

      • poster.exe (PID: 4876)
    • Changes image file execution options

      • poster.exe (PID: 4876)
    • Disables the Find the Start menu

      • poster.exe (PID: 4876)
    • Disables the Shutdown in the Start menu

      • poster.exe (PID: 4876)
    • Disables the Run the Start menu

      • poster.exe (PID: 4876)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • poster.exe (PID: 4876)
    • Script adds exclusion path to Windows Defender

      • poster.exe (PID: 4876)
    • Starts CMD.EXE for commands execution

      • poster.exe (PID: 4876)
    • Starts POWERSHELL.EXE for commands execution

      • poster.exe (PID: 4876)
    • There is functionality for VM detection (VMWare)

      • poster.exe (PID: 4876)
    • There is functionality for VM detection (VirtualBox)

      • poster.exe (PID: 4876)
  • INFO

    • Checks supported languages

      • poster.exe (PID: 4876)
    • Reads the computer name

      • poster.exe (PID: 4876)
    • The process uses the downloaded file

      • poster.exe (PID: 4876)
    • Process checks computer location settings

      • poster.exe (PID: 4876)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6472)
    • Create files in a temporary directory

      • poster.exe (PID: 4876)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, No debug, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1172992
InitializedDataSize: 184832
UninitializedDataSize: -
EntryPoint: 0x1933b2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
130
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in the graph (from the behavior graph):

  • poster.exe (THREAT)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • searchapp.exe (no specs)
  • poster.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4876
CMD: "C:\Users\admin\Desktop\poster.exe"
Path: C:\Users\admin\Desktop\poster.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\poster.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5556
CMD: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\admin\Desktop\poster.exe" /rl HIGHEST /f
Path: C:\Windows\System32\cmd.exe
Parent process: poster.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 6472
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop\poster.exe'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: poster.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6808
CMD: "C:\Users\admin\Desktop\poster.exe"
Path: C:\Users\admin\Desktop\poster.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\poster.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6920
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
2147945463
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
Total events
5 814
Read events
5 780
Write events
34
Delete events
0

Modification events

Process: (PID 4876) poster.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write
Name: DisableCMD
Value: 2

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: write
Name: DisableAntiSpyware
Value: 1

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Qwe
Value: C:\Users\admin\Desktop\poster.exe

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\Desktop\poster.exe

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\Desktop\poster.exe

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\Desktop\poster.exe

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\Desktop\poster.exe

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\Desktop\poster.exe

Process: (PID 4876) poster.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
Operation: write
Name: Debugger
Value: "cmd.exe","C:\Users\admin\Desktop\poster.exe"
Executable files
0
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 9DD84E182D6BF2E477796C2C8A896D85
SHA256: EAB12BA4EF027852FAB65495C1C4C356090037AD88D027CF91F8C6DD9A9D6C31

PID: 6472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uhy23gk2.1bt.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4876
Process: poster.exe
Filename: C:\Users\admin\AppData\Local\Temp\Time.ini
Type: text
MD5: EB13B7EAF7F30D348E471F0907B31AAC
SHA256: 94BA214735774FB4E68BE906C3E181D29C71DBBCD10540E70BA7021FCF5EA3AA

PID: 6472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qutkxknb.dmw.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4876
Process: poster.exe
Filename: C:\Users\admin\AppData\Local\Temp\Time2.ini
Type: text
MD5: 1538CFDFDBBEE4B174DF682033D1E968
SHA256: F746F66F8D3FC0AEB847432448E5B2CC98BBCCA633A34ADA0D1B306C51DDEA89
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6052
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6052
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6456
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6052
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6456
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info