Analysis
max time kernel
103s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted
09/04/2025, 15:00
Behavioral task
behavioral1
Sample
Receipt.exe
Resource
win10v2004-20250314-en
7 signatures
150 seconds
General
Target
Receipt.exe
Size
765KB
MD5
e2dfee8df8311299ec4805ef1b084f49
SHA1
6e84ecf4be3aaab02fe4e5de8fa7c512d17d6cda
SHA256
69e51ff6376359583cb16f9c90a2be5a26de5a0c5e398c5b670fec24223500a3
SHA512
c0cb22513886487a00adee419d4ed2b435a52aae26959e34905d7e83d0318acf18597fba663110be4b22c1a377746f5603075c154fb77c4342a2fb78f971b04a
SSDEEP
12288:Qkb2oWZCaxfeb9uWwLV46A9jmP/uhu/yMS08CkntxYRmBL:sCa1QuWwLufmP/UDMS08Ckn3r
Score
7/10
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description          ioc                                                                                                  Process
Key value queried    \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation    cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Receipt.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mspaint.exe

Modifies registry class (1 IoC)
description   ioc                                                                                      Process
Key created   \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings    cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid     Process
2408    mspaint.exe
2408    mspaint.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid     Process
4640    Receipt.exe
4640    Receipt.exe
4640    Receipt.exe
2408    mspaint.exe
2408    mspaint.exe
2408    mspaint.exe
2408    mspaint.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid     Process       procid_target
PID 4640 wrote to memory of 5644   4640    Receipt.exe   89
PID 4640 wrote to memory of 5644   4640    Receipt.exe   89
PID 4640 wrote to memory of 5644   4640    Receipt.exe   89
PID 5644 wrote to memory of 2408   5644    cmd.exe       91
PID 5644 wrote to memory of 2408   5644    cmd.exe       91
PID 5644 wrote to memory of 2408   5644    cmd.exe       91
Each target here is the writer's own direct child in the process tree (Receipt.exe spawns cmd.exe, which spawns mspaint.exe); no write lands in an unrelated process. That is the parent-into-new-child pattern that ordinary process creation produces, not evidence of injection into a foreign process on its own.
Processes
Receipt.exe (PID 4640), depth 1
  Image: C:\Users\Admin\AppData\Local\Temp\Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  cmd.exe (PID 5644), depth 2, child of Receipt.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    mspaint.exe (PID 2408), depth 3, child of cmd.exe
      Image: C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

svchost.exe (PID 4868), depth 1
  Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

Reading the chain: cmd.exe /c on a .bmp path does not execute the file, it hands it to the file type's registered handler, which is why mspaint.exe appears as the grandchild opening NewBitmapImage.bmp. The SysWOW64 image paths for cmd.exe and mspaint.exe show the chain runs as 32-bit processes under WOW64 (the command line names system32, but file system redirection resolves it to SysWOW64). The svchost.exe instance hosting DeviceAssociationService is a separate top-level entry in the tree and carries no signatures.
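The signatures and process tree above are flat event rows, and the two things a reviewer actually wants from them are the spawn chain and a judgement on whether the WriteProcessMemory hits mean injection. The Python below is an added example, not part of the sandbox report or its tooling: it rebuilds the tree from the Processes section, collapses the repeated WriteProcessMemory rows into one writer-to-target pair each and labels each pair as a write into the writer's own child or a cross-process write, and flags the registry reads under Geo\Nation and NLS\Language that back the two location-discovery signatures. PIDs, image names and registry paths are transcribed from this report; the record layouts, label strings and the own-child versus cross-process heuristic are assumptions of the example, not the sandbox's own logic.

```python
"""Triage helpers for flat sandbox IoC rows (added example, not report code).

The constants below are transcribed from the report above; the field
layouts and labels are this example's own choices.
"""
from collections import Counter, defaultdict

# From the "Processes" tree: (pid, parent pid or None for a top-level entry, image).
# Parentage follows the tree nesting (depth 1 -> 2 -> 3).
PROCESSES = [
    (4640, None, "Receipt.exe"),
    (5644, 4640, "cmd.exe"),
    (2408, 5644, "mspaint.exe"),
    (4868, None, "svchost.exe"),
]

# From "Suspicious use of WriteProcessMemory": (writer pid, target pid).
# The sandbox emits one row per write call, hence the repeats.
WRITE_EVENTS = [
    (4640, 5644), (4640, 5644), (4640, 5644),
    (5644, 2408), (5644, 2408), (5644, 2408),
]

# From the registry IoC tables: (pid, image, operation, key path).
REGISTRY_EVENTS = [
    (5644, "cmd.exe", "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation"),
    (4640, "Receipt.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (5644, "cmd.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (2408, "mspaint.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (5644, "cmd.exe", "Key created",
     r"\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings"),
]

# Key suffixes behind the two location-discovery signatures (labels are ours).
# Suffix matching keeps the check independent of the user SID and ControlSet number.
LOCATION_KEY_SUFFIXES = {
    r"\Control Panel\International\Geo\Nation": "geofence check (Geo\\Nation country code)",
    r"\Control\NLS\Language": "system language lookup (NLS\\Language)",
}


def parent_map(processes):
    return {pid: ppid for pid, ppid, _ in processes}


def image_map(processes):
    return {pid: image for pid, _, image in processes}


def classify_writes(write_events, processes):
    """Collapse duplicate WriteProcessMemory rows and label each writer->target pair.

    A write into a process the writer itself spawned is what a parent produces
    when it creates a child; a write into any other process is the cross-process
    pattern worth chasing as possible injection."""
    parents = parent_map(processes)
    images = image_map(processes)
    counts = Counter(write_events)
    result = []
    for (writer, target), n in sorted(counts.items()):
        kind = "own child" if parents.get(target) == writer else "cross-process"
        result.append({
            "writer": writer, "writer_image": images.get(writer, "?"),
            "target": target, "target_image": images.get(target, "?"),
            "writes": n, "kind": kind,
        })
    return result


def location_discovery(registry_events):
    """Return one hit per registry access whose key ends with a location/language suffix."""
    hits = []
    for pid, image, op, key in registry_events:
        for suffix, label in LOCATION_KEY_SUFFIXES.items():
            if key.endswith(suffix):
                hits.append({"pid": pid, "image": image, "op": op, "label": label})
    return hits


def render_tree(processes):
    """Indented spawn chain, top-level entries in report order."""
    children = defaultdict(list)
    roots = []
    images = image_map(processes)
    for pid, ppid, _ in processes:
        (roots if ppid is None else children[ppid]).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for w in classify_writes(WRITE_EVENTS, PROCESSES):
        print(f"{w['writer_image']} ({w['writer']}) -> {w['target_image']} ({w['target']}): "
              f"{w['writes']} writes, {w['kind']}")
    for h in location_discovery(REGISTRY_EVENTS):
        print(f"{h['image']} ({h['pid']}): {h['op']} -> {h['label']}")
```

On this report both collapsed pairs come out as "own child" and the only Geo\Nation read is cmd.exe's, so the geofence signature is attributable to the cmd.exe stage rather than to Receipt.exe directly. Feed the same functions rows from a report where a writer's target is not its child and the classifier surfaces the cross-process case.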