Malware Analysis Report

2024-10-16 06:34

Sample ID 240609-s2y2tscf98
Target RegFuck.exe
SHA256 5ed108674b29709483871f48c307a11739c0c5bfe834770e348a5ce939e89032
Tags
discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

5ed108674b29709483871f48c307a11739c0c5bfe834770e348a5ce939e89032

Threat Level: Shows suspicious behavior

The file RegFuck.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Checks installed software on the system

Unsigned PE

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 15:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-09 15:37

Reported

2024-06-09 15:41

Platform

win11-20240426-en

Max time kernel

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RegFuck.exe"

Signatures

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RegFuck.exe

"C:\Users\Admin\AppData\Local\Temp\RegFuck.exe"

Network

N/A

Files

memory/936-0-0x00007FFF1DEB3000-0x00007FFF1DEB5000-memory.dmp

memory/936-1-0x000001C810DE0000-0x000001C810DF0000-memory.dmp

memory/936-2-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

memory/936-3-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

memory/936-4-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

memory/936-5-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

memory/936-7-0x00007FFF1DEB0000-0x00007FFF1E972000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 15:37

Reported

2024-06-09 15:39

Platform

win7-20240221-en

Max time kernel

11s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RegFuck.exe"

Signatures

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RegFuck.exe

"C:\Users\Admin\AppData\Local\Temp\RegFuck.exe"

C:\Windows\Explorer.exe

Explorer.exe

Network

N/A

Files

memory/832-0-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

memory/832-1-0x0000000000D50000-0x0000000000D60000-memory.dmp

memory/832-2-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/832-3-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/832-4-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

memory/832-5-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/832-6-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 15:37

Reported

2024-06-09 15:41

Platform

win10v2004-20240426-en

Max time kernel

31s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RegFuck.exe"

Signatures

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\RegFuck.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RegFuck.exe

"C:\Users\Admin\AppData\Local\Temp\RegFuck.exe"

C:\Windows\System32\InputMethod\CHS\ChsIME.exe

C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 175.25.90.104.in-addr.arpa udp

Files

memory/2300-0-0x0000021E4D2D0000-0x0000021E4D2E0000-memory.dmp

memory/2300-1-0x00007FFAE48B3000-0x00007FFAE48B5000-memory.dmp

memory/2300-2-0x00007FFAE48B0000-0x00007FFAE5371000-memory.dmp

memory/2300-3-0x00007FFAE48B0000-0x00007FFAE5371000-memory.dmp

memory/2300-4-0x00007FFAE48B3000-0x00007FFAE48B5000-memory.dmp

memory/2300-5-0x00007FFAE48B0000-0x00007FFAE5371000-memory.dmp

memory/2300-6-0x00007FFAE48B0000-0x00007FFAE5371000-memory.dmp

memory/2300-8-0x00007FFAE48B0000-0x00007FFAE5371000-memory.dmp