a8aa0575929c2a6c7c7b54b776e2d61fa43b62c220fbce5cbc4a254b2d2ee522

Analysis

max time kernel
136s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

citra-setup-windows.exe
Size

24.4MB
MD5

4ef40ea49d688b1211ff3bde3e95c324
SHA1

10a8feb1213d23b5215a2aaf30d190331394123f
SHA256

a8aa0575929c2a6c7c7b54b776e2d61fa43b62c220fbce5cbc4a254b2d2ee522
SHA512

03f4346d85054349fdc04b47b3ae280c736271a9c95967c1b2bf2b1a322afdc4740b201540078f0178fd2f22fa10cfcc7eda1acf2584bd822cb441d0f8f0d9ec
SSDEEP

393216:CsV/CwiBSb0fjMQPqh4mA+Sf9JPAt4BQtPWiAhJfxa2+aegQkNFHtBJsv6tWKFdx:C2nhARkjk7Rt

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
388	citra-setup-windows.exe
388	citra-setup-windows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
388	citra-setup-windows.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	citra-setup-windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	388	citra-setup-windows.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
388	citra-setup-windows.exe
388	citra-setup-windows.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe
388	citra-setup-windows.exe

C:\Users\Admin\AppData\Local\Temp\citra-setup-windows.exe
"C:\Users\Admin\AppData\Local\Temp\citra-setup-windows.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Citra\maintenancetool.exe.new

Filesize
24.4MB

MD5
f310fd450f271e70771bf7ca956e9e94

SHA1
802109118a0bb9333b6cc10e378e05a1865044da

SHA256
427fc6286559836949e25e9e896479c143cb6269ac42afcf70778d70e3cf85b2

SHA512
78ac69971615aa9cbc3093de1d950c22bbe6192b684ec08a08000bb48735ff9c736356546c22c899b2b1da8891b4703313e16bfb67051342b47b875fbf28d03d

Download Submit
C:\Users\Admin\AppData\Local\Citra\maintenancetool.ini

Filesize
4KB

MD5
86d4119ee921efec8df6a1ff9b15b900

SHA1
702cb3fc58d00eeeab0329e6d1081eb79e0bfca8

SHA256
1556a47be0d5a98e6a32f56d99843961684388e5a22dac456a98881e73c87909

SHA512
6c36ed9802371d650a29bd56d496ded282c258079a2e2d0bbdf2790fdf9fea098d9d3319f19724011d03612eab388194c686e07ceeece038312a5d9bd36490c8

Download Submit
C:\Users\Admin\AppData\Local\Citra\nightly\citra-qt.exe

Filesize
44.8MB

MD5
f2e26ddbe6d3bdbda4a10c79d1a3e839

SHA1
3042b22e1748da2fc9de42d73ee4addce51f2d30

SHA256
2a3677ef21cf07452522e9482a0a40fb222df85f920c0877c81ec3556cc756a1

SHA512
116f851a1dfe0c75162a9012dacb97f9af8349118fe719590f0465f97b913cc5481c9ec00067d80e5c3812fed13d8c6718a326562d99215e91dbacddb0ec5252

Download Submit
C:\Users\Admin\AppData\Local\Temp\remoterepo-HpmPXH\org.citra.canary.osx\license.txt.sha1

Filesize
40B

MD5
1a7626bd87bcbeee3995edeff8507e23

SHA1
bee5fa96a65c705dfd7c9ea2e872e227e989217d

SHA256
ef8544551ffb4a35152ae7d204330495a18eb40dc318854f093319a6a1529fed

SHA512
861b66a56f13be1c2b62b5418c6bdbae57fdef01e1c2aebf62268fc051ed87429aee28e5a5114c5a03700ac5e93563220e9f647aa98ef1c53514e328810a49f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\remoterepo-HpmPXH\org.citra.nightly.mingw\license.txt

Filesize
17KB

MD5
751419260aa954499f7abaabaa882bbe

SHA1
06877624ea5c77efe3b7e39b0f909eda6e25a4ec

SHA256
ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6

SHA512
5b322abf6a5a82894113c0dfe549725b140006197a920dfdf1a3ed615730e1de0a947cceea5ff9357cdd42334f8f53a1ab66072fca9ea966be85340a56d4649c

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\Updates.xml

Filesize
4KB

MD5
358f69ac7e9e9a79e26e32003b860577

SHA1
29c166a88f2a04d8b04d674351f95df21071110e

SHA256
64de9873fde08600dda10253a3d3c7d4f55e62ce18d4927cf450b0e1694d0ffa

SHA512
8d23a541910e3f5ae001c58fde779d97ca5bfc31635558d07dcdac306ccbd136986ecbc1f7a07337083f679905678a9fcf08c21970e7a2dfdd155ff7920d1e28

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\org.citra.canary.linux\installscript.qs

Filesize
1KB

MD5
6cab4a19ae898a6754fe84d37013cb06

SHA1
e5099bffc18d489034c0e286d40b67a0a2c1164f

SHA256
348d5ab084459d092fc50b506b0379c31947cd789996d749ace648646b68f5e9

SHA512
97f91b2d897bde3aeeb2c34d4702a38d47850fdcfc5c79f06006ecf70864ee9575d2b04046dbac23f7b23b792726f10b5743c52ce281d64c3ca6de50a3fd7d55

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\org.citra.canary.mingw\installscript.qs

Filesize
545B

MD5
604681512e840941014a3167536e06e3

SHA1
7f85b33b9214b744b8636283ba40f6af2ff22f0f

SHA256
b7172ba8f7ab0c719af45505be95be9d0b74119fbe3984a35e5e6c3ebbaf34a9

SHA512
731825c1840cde6984bb240a62d7582a3d9d556ab926184e8ee59b5fbc590642a0f43867a5feee088e0c5c073915761232397469bb069be15eca540fb22e490c

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\org.citra.canary.osx\installscript.qs

Filesize
382B

MD5
9d2824258e9a76510720ce881a191a3c

SHA1
f9a710f54e51f2f59363dce4299bc95750a5b96e

SHA256
648b7195937053a429754dd6c955e1316a9c5ae8e15b1a72ced7873276dff8b3

SHA512
114dfb6c50343c6ea4c5087d039c227bc599c58d294d6dd53110d7f34ced2228e4044f0a8105fbd15a37e178d8984d2b87bf047a4abfbe8802750dd3de83bd15

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\org.citra.nightly.linux\installscript.qs

Filesize
1KB

MD5
690d77367880fbd4273641e676a12f90

SHA1
2297037b7808200eb23ccec59dc56d995aba168d

SHA256
9c29674a9f78f18608c6e050c2edf210c878cc0045e529e0a26a8ae36e5dff5f

SHA512
db88cab2e695954368b5bf713afc8ba301616b27eefe64086b19836ebe5b51fdcd6d99c7742e7811a06d9610ff192899d9aefc3bf52463a7253ef57f86b0ec53

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\org.citra.nightly.mingw\installscript.qs

Filesize
535B

MD5
6330e48fa027c75c582073a377952073

SHA1
7b17550660da87e9aafda66c320238af54d5b985

SHA256
8d7b1bb2ca9c3774120f7de63b4c0be18759bda033c5ae2dd1ca4d2e66e2cd95

SHA512
471b7c0daa1c62ee1ea287326db2f68c0f5104a1399e938f51a2f0c4c1169b3686af41f6ac547217b578578a6620fba9c589698727f26861b70a818dd8e577b7

Download Submit
C:\Users\Admin\AppData\Local\cache\qt-installer-framework\b65cb026-b96f-347e-bb2c-635db96819c0\29c166a88f2a04d8b04d674351f95df21071110e\org.citra.nightly.osx\installscript.qs

Filesize
369B

MD5
bda5f26bcd9e8f58fc7954ac594a3cd0

SHA1
dfc84f32fbca159b15ba2eecadf2cb3a95d12c2e

SHA256
702e170c62ac6b54a3ea28714a67445525c916e162ed3e19202541258870e51e

SHA512
85a6c0b867c6b48f76927e7ec1e1013ffd6f648a37cda46c8b1199341afa4e488bc644e42fe105c4a7b0f2d03d96926dcab6f8cd5afc35be2b88aca58fa32639

Download Submit
\Users\Admin\AppData\Local\Citra\nightly\citra-qt.exe

Filesize
44.8MB

MD5
f2e26ddbe6d3bdbda4a10c79d1a3e839

SHA1
3042b22e1748da2fc9de42d73ee4addce51f2d30

SHA256
2a3677ef21cf07452522e9482a0a40fb222df85f920c0877c81ec3556cc756a1

SHA512
116f851a1dfe0c75162a9012dacb97f9af8349118fe719590f0465f97b913cc5481c9ec00067d80e5c3812fed13d8c6718a326562d99215e91dbacddb0ec5252

Download Submit
\Users\Admin\AppData\Local\Citra\nightly\citra-qt.exe

Filesize
44.8MB

MD5
f2e26ddbe6d3bdbda4a10c79d1a3e839

SHA1
3042b22e1748da2fc9de42d73ee4addce51f2d30

SHA256
2a3677ef21cf07452522e9482a0a40fb222df85f920c0877c81ec3556cc756a1

SHA512
116f851a1dfe0c75162a9012dacb97f9af8349118fe719590f0465f97b913cc5481c9ec00067d80e5c3812fed13d8c6718a326562d99215e91dbacddb0ec5252

Download Submit
memory/388-11-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/388-12-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/388-10-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/388-1-0x0000000003150000-0x0000000003590000-memory.dmp

Filesize
4.2MB

Download
memory/388-9-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/388-3-0x0000000003590000-0x0000000003790000-memory.dmp

Filesize
2.0MB

Download
memory/388-0-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/388-213-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/388-214-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download