c92a121ec9829988f3b22328470df3d548f03a3970335694b50206676afaeb7e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/Ryujinx.exe
Size

57.1MB
MD5

c549f9b0b42d339dccc7d0ca01050e2d
SHA1

6992a948b69a1ca8bb9c5439224667abff119714
SHA256

ca90ab3fbb660c5a562967786414fbf7ecb0c4579c77c4a353cad7c130505d57
SHA512

58ee0eb67787636ed7ba8ab8edc9d1bfb8f71fb65bb34da06942880397103368c07377da2afe698d348721865967faced97b07653d96b5b386e239871c864868
SSDEEP

393216:9G251FGAsxevvPx3GrGLODPYMOBz0E/su+0BY2M8U:9D1Ftx3Gr8ODPwsOBY2Mz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Ryujinx.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Ryujinx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	Ryujinx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	Ryujinx.exe

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe
"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"
1⤵
- Checks computer location settings
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

Filesize
512B

MD5
990ee6cf6d22972d23a0d0be94a318f4

SHA1
4baf2644895416ae4a2bc23ba721f48dd4eb7920

SHA256
dafcb6cf691e3f001df5a3c80dd84a025761da3ce197e1782dbdd8f9315660cd

SHA512
46a39ed005417480ba413f9162d3ab992028f51e156f5b04f85ffcac61a780e67ce985d0c524b9426da81ca0d28c9692a53a442d858d09086f23d94876fe2f92

Download Submit
C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData_

Filesize
512B

MD5
c51117df1cf3ae1716b979aa46fcdb1f

SHA1
8ae83fd6dfca97793da723ff083bcc36a3db16ce

SHA256
9c93a55257989c18419f93c7d6793d8c0f318efbc989d8e26e2129f196f33674

SHA512
d02af051c17b3cea6a4dc09fef8ccc51fa08b7fa4a4573f6a5a0a9a4f49b9b0b60ca176b8a22ef6f7c41130d957f8163613f14420f7a4a42fd5d32ce02586666

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads