ea8569d5989ca51bf233a63cde03c998f6f1b1addd01906c96647e0a9915ebf5

Analysis

max time kernel
149s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

citra-windows-msvc-20240303-0ff3440\citra-qt.exe
Size

27.5MB
MD5

c1331abf422e09065a0cd2c967e10e39
SHA1

9110fe0d9d063a2a02d04f36d600a96ba3ad66fe
SHA256

8450b9bf8caec4e9ede9fd20495d0dae52c36e37c119c4be6aee706f66a62ac2
SHA512

fd2d52133aec16517a4a1ff59b261b7450d1021e8f00f18f1f7678c21b376c24c4e97a99d74a6ed42fcbcfc05272a12c415a99d48a56f266561617cc5b1b0142
SSDEEP

393216:4YnBTuiKj4mDvlXb/NG7bzbSGJNoheiYL5R2WGnf2yoQzBsW1Ukcl4n4/Aw7wZvs:4IBCeW0Ivi

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	citra-qt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	citra-qt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	citra-qt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	citra-qt.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\ = "URL:Run game 719647875465871400 protocol"	citra-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\DefaultIcon	citra-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\shell\open	citra-qt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\citra-windows-msvc-20240303-0ff3440\\citra-qt.exe"	citra-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400	citra-qt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\citra-windows-msvc-20240303-0ff3440\\citra-qt.exe"	citra-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\shell\open\command	citra-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\shell	citra-qt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\discord-719647875465871400\URL Protocol	citra-qt.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3492	citra-qt.exe
3492	citra-qt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3492	citra-qt.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3492	citra-qt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3492	citra-qt.exe
4724	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\citra-windows-msvc-20240303-0ff3440\citra-qt.exe
"C:\Users\Admin\AppData\Local\Temp\citra-windows-msvc-20240303-0ff3440\citra-qt.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3492-1-0x00007FF99F1B0000-0x00007FF99F7DA000-memory.dmp

Filesize
6.2MB

Download
memory/3492-0-0x00007FF7997A0000-0x00007FF79A7A0000-memory.dmp

Filesize
16.0MB

Download
memory/3492-3-0x000002B38CB80000-0x000002B38CB90000-memory.dmp

Filesize
64KB

Download