d74d8f3eba3f87531e69ffcfb8c0e5dc73d9631dd63647554ba725b4e3817775

Analysis

max time kernel
287s
max time network
244s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/06/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/Ryujinx.Ava.exe
Size

59.2MB
MD5

658a3d714497197bac16168fe32bb1e1
SHA1

eeb97a4059c01318cbffa65b918c8948f38afd10
SHA256

640e46cd5308ec137c2f55f3752b540982436271ed67f3555bc9b52f7feead68
SHA512

da4868ceff50c8c481831348796d5f5318c06fdd08441272e245e94746e7497fefc7eaf7767272bd6e95b68b6c374b64dcb17606967876cc5b8fbe6a15611fe0
SSDEEP

393216:3kDkpjhB2dhe9J+2h1PHpbK++M2GKqjJh2kQEJLqJquD/N:3PpO+j1PJbK++M2GKqFTTqJquD/N

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Ryujinx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	Ryujinx.Ava.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	Ryujinx.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1556	2028	Ryujinx.Ava.exe	81
PID 2028 wrote to memory of 1556	2028	Ryujinx.Ava.exe	81

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe
"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe
  "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ryujinx\Config.json

Filesize
4KB

MD5
3a626753d8c1e8270684db2a7fbf86c8

SHA1
6ee37f65103d7cf50d0738b4cc89eb541db61f6f

SHA256
9c94eea0de582e218dbed34dd7f22255b94df9238ef597c41d0b93117ded1aa3

SHA512
b4def7780d81c1d948921921c7415b6be7b60817ceea9bd24f8d0395fd22026dd6506e8203dad3dd16ef1c36c9d57ccf83019a3ce6d13e0e6a3a455666670bb4

Download Submit
C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

Filesize
512B

MD5
c2ef2dbe762de04a448ba88653f279cb

SHA1
4a859fd02ce8ac88cc282498a8f2f50eca6c825f

SHA256
c122e9506bd77db7258cfbbf49d2f2074c8d32313a484dc000260321d862fd95

SHA512
82c6a7607f0833bf3639e6f97dab2ecb1e46afa43aa7dbfe6edd6ed39ed3cdc8a31989ca13c33431e13811eb7941eb4c32d79bb3354ca26fcfa35b723444f5b0

Download Submit
C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData_

Filesize
512B

MD5
2f453b97746934e72a8c32e3830800ee

SHA1
4742e6b13f64d3bd6cb3c836d337a3f5de0c74af

SHA256
06a3e5a78618e46761a2ec56f172ab3e79af51e672ff8c3f6ca1db7a44a5d418

SHA512
f26d91c69d469086e85197e8907fc4de13ef120af5714f126377681d9ab9ee3c3b7316b2449ffeecd8ff4045e52c72fd56a622ca2a467a45226f4373424d6748

Download Submit