Analysis

  • max time kernel
    17s
  • max time network
    21s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    11-06-2024 16:19

General

  • Target

    publish/Ryujinx.exe

  • Size

    59.2MB

  • MD5

    658a3d714497197bac16168fe32bb1e1

  • SHA1

    eeb97a4059c01318cbffa65b918c8948f38afd10

  • SHA256

    640e46cd5308ec137c2f55f3752b540982436271ed67f3555bc9b52f7feead68

  • SHA512

    da4868ceff50c8c481831348796d5f5318c06fdd08441272e245e94746e7497fefc7eaf7767272bd6e95b68b6c374b64dcb17606967876cc5b8fbe6a15611fe0

  • SSDEEP

    393216:3kDkpjhB2dhe9J+2h1PHpbK++M2GKqjJh2kQEJLqJquD/N:3PpO+j1PJbK++M2GKqFTTqJquD/N

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe
    "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c start https://github.com/Ryujinx/Ryujinx/wiki/Ryujinx-Setup-^&-Configuration-Guide#initial-setup---placement-of-prodkeys
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Ryujinx/Ryujinx/wiki/Ryujinx-Setup-&-Configuration-Guide#initial-setup---placement-of-prodkeys
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad60e3cb8,0x7ffad60e3cc8,0x7ffad60e3cd8
          4⤵
            PID:3604
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,12306627262030039656,2892312675321992655,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
            4⤵
              PID:2300
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,12306627262030039656,2892312675321992655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3428
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,12306627262030039656,2892312675321992655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
              4⤵
                PID:2760
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12306627262030039656,2892312675321992655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                4⤵
                  PID:1816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12306627262030039656,2892312675321992655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                  4⤵
                    PID:4924
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,12306627262030039656,2892312675321992655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2864
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4948
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1580

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    0c705388d79c00418e5c1751159353e3

    SHA1

    aaeafebce5483626ef82813d286511c1f353f861

    SHA256

    697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

    SHA512

    c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    0d84d1490aa9f725b68407eab8f0030e

    SHA1

    83964574467b7422e160af34ef024d1821d6d1c3

    SHA256

    40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

    SHA512

    f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    06bcbb52dbbb2b3574f508cc4924cad0

    SHA1

    2a0ce09a2e1326b4409d3194d7fe4eb356c15fd7

    SHA256

    51924be59bbdb7f738d04f3247227679a8c387d1edae198a3f1280bddad674c0

    SHA512

    5095dbd4987dbe17f7375bfa7d9b274af2fdad303189c8176a936b503c17ec62649b57a5ad27c25cb4c1e3332eea8907e2d511136a6c0ed58de26228317347da

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    8KB

    MD5

    a4da667841826de624016a86d4b11aef

    SHA1

    68c5db807b98bf883bcbd1c984ccf17bacb58dad

    SHA256

    05f2886fe6c438fc9a76f23d28c59344bbd54ef22e670f7e2848d3f4705a228b

    SHA512

    c7d10fb97aef7811efd1778b11e849e87bf037a2d5e7cf3c29d58c3c8c580eefe9bed06ca4a8c4515b9295ac5d824ddc9f1795d9acbd9a8835a79504deacb6c6

  • C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData0

    Filesize

    512B

    MD5

    e6b78acc908c988a8815feb4e28ab22c

    SHA1

    2adcb8d8b7284977ea0dd8c0e61a81b8a5c1851f

    SHA256

    1adfa0e121457d1e2a5a27ee9ea4aff8a7c0c887ea3e737a1347556c195c7ab0

    SHA512

    f9240658c35da63fb1463cca83a97f190e6983166cec0ba38074796187599f5a71c916329d1b56fdc8043a1d101753f71712b7b811bdb0c6ba38173e0dfd628d

  • C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

    Filesize

    512B

    MD5

    a9524bd34ab4dedb4b43b2a55129a186

    SHA1

    c8fa0a68189ffed9d2fadfe684ba84e7a9ac9d39

    SHA256

    f16694c7d8c7f63590240d8a6b7e9e7209bcb2c19de6bfce63723c5583c7f81e

    SHA512

    365f2b0eb09d77b08b5988a6b3b3229d7a1e078454736ac240fd55fee12f99f8619adc1925ff423849b0df5fde4cec35430e9a08b57292538ffbb9e86ce36120