Overview

Score  Target                     Platform
7      Static                     -
3      publish/OpenAL32.dll       windows7-x64
1      publish/OpenAL32.dll       windows10-2004-x64
1      publish/Ry...va.exe        windows7-x64
7      publish/Ry...va.exe        windows10-2004-x64
7      publish/Ryujinx.exe        windows7-x64
1      publish/Ryujinx.exe        windows10-2004-x64
7      publish/SDL2.dll           windows7-x64
1      publish/SDL2.dll           windows10-2004-x64
1      publish/av...v2.dll        windows7-x64
1      publish/av...v2.dll        windows10-2004-x64
1      publish/av...59.dll        windows7-x64
1      publish/av...59.dll        windows10-2004-x64
1      publish/avutil-57.dll      windows7-x64
1      publish/avutil-57.dll      windows10-2004-x64
1      publish/glfw3.dll          windows7-x64
1      publish/glfw3.dll          windows10-2004-x64
1      publish/li...rp.dll        windows7-x64
1      publish/li...rp.dll        windows10-2004-x64
1      publish/li...rp.dll        windows7-x64
1      publish/li...rp.dll        windows10-2004-x64
1      publish/li....dylib        macos-10.15-amd64
1      publish/li...io.dll        windows7-x64
1      publish/li...io.dll        windows10-2004-x64
Resubmissions (1)

16-06-2024 14:53  240616-r9bqtsxdrd  score 7

Analysis

- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 14:53
Tasks

Task          Sample                                     Resource
static1       -                                          -
behavioral1   publish/OpenAL32.dll                       win7-20240221-en
behavioral2   publish/OpenAL32.dll                       win10v2004-20240508-en
behavioral3   publish/Ryujinx.Ava.exe                    win7-20231129-en
behavioral4   publish/Ryujinx.Ava.exe                    win10v2004-20240611-en
behavioral5   publish/Ryujinx.exe                        win7-20240611-en
behavioral6   publish/Ryujinx.exe                        win10v2004-20240611-en
behavioral7   publish/SDL2.dll                           win7-20240221-en
behavioral8   publish/SDL2.dll                           win10v2004-20240508-en
behavioral9   publish/av_libglesv2.dll                   win7-20240508-en
behavioral10  publish/av_libglesv2.dll                   win10v2004-20240611-en
behavioral11  publish/avcodec-59.dll                     win7-20240221-en
behavioral12  publish/avcodec-59.dll                     win10v2004-20240508-en
behavioral13  publish/avutil-57.dll                      win7-20240611-en
behavioral14  publish/avutil-57.dll                      win10v2004-20240508-en
behavioral15  publish/glfw3.dll                          win7-20240508-en
behavioral16  publish/glfw3.dll                          win10v2004-20240226-en
behavioral17  publish/libHarfBuzzSharp.dll               win7-20240611-en
behavioral18  publish/libHarfBuzzSharp.dll               win10v2004-20240611-en
behavioral19  publish/libSkiaSharp.dll                   win7-20240508-en
behavioral20  publish/libSkiaSharp.dll                   win10v2004-20240611-en
behavioral21  publish/libarmeilleure-jitsupport.dylib    macos-20240611-en
behavioral22  publish/libsoundio.dll                     win7-20240508-en
behavioral23  publish/libsoundio.dll                     win10v2004-20240611-en
General

- Target: publish/Ryujinx.Ava.exe
- Size: 59.2MB
- MD5: 22147894a92b93e8c096721b901ec3d9
- SHA1: ea2fe5cc929edf3dd6f9ef5c85d03459af107abc
- SHA256: baaa3069ae7d7149f3062556ff12e9c8478bc88a74fb2b59cfa5a38ef91c05e6
- SHA512: 648b3b349a2a4f2d5cb64a699be574f9fd54ff099b264a239a9596fa95ab05b0ff6692e4badaa80547fb290f0f8e003eb387ceb6388c94c82af9cb26b3c68fb0
- SSDEEP: 393216:3kDkpjhB2dhe9Js2hzPPHpbK+n0GKq8PhHqqJquD/u:3PpO+RbPJbK+0GKqKIqJquD/u
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: Ryujinx.Ava.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation

- Deletes itself (1 IoC)
  Process: Ryujinx.exe (PID 2908)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: Ryujinx.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: Ryujinx.Ava.exe (PID 372)
    Token: SeDebugPrivilege

- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: Ryujinx.exe (PID 2908)

- Suspicious use of WriteProcessMemory (2 IoCs)
  Process: Ryujinx.Ava.exe (PID 372), target process: Ryujinx.exe (PID 2908)
    PID 372 wrote to memory of 2908
    PID 372 wrote to memory of 2908
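As an added example (not the sandbox's code and nothing from the Ryujinx project), the script below parses the IoC lines quoted in this section and applies the checks an analyst does by hand when reading them: it normalises the SCSI device paths (registry paths are case-insensitive, so the four SCSI IoCs above describe two device instances), pulls out the `Ven_` vendor tokens that a sandbox-aware program would compare against a hypervisor list, and tags the geofence lookup and the SeDebugPrivilege request. The `Ioc` record type, the tag names and the `HYPERVISOR_VENDORS` list are this example's own assumptions; the sample lines are copied from the report.

```python
"""Triage of the registry/token IoCs quoted in the Signatures section.

Added example; not part of the sandbox report or the Ryujinx project.
The parsing targets the report's own "description ioc process" layout;
the tag names and the hypervisor vendor list are this example's assumptions.
"""
import re
from dataclasses import dataclass

# IoC lines copied from the Signatures section above (the geofence lookup,
# the four SCSI enumeration keys and the SeDebugPrivilege token IoC).
SAMPLE_IOCS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation Ryujinx.Ava.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags Ryujinx.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 Ryujinx.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags Ryujinx.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 Ryujinx.exe",
    r"Token: SeDebugPrivilege 372 Ryujinx.Ava.exe",
]

# Vendor tokens ("Ven_<vendor>" inside a PnP device ID) that give away common
# hypervisors. Assumption of this example, not a sandbox-maintained list.
HYPERVISOR_VENDORS = {"QEMU", "VBOX", "VMWARE", "VIRTIO", "XEN"}

# HKCU\Control Panel\International\Geo\Nation holds the user's GeoID.
GEO_NATION_SUFFIX = "\\control panel\\international\\geo\\nation"

_REG_RE = re.compile(r"^(Key value queried|Key opened)\s+(.+?)\s+(\S+)$")
_TOK_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class Ioc:
    kind: str     # "registry" or "token"
    action: str   # registry operation, or the privilege name for tokens
    target: str   # registry path, or the PID for tokens
    process: str  # image name the sandbox attributed the event to


def parse_ioc(line: str):
    """Parse one IoC line of the report; returns None for unknown layouts."""
    line = line.strip()
    m = _REG_RE.match(line)
    if m:
        return Ioc("registry", m.group(1), m.group(2), m.group(3))
    m = _TOK_RE.match(line)
    if m:
        return Ioc("token", m.group(1), m.group(2), m.group(3))
    return None


def parse_iocs(lines):
    return [ioc for ioc in map(parse_ioc, lines) if ioc is not None]


def device_instance(path: str):
    """Normalised '<bus>\\<device id>\\<instance>' below ...\\Enum\\, or None.

    Registry paths are case-insensitive, so the report's mixed-case duplicates
    collapse to one instance; a trailing value name (ConfigFlags) is dropped.
    """
    m = re.search(r"\\enum\\((?:[^\\]+\\){2}[^\\]+)", path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _vendors(instance: str):
    return {m.group(1).upper() for m in re.finditer(r"ven_([^&\\]+)", instance)}


def distinct_device_instances(iocs):
    return {inst for ioc in iocs if ioc.kind == "registry"
            for inst in [device_instance(ioc.target)] if inst is not None}


def hypervisor_vendors(iocs):
    """Hypervisor vendor strings the sample could read from the SCSI keys."""
    found = set()
    for inst in distinct_device_instances(iocs):
        found |= _vendors(inst) & HYPERVISOR_VENDORS
    return found


def triage(iocs):
    """Map each triage tag to the set of processes that triggered it."""
    tags = {}

    def tag(name, proc):
        tags.setdefault(name, set()).add(proc)

    for ioc in iocs:
        if ioc.kind == "token":
            if ioc.action == "SeDebugPrivilege":
                tag("debug-privilege", ioc.process)
            continue
        if ioc.target.lower().endswith(GEO_NATION_SUFFIX):
            tag("geofence-lookup", ioc.process)
        inst = device_instance(ioc.target)
        if inst is None:
            continue
        tag("storage-enumeration", ioc.process)
        if _vendors(inst) & HYPERVISOR_VENDORS:
            tag("hypervisor-artifact-readable", ioc.process)
    return tags


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOCS)
    print(f"{len(iocs)} IoCs, {len(distinct_device_instances(iocs))} distinct device instances")
    print("hypervisor vendors visible:", sorted(hypervisor_vendors(iocs)))
    for name, procs in sorted(triage(iocs).items()):
        print(f"{name:30} {', '.join(sorted(procs))}")
```

Read the output as triage context rather than a verdict: the QEMU vendor string in the SCSI enumeration keys is readable by any program that enumerates drives, and the report separately flags plain storage enumeration, so the `hypervisor-artifact-readable` tag only records what the sample could have learned from those keys, not that it acted on it.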
Processes

- C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe (PID 372, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe (PID 2908, depth 2, child of PID 372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"
    - Deletes itself
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Ryujinx\Config.json
  Filesize: 4KB
  MD5: 3a626753d8c1e8270684db2a7fbf86c8
  SHA1: 6ee37f65103d7cf50d0738b4cc89eb541db61f6f
  SHA256: 9c94eea0de582e218dbed34dd7f22255b94df9238ef597c41d0b93117ded1aa3
  SHA512: b4def7780d81c1d948921921c7415b6be7b60817ceea9bd24f8d0395fd22026dd6506e8203dad3dd16ef1c36c9d57ccf83019a3ce6d13e0e6a3a455666670bb4

- C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1
  Filesize: 512B
  MD5: 5128087db232b6eefcf2b6f3b6094dd8
  SHA1: 534af183d50ca1b14f2f4015d3f8666d77607a97
  SHA256: 091f8fe85801923886ce2da547762ae89ca822928ce0c80625685b668e4da3a1
  SHA512: c102646722d0c8300c1a98dfc2d04aeb37ed42c299a9f86a0e6647486cd6128d4527a4f6e68c7476db77a0b6ec9e73b0ed93868d04da1e723b10104b686db19f

- C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData_
  Filesize: 512B
  MD5: e659ad65193c6cebaea6eb132b3176b1
  SHA1: 32febfab1dee2c1d566c363f0e7426ac43d3b3e3
  SHA256: 0c6b058e15c7cd1bf66c7eb5315d26a7512c4bd5c0e109df0b06f971d9ecc02b
  SHA512: 7938f76f980873aa247e1d5171b29641cbea976a66e40c012067370164c709a0a64c085ba01a7b0648974aaf0c26a8555290f5f6caf4733656162b0bbdd6f50f