dd429671e147ea9f062d6593bb7cc28ac397cb0881b7961a221771173bdcd6ed

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/Ryujinx.Ava.exe
Size

55.5MB
MD5

098c97e190ff141b58caee272571e82b
SHA1

9cef9e3d90420ec2d6d96d182698c94d1975760e
SHA256

e980dfd47460a07f324fde53d8f392c681e68c69bbcfed8eb0a6c05cf70d02c0
SHA512

bfe98052fa822c32fa7b8948ef5121e415dddf8d58081e0228655004b0f88e6fe8b101d5d21fed7a30b552927ac600f6ece5abe65ce10b98fda04751bd752d0d
SSDEEP

393216:qjaZgP8kbrr5pPPH7ZPTywmS+Txm5G8W28Jg:ykghbR5PlPuwKVm5G8W28Jg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Ryujinx.Ava.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Ryujinx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	Ryujinx.Ava.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4652	Ryujinx.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4652	2412	Ryujinx.Ava.exe	86
PID 2412 wrote to memory of 4652	2412	Ryujinx.Ava.exe	86

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe
"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.Ava.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe
  "C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ryujinx\Config.json

Filesize
4KB

MD5
3a626753d8c1e8270684db2a7fbf86c8

SHA1
6ee37f65103d7cf50d0738b4cc89eb541db61f6f

SHA256
9c94eea0de582e218dbed34dd7f22255b94df9238ef597c41d0b93117ded1aa3

SHA512
b4def7780d81c1d948921921c7415b6be7b60817ceea9bd24f8d0395fd22026dd6506e8203dad3dd16ef1c36c9d57ccf83019a3ce6d13e0e6a3a455666670bb4

Download Submit
C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData_

Filesize
512B

MD5
b682676e7cd480af53d7546ae58ef705

SHA1
bfd56144da6b2fafdc6fb9d0edc5d00749bea60b

SHA256
7f424b6bffdbca541a54f177424e734c88d704d6ce79f3ea7ecd6d499edf312e

SHA512
1cc4d52ef1f94882c6c5aac480ab42a7d57d5aa74664451278c29008dea1db65216ac51d4d77c0239ee2482a352ecd14edb91d5d5b900324f6e9589da88cf389

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads