ca85e514d3c70a5fe9838682ae64a4392c1589cbfc5591828dd8d7cd102194ad

Analysis

max time kernel
133s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ryujinx.exe
Size

56.2MB
MD5

d064e134f9bb8f531490e47fd03c8bb5
SHA1

abe030418fe6b781c7a6ce17b8a5ee5f92383ab9
SHA256

173dff8e81017f72c5b82dd45f21c3126e9251d8d84ee5e613da32b3548c6a94
SHA512

fb57a19b0f586351b18e5778d0da1a0a96a80b98cec982a5db48e110c397a98df93675009d0073962bac73d83b527b0ba5b2b32c1200b02b70aee0988b3b298f
SSDEEP

393216:qjaZgP8k+er5lPPzj4/LTie325Gzha7mP:ykgh+eVPzjeL2825Gzha7mP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Ryujinx.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Ryujinx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	Ryujinx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3804	Ryujinx.exe

C:\Users\Admin\AppData\Local\Temp\Ryujinx.exe
"C:\Users\Admin\AppData\Local\Temp\Ryujinx.exe"
1⤵
- Checks computer location settings
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

Filesize
512B

MD5
acf4c1c38687ee6dd9d98880ceaab787

SHA1
8ebd599646f8ea514b536b91d473f0a19d61f70e

SHA256
3de6c89868d2f05e09e5a3fa732030ea46aa0b4f41def2bd3362d9695acbeb12

SHA512
cdb8569dd3200e9ea0f5070825f130d92ab8be588578a23ff2701d0ddbee336544dcfd4abbaf7f6a26109af27068c19fca3155f86b4fa81c8d3b1b8af4c98a33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads