d94be8369f739252f33e4271cd9af05c7a59d52de5d8f407d066bbef8780f8b0

General

Target

publish/Ryujinx.exe
Size

87.2MB
MD5

32fdd6e43f8fb16751cfcd0ca7c53cd6
SHA1

472daf886ce761696695dea26e8f7a8bb1a41427
SHA256

e3e58a27ca28a16999538c000a59b6d7c569e4538802b4ccf286404f9678b0ed
SHA512

d284b4c30d53fbab32c077df57635572ff1f332bc82c8c8fc685ccad94164510736b2d0530baf9c9c3e6604cb741c41702a7fbb091bb7bc44aed6e7a6ea9ffc8
SSDEEP

393216:jrRGb1Tx8GbIPjvsMIwf2wZLT+fGfV519PPRmEnJu00xPterXfm3tBy:gbn8GbILUMIwPaa1NPgEnJu00ezfm3q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Ryujinx.exe

Loads dropped DLL 4 IoCs

pid	Process
3712	Ryujinx.exe
3712	Ryujinx.exe
3712	Ryujinx.exe
3712	Ryujinx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	Ryujinx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Ryujinx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Ryujinx.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	Ryujinx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	Ryujinx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3712	Ryujinx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3712	Ryujinx.exe
2956	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe
"C:\Users\Admin\AppData\Local\Temp\publish\Ryujinx.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\Ryujinx\h1+nkc1LAiPjrlz25_xxtE+Jne1fyuY=\SDL2.dll

Filesize
1.6MB

MD5
26d8af4c3b7e8aa2bdbee75be3506728

SHA1
46c4da0e88e96a8a37a7d853a93e5fba80734dcc

SHA256
c48431a47d57d99d7a056d634427b2b9dd7d640d3e8d9ac14551ee39a9906ecc

SHA512
dd680e83555f62f829dda2671aa29bbae73bcdaf59cbd62fd9108eb5d120f80eb45104a53096e3cd6891f8f9be696d162ddaab971aad50d6a3674024cb2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Ryujinx\h1+nkc1LAiPjrlz25_xxtE+Jne1fyuY=\av_libglesv2.dll

Filesize
4.2MB

MD5
73d2fb4c35d323813a86e3bf5c85c345

SHA1
81f751a34e0c25bdea93902a19a94a49ce1495df

SHA256
85b3aee47c0e0eaf3a5ea5c75ba8131387a12639b6a0ef280c28531fb77695ae

SHA512
e81677cc9b99ff3d54f67000a60489603e01a896f90c4ef0c883b82e2fdb7b90d2899c078958b3f060a20373b99cb6c4deb7f64cc4c7e0ba2a708209f4684ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Ryujinx\h1+nkc1LAiPjrlz25_xxtE+Jne1fyuY=\libHarfBuzzSharp.dll

Filesize
1.5MB

MD5
f121a2afb03f1b8ca1784e544464a346

SHA1
9346297a66989dbe88bc459ee8bf936e7acb3d24

SHA256
f13d0dae00a598620a436fd991219a2e0fe6157eac90faa025d4d76845cd996c

SHA512
ebbb8c2d7d97521286af0f6b02195890b193e660a28e6b1e5112ed9f1fcc081c66587a7a82c8a9468d1a55d477880487d1b3edf1deb2ea285e17d70fbd56c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Ryujinx\h1+nkc1LAiPjrlz25_xxtE+Jne1fyuY=\libSkiaSharp.dll

Filesize
9.0MB

MD5
6b5e769126b4d38601df662bd08e7163

SHA1
c799c7c3b8209468bb4047b4783f691537d717e9

SHA256
3268b1b2de384d00ed77431fe8a1f053d2c69eee25d07dcfc352491570d63b52

SHA512
168c4a5981aa6513bacaa459bac26a3033315a677547eaa01d901b75e46baef91c6fd63185629a3a218a643fcacfa86ae36b8a5313e11f3bcd311bf4b0c61c6f

Download Submit
C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData0

Filesize
512B

MD5
759135651def0bd8bb3b44ddcbccd0ef

SHA1
68a1453f3f994e1989b34c3b618c8e65e63b36a6

SHA256
dc5de2a5f9291280467cb20a96ccad00c9d088b9b901df9c3571bf5d00668dcf

SHA512
fe3f67204c1a10bc2541ee3d87042a9400b0c955b927d5b14e0c865c740e0769deff37c0b5c1f0d3dfe309171bda0075053569f7542d104b1af1c84ac49eaaa2

Download Submit
C:\Users\Admin\AppData\Roaming\Ryujinx\bis\system\save\8000000000000000\ExtraData1

Filesize
512B

MD5
260114b751d03d451e2c9e829045e31a

SHA1
2315636030264525069bb6e9a69657b23765add5

SHA256
0468632013ee5ee21ca7c5d7abeb4b7aa78dbac42493049f18c0720c1044a4e6

SHA512
468acc7064aa5cf6298c2323617e897cf1b160fd257cb2ddf4a8614c55110cc41c0c2aa0209b28e9384d6cc707be19759d5ca96a5ceac5bc93f687509617ecfa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads