ced9be4b013de155b7b413926254b898dc3364e71d339893d3014c065dbf41b2

General

Target

KryxiviaInstaller.exe
Size

5.2MB
MD5

359e6b859b5c3d0714015952eef68f7d
SHA1

2c82924ccce46d992588ea88bea2ba7d48a1e4d5
SHA256

ced9be4b013de155b7b413926254b898dc3364e71d339893d3014c065dbf41b2
SHA512

0347a6ae8b1e72bf3f86e65d7b70ed6d94e794292040a79921b48142ae2e1309337aef04cb4f6251f93e88aaf9884a4ddaa58b725e6a85f05321acb078cd50fc
SSDEEP

98304:ST/yH02PyfKIRetXCnZsrr+Qeack4iHKpgJKHA3x1j5mLBrG5dkjC6:2yHpPX3eqGpa3KpgJKHevj5mLByzkW6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

KryxiviaUpdater.exe

pid process

316 KryxiviaUpdater.exe
Loads dropped DLL 2 IoCs

Processes:

KryxiviaInstaller.exe

pid process

1736 KryxiviaInstaller.exe
1736 KryxiviaInstaller.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
316	KryxiviaUpdater.exe

pid	process
1736	KryxiviaInstaller.exe
1736	KryxiviaInstaller.exe

Drops file in Program Files directory 27 IoCs

Processes:

KryxiviaInstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.WindowsAPICodePack.Shell.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Uninstall Kryxivia.dat	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Uninstall Kryxivia.exe	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.Core.pdb	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.WindowsAPICodePack.ExtendedLinguisticServices.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaAutoUpdater.pdb	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.Core.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.pdb	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.WindowsAPICodePack.Sensors.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\log4net.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.IdentityModel.Abstractions.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.IdentityModel.Logging.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.IdentityModel.Tokens.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.WindowsAPICodePack.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\DotNetZip.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.WindowsAPICodePack.ShellExtensions.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\System.IdentityModel.Tokens.Jwt.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaAutoUpdater.exe.config	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Newtonsoft.Json.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Uninstall Kryxivia_lang.ifl	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\log4net.config	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Microsoft.IdentityModel.JsonWebTokens.dll	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\kryxivia.ico	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe.config	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaAutoUpdater.exe	KryxiviaInstaller.exe
File created	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe	KryxiviaInstaller.exe
File opened for modification	C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\Uninstall Kryxivia_lang.ifl	KryxiviaInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

KryxiviaInstaller.exe

pid process

1736 KryxiviaInstaller.exe

pid	process
1736	KryxiviaInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

KryxiviaInstaller.exe

description	pid	process	target process
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe
PID 1736 wrote to memory of 316	1736	KryxiviaInstaller.exe	KryxiviaUpdater.exe

C:\Users\Admin\AppData\Local\Temp\KryxiviaInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\KryxiviaInstaller.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe
"C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe"
2⤵
- Executes dropped EXE
PID:316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe
Filesize
3.1MB

MD5
2602e822629da9ac2dc971fab4fb500d

SHA1
7e16896209adfdf0a483dc4698c9aaefbb9cc3d5

SHA256
39127a6180d8028c9559f1e7c6edc013137ed7e99e02213b713af507c66c2ec0

SHA512
f14981c94ea9a17867ce7dcc70d15f5d07c7a96be0d2aafc68e18694bfa701280652ea33cc76972ef40b0a9fd8d06cd303daed993063ebbbefa914a400a39e8d

Download Submit
C:\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe.config
Filesize
174B

MD5
2a2df45a07478a1c77d5834c21f3d7fd

SHA1
f949e331f0d75ba38d33a072f74e2327c870d916

SHA256
051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa

SHA512
1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{5B4CDABA-3873-4256-A7DB-6B436D4762E9}\default.ifl
Filesize
2KB

MD5
2922d0c758d9c3c10cbdc59f91979d0c

SHA1
feb69bdf58d06cca776db63036811af0764ca013

SHA256
20f6d12eac29bd6ddc6a99dd276c5e200fac25c976ab4293195b58ec164c253f

SHA512
d15e888bae4e23ce5d61becc3c47d9b5f61fbbe4612cf90677314570fe1df1f4fde6c519b789ad46cc50d19c2b3701bc9bd968e85bb618fb7127950d4ae92695

Download Submit
\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe
Filesize
3.1MB

MD5
2602e822629da9ac2dc971fab4fb500d

SHA1
7e16896209adfdf0a483dc4698c9aaefbb9cc3d5

SHA256
39127a6180d8028c9559f1e7c6edc013137ed7e99e02213b713af507c66c2ec0

SHA512
f14981c94ea9a17867ce7dcc70d15f5d07c7a96be0d2aafc68e18694bfa701280652ea33cc76972ef40b0a9fd8d06cd303daed993063ebbbefa914a400a39e8d

Download Submit
\Program Files (x86)\Kryxivia\Kryxivia Uplauncher Beta\KryxiviaUpdater.exe
Filesize
3.1MB

MD5
2602e822629da9ac2dc971fab4fb500d

SHA1
7e16896209adfdf0a483dc4698c9aaefbb9cc3d5

SHA256
39127a6180d8028c9559f1e7c6edc013137ed7e99e02213b713af507c66c2ec0

SHA512
f14981c94ea9a17867ce7dcc70d15f5d07c7a96be0d2aafc68e18694bfa701280652ea33cc76972ef40b0a9fd8d06cd303daed993063ebbbefa914a400a39e8d

Download Submit

Resubmissions

Analysis

Sharing