Analysis

  • max time kernel
    103s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2025, 07:22

General

  • Target

    2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe

  • Size

    73KB

  • MD5

    036e6b77732d4d91818358a5bba22f83

  • SHA1

    d83500f6c818e15c46a123ca8ec877ac3e07cc2e

  • SHA256

    6b98c9a69d330bd990981566222104fdeb12457e949ec714c7a1fe04b68b6cfd

  • SHA512

    49448d4aef61c635a6c740cb3e66283428909a8209e7755fa3e30b865e660527ce2904d7f0f43f9df8d88103da8a72799e220235321f02bf6c22b3be91c120e2

  • SSDEEP

    1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlDuazTqr:ZRpAyazIlyazT+

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3844
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\CTS.exe
      C:\Windows\CTS.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1072

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    73KB

    MD5

    408ced9550f45fc40343751af19a004f

    SHA1

    0572070396a51313bd8458dc1117c9bf76f3e765

    SHA256

    a4a43c83ba114d1dc4a47724729a719e5780e5d6fab17019866b33d5a2a99f02

    SHA512

    3f4d8c3fb401f4289284eedda9d5e51a9e03c5154ef1951a7869e720a504d42b0dc967b18311976922227abdaa03d6c55215f02c70236591edfe38da3073ce35

  • C:\Users\Admin\AppData\Local\Temp\eNomJC4OdzTFkB9.exe

    Filesize

    73KB

    MD5

    a9d75b6ed9fa693e339b07af3c284339

    SHA1

    9a48ede5bf05ed32015a72ff172a1fdc4a495dc0

    SHA256

    e41a8ad839b15bc01b859dd2db2a873b31e07e725871b1b50f6bb45b6c9c1ec4

    SHA512

    715eedb7742185bc4a53bf24f544f235ce8c44b948dfffc2d243300237662b6471dbd607ee7339ea78fee1aa5d95233265ae09ca33078d680486d681c789eb49

  • C:\Windows\CTS.exe

    Filesize

    71KB

    MD5

    f60519a4b9abe303feb4b5b3666a551e

    SHA1

    d5bb38474958a5f51fb74886482fa44e873898f5

    SHA256

    6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d

    SHA512

    3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7