Analysis
max time kernel: 103s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2025, 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe
Resource: win10v2004-20250610-en
General
Target: 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe
Size: 73KB
MD5: 036e6b77732d4d91818358a5bba22f83
SHA1: d83500f6c818e15c46a123ca8ec877ac3e07cc2e
SHA256: 6b98c9a69d330bd990981566222104fdeb12457e949ec714c7a1fe04b68b6cfd
SHA512: 49448d4aef61c635a6c740cb3e66283428909a8209e7755fa3e30b865e660527ce2904d7f0f43f9df8d88103da8a72799e220235321f02bf6c22b3be91c120e2
SSDEEP: 1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlDuazTqr:ZRpAyazIlyazT+
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  3844  CTS.exe
  1072  CTS.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (process: 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (process: CTS.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (process: CTS.exe)
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\CTS.exe (process: 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe)
  File created: C:\Windows\CTS.exe (process: CTS.exe)
  File created: C:\Windows\CTS.exe (process: CTS.exe)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: CTS.exe)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege (PID 2020, 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe)
  Token: SeDebugPrivilege (PID 3844, CTS.exe)
  Token: SeDebugPrivilege (PID 1072, CTS.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process                                                                       procid_target
  PID 2020 wrote to memory of 3844   2020  2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe  88
  PID 2020 wrote to memory of 3844   2020  2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe  88
  PID 2020 wrote to memory of 3844   2020  2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe  88
  PID 3748 wrote to memory of 1072   3748  cmd.exe                                                                       90
  PID 3748 wrote to memory of 1072   3748  cmd.exe                                                                       90
  PID 3748 wrote to memory of 1072   3748  cmd.exe                                                                       90
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe"
  PID: 2020
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\CTS.exe (depth 2)
    command line: "C:\Windows\CTS.exe"
    PID: 3844
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (depth 1)
  command line: C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
  PID: 3748
  - Suspicious use of WriteProcessMemory
  C:\Windows\CTS.exe (depth 2)
    command line: C:\Windows\CTS.exe
    PID: 1072
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 73KB
MD5: 408ced9550f45fc40343751af19a004f
SHA1: 0572070396a51313bd8458dc1117c9bf76f3e765
SHA256: a4a43c83ba114d1dc4a47724729a719e5780e5d6fab17019866b33d5a2a99f02
SHA512: 3f4d8c3fb401f4289284eedda9d5e51a9e03c5154ef1951a7869e720a504d42b0dc967b18311976922227abdaa03d6c55215f02c70236591edfe38da3073ce35

Filesize: 73KB
MD5: a9d75b6ed9fa693e339b07af3c284339
SHA1: 9a48ede5bf05ed32015a72ff172a1fdc4a495dc0
SHA256: e41a8ad839b15bc01b859dd2db2a873b31e07e725871b1b50f6bb45b6c9c1ec4
SHA512: 715eedb7742185bc4a53bf24f544f235ce8c44b948dfffc2d243300237662b6471dbd607ee7339ea78fee1aa5d95233265ae09ca33078d680486d681c789eb49

Filesize: 71KB
MD5: f60519a4b9abe303feb4b5b3666a551e
SHA1: d5bb38474958a5f51fb74886482fa44e873898f5
SHA256: 6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d
SHA512: 3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7