Analysis Overview
SHA256
6b98c9a69d330bd990981566222104fdeb12457e949ec714c7a1fe04b68b6cfd
Threat Level: Shows suspicious behavior
The file 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:22
Reported
2025-07-01 07:25
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | C:\Windows\CTS.exe |
| PID 2020 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | C:\Windows\CTS.exe |
| PID 2020 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe | C:\Windows\CTS.exe |
| PID 3748 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\CTS.exe |
| PID 3748 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\CTS.exe |
| PID 3748 wrote to memory of 1072 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Windows\CTS.exe
C:\Windows\CTS.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
C:\Windows\CTS.exe
| MD5 | f60519a4b9abe303feb4b5b3666a551e |
| SHA1 | d5bb38474958a5f51fb74886482fa44e873898f5 |
| SHA256 | 6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d |
| SHA512 | 3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 408ced9550f45fc40343751af19a004f |
| SHA1 | 0572070396a51313bd8458dc1117c9bf76f3e765 |
| SHA256 | a4a43c83ba114d1dc4a47724729a719e5780e5d6fab17019866b33d5a2a99f02 |
| SHA512 | 3f4d8c3fb401f4289284eedda9d5e51a9e03c5154ef1951a7869e720a504d42b0dc967b18311976922227abdaa03d6c55215f02c70236591edfe38da3073ce35 |
C:\Users\Admin\AppData\Local\Temp\eNomJC4OdzTFkB9.exe
| MD5 | a9d75b6ed9fa693e339b07af3c284339 |
| SHA1 | 9a48ede5bf05ed32015a72ff172a1fdc4a495dc0 |
| SHA256 | e41a8ad839b15bc01b859dd2db2a873b31e07e725871b1b50f6bb45b6c9c1ec4 |
| SHA512 | 715eedb7742185bc4a53bf24f544f235ce8c44b948dfffc2d243300237662b6471dbd607ee7339ea78fee1aa5d95233265ae09ca33078d680486d681c789eb49 |