Malware Analysis Report

2025-08-05 14:43

Sample ID 250701-h7g1dsgq9z
Target 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys
SHA256 6b98c9a69d330bd990981566222104fdeb12457e949ec714c7a1fe04b68b6cfd
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6b98c9a69d330bd990981566222104fdeb12457e949ec714c7a1fe04b68b6cfd

Threat Level: Shows suspicious behavior

The file 2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:22

Reported

2025-07-01 07:25

Platform

win10v2004-20250610-en

Max time kernel

103s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-01_036e6b77732d4d91818358a5bba22f83_bkransomware_elex_rhadamanthys.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Windows\CTS.exe

C:\Windows\CTS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Windows\CTS.exe

MD5 f60519a4b9abe303feb4b5b3666a551e
SHA1 d5bb38474958a5f51fb74886482fa44e873898f5
SHA256 6be608cffb5de883843e26f17b767ebf3e0a7fe41137460b32490bcec58e382d
SHA512 3f5f479628de5e4c7911e3730062ac672f721cc513218f38193bfc9426f7fa988b97c9d315689f1b90f15805760b1b284fe4e5ef65fdf482014942f07b1e1bd7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 408ced9550f45fc40343751af19a004f
SHA1 0572070396a51313bd8458dc1117c9bf76f3e765
SHA256 a4a43c83ba114d1dc4a47724729a719e5780e5d6fab17019866b33d5a2a99f02
SHA512 3f4d8c3fb401f4289284eedda9d5e51a9e03c5154ef1951a7869e720a504d42b0dc967b18311976922227abdaa03d6c55215f02c70236591edfe38da3073ce35

C:\Users\Admin\AppData\Local\Temp\eNomJC4OdzTFkB9.exe

MD5 a9d75b6ed9fa693e339b07af3c284339
SHA1 9a48ede5bf05ed32015a72ff172a1fdc4a495dc0
SHA256 e41a8ad839b15bc01b859dd2db2a873b31e07e725871b1b50f6bb45b6c9c1ec4
SHA512 715eedb7742185bc4a53bf24f544f235ce8c44b948dfffc2d243300237662b6471dbd607ee7339ea78fee1aa5d95233265ae09ca33078d680486d681c789eb49