Analysis
- max time kernel: 104s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Resource: win11-20250619-en
General
- Target: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
- Size: 95KB
- MD5: a1abf560f59533c62ca03ae69d77bbc9
- SHA1: a788eca75acf0a633ab51db2d2ae00b5ee175d90
- SHA256: 5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f
- SHA512: 71870fd747f7cc2eb125545cce4b0e481e9eebd9616c362aa5788a3c2f9c22b4dfb22c71d4d78642d7ffedeef26921a10b4030251ffe715107106e2bb8940cc7
- SSDEEP: 1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT3TBIpgAAykleHltJ:ZRpAyazIliazTVIpLia
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 3380 CTS.exe
  - 1092 CTS.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (CTS.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (CTS.exe)
- Drops file in Windows directory (3 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\CTS.exe (2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe)
  - File created: C:\Windows\CTS.exe (CTS.exe)
  - File created: C:\Windows\CTS.exe (CTS.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CTS.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege / 4076 / 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  - Token: SeDebugPrivilege / 3380 / CTS.exe
  - Token: SeDebugPrivilege / 1092 / CTS.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  - PID 4076 wrote to memory of 3380 / 4076 / 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe / 86 (reported 3 times)
  - PID 4992 wrote to memory of 1092 / 4992 / cmd.exe / 88 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4076
  - C:\Windows\CTS.exe (child)
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3380
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
  - Suspicious use of WriteProcessMemory
  PID: 4992
  - C:\Windows\CTS.exe (child)
    Command line: C:\Windows\CTS.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID: 1092
Network
MITRE ATT&CK Enterprise v16
Downloads