Analysis
max time kernel: 101s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
submitted: 04/07/2025, 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Resource: win11-20250619-en
General
Target: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
Size: 95KB
MD5: a1abf560f59533c62ca03ae69d77bbc9
SHA1: a788eca75acf0a633ab51db2d2ae00b5ee175d90
SHA256: 5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f
SHA512: 71870fd747f7cc2eb125545cce4b0e481e9eebd9616c362aa5788a3c2f9c22b4dfb22c71d4d78642d7ffedeef26921a10b4030251ffe715107106e2bb8940cc7
SSDEEP: 1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT3TBIpgAAykleHltJ:ZRpAyazIliazTVIpLia
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  4060  CTS.exe
  3156  CTS.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No individual IoC rows are recorded for this signature.
Adds Run key to start application (2 TTPs, 3 IoCs)
  Description      IoC                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
  Note: the WOW6432Node path means the value was written by a 32-bit image through registry redirection; from the 32-bit view it is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTS, so a hunt has to query both the native and the WOW6432Node view. Writing under HKLM and into C:\Windows requires an elevated token, consistent with the sample running from the Admin user's profile.
Drops file in Windows directory (3 IoCs)
  Description   IoC                 Process
  File created  C:\Windows\CTS.exe  CTS.exe
  File created  C:\Windows\CTS.exe  CTS.exe
  File created  C:\Windows\CTS.exe  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CTS.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   4232  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Token: SeDebugPrivilege   4060  CTS.exe
  Token: SeDebugPrivilege   3156  CTS.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process                                                                           procid_target
  PID 4232 wrote to memory of 4060   4232  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe  80
  PID 4232 wrote to memory of 4060   4232  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe  80
  PID 4232 wrote to memory of 4060   4232  2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe  80
  PID 4624 wrote to memory of 3156   4624  cmd.exe                                                                           82
  PID 4624 wrote to memory of 3156   4624  cmd.exe                                                                           82
  PID 4624 wrote to memory of 3156   4624  cmd.exe                                                                           82
  Note: in every row the target is the child the writing process spawned (4232 -> 4060 and 4624 -> 3156 in the process tree below), so these writes are consistent with process creation; no write into an unrelated process is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"
   PID: 4232
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe
      Command line: "C:\Windows\CTS.exe"
      PID: 4060
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
   PID: 4624
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\CTS.exe
      Command line: C:\Windows\CTS.exe
      PID: 3156
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
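Host triage for the indicators recorded in this report (the Run value named CTS, the dropped C:\Windows\CTS.exe, and the cmd.exe /c C:\Windows\CTS.exe launch in the second process tree), as an added example that is not part of the sandbox report. The function names and the $Indicators table are this example's own. Only the sample SHA256 from the General section is matched, because the report does not say which of the downloaded files is the dropped CTS.exe; any CTS.exe found in C:\Windows is therefore reported whether or not its hash matches.

```powershell
# Added triage script (not from the report). Indicator values come from the report above;
# function names and the $Indicators table are this example's own.
$Indicators = @{
    RunValueName = 'CTS'                 # value name under ...\CurrentVersion\Run
    RunValueData = 'C:\Windows\CTS.exe'  # value data recorded by the sandbox
    DroppedFile  = 'C:\Windows\CTS.exe'  # "File created" IoC
    SampleSha256 = '5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f'
}

# The report shows the value under WOW6432Node, i.e. written by a 32-bit image through
# registry redirection. A 64-bit build would land in the native path, so check both views.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds for the registry provider; they are not Run values.
$ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyHits {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderMeta -contains $p.Name) { continue }
            $data = if ($p.Value -is [string]) { $p.Value.Trim('"') } else { '' }
            # Match on the value name, or on the data in case the name was changed.
            if ($p.Name -eq $Indicators.RunValueName -or $data -ieq $Indicators.RunValueData) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value }
            }
        }
    }
}

function Get-DroppedFileHit {
    if (-not (Test-Path -LiteralPath $Indicators.DroppedFile -PathType Leaf)) { return $null }
    $item = Get-Item -LiteralPath $Indicators.DroppedFile
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path          = $item.FullName
        SizeBytes     = $item.Length
        SHA256        = $hash
        MatchesSample = ($hash -ieq $Indicators.SampleSha256)  # dropped copy may differ from the sample
        CreatedUtc    = $item.CreationTimeUtc
    }
}

function Get-ProcessHits {
    # Running CTS.exe instances, plus any process whose command line launches the dropped
    # path (the report's second tree is cmd.exe /c C:\Windows\CTS.exe). ExecutablePath and
    # CommandLine of other users' processes are only visible from an elevated session.
    $pattern = [regex]::Escape($Indicators.DroppedFile)
    Get-CimInstance -ClassName Win32_Process | Where-Object {
        ($_.ExecutablePath -and $_.ExecutablePath -ieq $Indicators.DroppedFile) -or
        ($_.CommandLine -and $_.CommandLine -imatch $pattern)
    } | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

Write-Output '== Run key values =='
Get-RunKeyHits | Format-Table -AutoSize
Write-Output '== Dropped file =='
Get-DroppedFileHit | Format-List
Write-Output '== Processes =='
Get-ProcessHits | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the process listing is complete. A Run value hit or a loose CTS.exe under C:\Windows is the finding; the MatchesSample field is informational only, since the report gives no hash for the dropped copy.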
Network
MITRE ATT&CK Enterprise v16
Downloads
File 1
  Filesize: 394KB
  MD5: b1326db3654b2dcda0b38bd5534beae9
  SHA1: ec6d57d6c4c2b7140af3bf526838c2c16edbe382
  SHA256: 8e438a486a6ca73f20e41dd2eea7b7c69e44fc317ad3b40368285b8932399c1b
  SHA512: d0cc5503f107783507a6603de867a3db3b537abefa23201095f775b1befc874eb877ce09c061e622254614685bc666a6fd4e0c6505e4e7156f1ce316370e38d5
File 2
  Filesize: 95KB
  MD5: af75e05bf1020785e7afb81820d82ae4
  SHA1: 51904f3d8b5873066b9bed110a99a2179eb64cb9
  SHA256: 80cc1ad10229331829e42f9c583c2f58b8143f95b584026e2ad2706da9c594e3
  SHA512: 3ca19f280a5e0374237c6496faf387926b77a6840c43c9e45d6386a8b745b4d64029cdc4a82735a8d3e9574d8d7f2f25a23addbf2212de1a8ceeddf1479f0272
File 3
  Filesize: 71KB
  MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
  SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
  SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
  SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432