Analysis
max time kernel: 104s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
Size: 95KB
MD5: a1abf560f59533c62ca03ae69d77bbc9
SHA1: a788eca75acf0a633ab51db2d2ae00b5ee175d90
SHA256: 5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f
SHA512: 71870fd747f7cc2eb125545cce4b0e481e9eebd9616c362aa5788a3c2f9c22b4dfb22c71d4d78642d7ffedeef26921a10b4030251ffe715107106e2bb8940cc7
SSDEEP: 1536:Fc8N7UsWjcd9w+AyabjDbxE+MwmvlzuazT3TBIpgAAykleHltJ:ZRpAyazIliazTVIpLia
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  4320  CTS.exe
  4676  CTS.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers commonly target stored browser data, which can include saved credentials and other secrets.

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\CTS.exe | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  File created | C:\Windows\CTS.exe | CTS.exe
  File created | C:\Windows\CTS.exe | CTS.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CTS.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2420 | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe
  Token: SeDebugPrivilege | 4320 | CTS.exe
  Token: SeDebugPrivilege | 4676 | CTS.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2420 wrote to memory of 4320 | 2420 | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe | 86
  PID 2420 wrote to memory of 4320 | 2420 | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe | 86
  PID 2420 wrote to memory of 4320 | 2420 | 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe | 86
  PID 4880 wrote to memory of 4676 | 4880 | cmd.exe | 88
  PID 4880 wrote to memory of 4676 | 4880 | cmd.exe | 88
  PID 4880 wrote to memory of 4676 | 4880 | cmd.exe | 88
  In every row the writer is the parent of the target it writes to (see the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process.
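The persistence and memory-write signatures above, turned into checks a triage script can run over sandbox output. This is an added example, not part of the report and not the sandbox's own code: the registry path, PIDs, image names and hashes are transcribed from the tables on this page, while the heuristics themselves (an autostart executable sitting directly in the Windows root, a binary re-registering its own Run value, a WriteProcessMemory edge that is not a parent writing into a child it launched) and the benign OneDrive entry in the usage note are assumptions made for the example.

```python
"""Triage helpers for the Run-key and WriteProcessMemory rows in this report.

Added example, not sandbox code. Report data (key path, PIDs, image names,
hashes) is transcribed from the page; the heuristics are this example's own.
"""
import hashlib
import ntpath
import re
from dataclasses import dataclass

# SHA256 values listed in the report: the submitted sample and the three downloads.
REPORT_SHA256 = {
    "5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f",
    "8110f905804cbcb479049efe3a80cada5e6d83a18d5e1a071da817240894005c",
    "e9606342bf42afa2b6d7383c353963b074351365e0ea604f59af3bdeece082dc",
    "b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc",
}

# HKLM Run key in both the native and the WOW6432Node view, in the kernel-path
# form the sandbox prints (\REGISTRY\MACHINE\SOFTWARE\...\CurrentVersion\Run\<name>).
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegWrite:
    key: str      # full path of the value that was set
    data: str     # string data as the sandbox shows it (quoted, backslashes doubled)
    process: str  # image name of the process that wrote it


def run_key_findings(write: RegWrite) -> list[str]:
    """Reasons a Run-key write looks like malware persistence; empty list if none."""
    m = RUN_KEY_RE.match(write.key)
    if not m:
        return []
    target = write.data.strip('"').replace("\\\\", "\\")
    directory = ntpath.dirname(target).rstrip("\\").lower()
    image = ntpath.basename(target).lower()
    findings = []
    # Legitimate autostarts live under Program Files, System32 or a profile
    # directory; an executable directly in the Windows root is a dropper habit.
    if directory == r"c:\windows":
        findings.append(f"Run\\{m['name']} -> {target}: executable directly in the Windows root")
    # The persisted binary rewriting its own Run value on every start is the
    # loop the report shows for CTS.exe.
    if image == write.process.lower():
        findings.append(f"Run\\{m['name']}: {write.process} re-registers itself")
    return findings


def unexplained_memory_writes(
    writes: list[tuple[int, str, int]], launches: list[tuple[int, int]]
) -> set[tuple[int, int]]:
    """WriteProcessMemory edges (writer_pid, writer_image, target_pid) that are not
    covered by a (parent_pid, child_pid) launch edge. A parent writes into the child
    it has just created, so those rows are expected; anything else deserves an
    injection look."""
    parent_of = {child: parent for parent, child in launches}
    return {(w, t) for w, _img, t in writes if parent_of.get(t) != w}


def is_report_artifact(data: bytes) -> bool:
    """True if the SHA256 of `data` is one of the hashes listed in the report."""
    return hashlib.sha256(data).hexdigest() in REPORT_SHA256


# Rows transcribed from the report's signature tables and process tree.
SAMPLE = "2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"
REPORT_RUN_WRITES = [
    RegWrite(RUN_KEY, r'"C:\\Windows\\CTS.exe"', SAMPLE),
    RegWrite(RUN_KEY, r'"C:\\Windows\\CTS.exe"', "CTS.exe"),
    RegWrite(RUN_KEY, r'"C:\\Windows\\CTS.exe"', "CTS.exe"),
]
REPORT_MEMORY_WRITES = [(2420, SAMPLE, 4320)] * 3 + [(4880, "cmd.exe", 4676)] * 3
REPORT_LAUNCHES = [(2420, 4320), (4880, 4676)]

if __name__ == "__main__":
    for w in REPORT_RUN_WRITES:
        for finding in run_key_findings(w):
            print(finding)
    print("unexplained writes:", unexplained_memory_writes(REPORT_MEMORY_WRITES, REPORT_LAUNCHES))
```

Run against the report's rows, `run_key_findings` flags the sample's write once (Windows-root target) and each CTS.exe write twice (Windows-root target plus self-registration), while a constructed benign entry such as OneDrive.exe registered under Program Files by OneDriveSetup.exe yields nothing. `unexplained_memory_writes` returns an empty set for this report: 2420 writes into 4320 and cmd.exe 4880 into 4676, in both cases the parent writing into the child it launched, so the WriteProcessMemory signature on its own does not indicate injection here; a write from CTS.exe into a process it did not create would be the edge worth chasing.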
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\CTS.exe (PID 4320, child of 2420)
    Command line: "C:\Windows\CTS.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (PID 4880)
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
  - Suspicious use of WriteProcessMemory
  C:\Windows\CTS.exe (PID 4676, child of 4880)
    Command line: C:\Windows\CTS.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 73KB
MD5: c63a4f2530e5e25970a60b79453fe44c
SHA1: 9c6e6fdf3ef52418b5e2e63336bea6f7fce187ae
SHA256: 8110f905804cbcb479049efe3a80cada5e6d83a18d5e1a071da817240894005c
SHA512: 5b66f17410e8ad0cdbdded2f73d0246b4a93e1131d91b0a9325f7c7c2d9ab1640ed4f5841379ee1e5c72f975f433c61ae804a58de60455a70d1820a5f2538fdb

Filesize: 95KB
MD5: 8b0ec501fb7e2c7e172d597b17828390
SHA1: c7acede98afdb3775e3760a978fcef00f122ed73
SHA256: e9606342bf42afa2b6d7383c353963b074351365e0ea604f59af3bdeece082dc
SHA512: 34dc2ecb7dc4c5c0c052016d667a07f344b2560bee24276584e6510236237c413cc078f5b304f0bb5eb8be69f12540f1604e0b0433f46cfb8933d34f341515fd

Filesize: 71KB
MD5: f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1: 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256: b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512: 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432