Malware Analysis Report

2025-08-05 14:54

Sample ID 250704-waqsxscr9y
Target 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys
SHA256 5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5e43d254611933170aebf6d8f7e9779f57c3ac5ace1f39fcbe16b717574c1b4f

Threat Level: Shows suspicious behavior

The file 2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:43

Reported

2025-07-04 17:45

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_a1abf560f59533c62ca03ae69d77bbc9_bkransomware_elex_rhadamanthys.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Windows\CTS.exe

C:\Windows\CTS.exe

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Windows\CTS.exe

MD5 f9d4ab0a726adc9b5e4b7d7b724912f1
SHA1 3d42ca2098475924f70ee4a831c4f003b4682328
SHA256 b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc
SHA512 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 c63a4f2530e5e25970a60b79453fe44c
SHA1 9c6e6fdf3ef52418b5e2e63336bea6f7fce187ae
SHA256 8110f905804cbcb479049efe3a80cada5e6d83a18d5e1a071da817240894005c
SHA512 5b66f17410e8ad0cdbdded2f73d0246b4a93e1131d91b0a9325f7c7c2d9ab1640ed4f5841379ee1e5c72f975f433c61ae804a58de60455a70d1820a5f2538fdb

C:\Users\Admin\AppData\Local\Temp\bR8NkuglfQNyVCK.exe

MD5 8b0ec501fb7e2c7e172d597b17828390
SHA1 c7acede98afdb3775e3760a978fcef00f122ed73
SHA256 e9606342bf42afa2b6d7383c353963b074351365e0ea604f59af3bdeece082dc
SHA512 34dc2ecb7dc4c5c0c052016d667a07f344b2560bee24276584e6510236237c413cc078f5b304f0bb5eb8be69f12540f1604e0b0433f46cfb8933d34f341515fd