Analysis
- max time kernel: 93s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2025, 12:24
Static task: static1
Behavioral task: behavioral1
Sample: poisson.exe
Resource: win10v2004-20250502-en
General
- Target: poisson.exe
- Size: 64KB
- MD5: 953e68edbc8049cffa5e9334608babc7
- SHA1: 8650fb2d0c190c704cb86dbd57e25852bf8d9e31
- SHA256: 15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e
- SHA512: f488d726649c6a1b29376bff28a649a69221e8f62dd96f67b8dafb182b71c755589c2f5a48bc45c45c0085ef759ff3293440b3c55358cea0ce2efe6175b85c17
- SSDEEP: 1536:3gyNSHtoW8lnk5dksapxWZhx7ajQIc5HhO:3gyNCoR6PJzh8
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | poisson.exe
- Disables Task Manager via registry modification
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper | poisson.exe
- Kills process with taskkill (1 IoCs)
  pid | Process
  5016 | taskkill.exe
- Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "172" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  1064 | NOTEPAD.EXE
- Runs regedit.exe (1 IoCs)
  pid | Process
  4996 | regedit.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  812 | LogonUI.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1180 wrote to memory of 4480 | 1180 | poisson.exe | 94
  PID 1180 wrote to memory of 4480 | 1180 | poisson.exe | 94
  PID 4480 wrote to memory of 5016 | 4480 | cmd.exe | 95
  PID 4480 wrote to memory of 5016 | 4480 | cmd.exe | 95
  PID 1180 wrote to memory of 3800 | 1180 | poisson.exe | 96
  PID 1180 wrote to memory of 3800 | 1180 | poisson.exe | 96
  PID 1180 wrote to memory of 2408 | 1180 | poisson.exe | 103
  PID 1180 wrote to memory of 2408 | 1180 | poisson.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\poisson.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\poisson.exe"
  PID: 1180
  - Disables RegEdit via registry modification
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM *
    PID: 4480
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM *
      PID: 5016
      - Kills process with taskkill
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    PID: 3800
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start explorer.exe
    PID: 2408
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt
  PID: 1064
  - Opens file in notepad (likely ransom note)
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  PID: 3948
- C:\Windows\regedit.exe
  Command line: "C:\Windows\regedit.exe"
  PID: 4996
  - Runs regedit.exe
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 4952
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3939055 /state1:0x41c64e6d
  PID: 812
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 141B
  MD5: 69702271784613bd8494690f5b95a615
  SHA1: 9f1a9800c26a16ad9e413060e9c4becc075f7b3b
  SHA256: 6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01
  SHA512: 95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7