Resubmissions

18/05/2025, 14:44

250518-r376fser21 8

18/05/2025, 12:24

250518-plagradl3v 8

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 12:24

General

  • Target

    poisson.exe

  • Size

    64KB

  • MD5

    953e68edbc8049cffa5e9334608babc7

  • SHA1

    8650fb2d0c190c704cb86dbd57e25852bf8d9e31

  • SHA256

    15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e

  • SHA512

    f488d726649c6a1b29376bff28a649a69221e8f62dd96f67b8dafb182b71c755589c2f5a48bc45c45c0085ef759ff3293440b3c55358cea0ce2efe6175b85c17

  • SSDEEP

    1536:3gyNSHtoW8lnk5dksapxWZhx7ajQIc5HhO:3gyNCoR6PJzh8

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\poisson.exe
    "C:\Users\Admin\AppData\Local\Temp\poisson.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM *
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM *
        3⤵
        • Kills process with taskkill
        PID:5016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      2⤵
      PID:3800
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start explorer.exe
      2⤵
      PID:2408
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1064
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:3948
  • C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    1⤵
    • Runs regedit.exe
    PID:4996
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    PID:4952
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3939055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:812

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\Desktop\lol.txt

    Filesize

    141B

    MD5

    69702271784613bd8494690f5b95a615

    SHA1

    9f1a9800c26a16ad9e413060e9c4becc075f7b3b

    SHA256

    6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01

    SHA512

    95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7

  • memory/1180-1-0x00007FF626800000-0x00007FF626813000-memory.dmp

    Filesize

    76KB