Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-plagradl3v
Target poisson.exe
SHA256 15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e
Tags defense_evasion ransomware
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e

Threat Level: Likely malicious

The file poisson.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion ransomware

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Sets desktop wallpaper using registry

Unsigned PE

Kills process with taskkill

Runs regedit.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 12:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 12:24

Reported

2025-05-18 12:27

Platform

win10v2004-20250502-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\poisson.exe"

Signatures

Disables RegEdit via registry modification

defense_evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\poisson.exe | N/A

Disables Task Manager via registry modification

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\AppData\Local\Temp\poisson.exe | N/A

Kills process with taskkill

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "172" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Runs regedit.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\poisson.exe

"C:\Users\Admin\AppData\Local\Temp\poisson.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM *

C:\Windows\system32\taskkill.exe

taskkill /F /IM *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start explorer.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3939055 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | c.pki.goog | udp
N/A | 100.85.210.66:80 | c.pki.goog | tcp

Files

memory/1180-1-0x00007FF626800000-0x00007FF626813000-memory.dmp

C:\Users\Admin\Desktop\lol.txt

MD5 69702271784613bd8494690f5b95a615
SHA1 9f1a9800c26a16ad9e413060e9c4becc075f7b3b
SHA256 6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01
SHA512 95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7