Analysis Overview
SHA256
15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e
Threat Level: Likely malicious
The file poisson.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Sets desktop wallpaper using registry
Unsigned PE
Kills process with taskkill
Runs regedit.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-18 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 12:24
Reported
2025-05-18 12:27
Platform
win10v2004-20250502-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\poisson.exe | N/A |
Disables Task Manager via registry modification
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\AppData\Local\Temp\poisson.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "172" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1180 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 1180 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 4480 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4480 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1180 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 1180 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 1180 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 1180 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\poisson.exe | "C:\Users\Admin\AppData\Local\Temp\poisson.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /F /IM * |
| C:\Windows\system32\taskkill.exe | taskkill /F /IM * |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c start explorer.exe |
| C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\regedit.exe | "C:\Windows\regedit.exe" |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /7 |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3939055 /state1:0x41c64e6d |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| N/A | 100.85.210.66:80 | c.pki.goog | tcp |
Files
memory/1180-1-0x00007FF626800000-0x00007FF626813000-memory.dmp
C:\Users\Admin\Desktop\lol.txt
| Hash | Value |
| --- | --- |
| MD5 | 69702271784613bd8494690f5b95a615 |
| SHA1 | 9f1a9800c26a16ad9e413060e9c4becc075f7b3b |
| SHA256 | 6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01 |
| SHA512 | 95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7 |