Analysis
max time kernel: 62s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2025, 14:44
Static task: static1
Behavioral task: behavioral1
Sample: poisson.exe
Resource: win10v2004-20250502-en
General
Target: poisson.exe
Size: 64KB
MD5: 953e68edbc8049cffa5e9334608babc7
SHA1: 8650fb2d0c190c704cb86dbd57e25852bf8d9e31
SHA256: 15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e
SHA512: f488d726649c6a1b29376bff28a649a69221e8f62dd96f67b8dafb182b71c755589c2f5a48bc45c45c0085ef759ff3293440b3c55358cea0ce2efe6175b85c17
SSDEEP: 1536:3gyNSHtoW8lnk5dksapxWZhx7ajQIc5HhO:3gyNCoR6PJzh8
Malware Config
Signatures
Disables RegEdit via registry modification (1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  process: poisson.exe
Disables Task Manager via registry modification
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper
  process: poisson.exe
Kills process with taskkill (1 IoC)
  pid: 3316
  process: taskkill.exe
Opens file in notepad (likely ransom note) (1 IoC)
  pid: 4456
  process: NOTEPAD.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process       procid_target
  PID 304 wrote to memory of 4720    304   poisson.exe   99
  PID 304 wrote to memory of 4720    304   poisson.exe   99
  PID 4720 wrote to memory of 3316   4720  cmd.exe       100
  PID 4720 wrote to memory of 3316   4720  cmd.exe       100
  PID 304 wrote to memory of 4624    304   poisson.exe   101
  PID 304 wrote to memory of 4624    304   poisson.exe   101
  PID 304 wrote to memory of 1592    304   poisson.exe   105
  PID 304 wrote to memory of 1592    304   poisson.exe   105
Processes
C:\Users\Admin\AppData\Local\Temp\poisson.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\poisson.exe"
  PID: 304
  - Disables RegEdit via registry modification
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM *
      PID: 4720
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill /F /IM *
          PID: 3316
          - Kills process with taskkill
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      PID: 4624
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c start explorer.exe
      PID: 1592
C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt
  PID: 4456
  - Opens file in notepad (likely ransom note)
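The signatures and process tree above can be replayed as detection logic. The script below is an added example, not part of the sandbox report and not Triage's own signature code: the EVENTS list is constructed by hand from the report's IoC rows and process tree in a Sysmon-like shape (EventID 1 for process creation, EventID 13 for a registry value set), the rule names are my own, and two things the report does not record (the wallpaper value written and the parent of NOTEPAD.EXE) are left empty rather than guessed. The rules flag the per-user policy lockout values (DisableRegistryTools, and DisableTaskMgr for the "Disables Task Manager" signature whose IoC row the report omits), the wallpaper write, taskkill with a wildcard image name, and the kill-then-start of explorer.exe from the same parent that the tree shows.

```python
import re
from collections import defaultdict

# Constructed event records, built by hand from the report's IoC tables and
# process tree above (not a real Sysmon export). Field names follow Sysmon:
# EventID 1 = process create, EventID 13 = registry value set.
SID = "S-1-5-21-186956858-2143653872-2609589082-1000"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\poisson.exe"
CMD = r"C:\Windows\system32\cmd.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 304, "ParentProcessId": None, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 304, "Image": SAMPLE, "Details": "DWORD (0x00000001)",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"EventID": 13, "ProcessId": 304, "Image": SAMPLE, "Details": "",  # value not recorded in the report
     "TargetObject": HKU + r"\Control Panel\Desktop\Wallpaper"},
    {"EventID": 1, "ProcessId": 4720, "ParentProcessId": 304, "Image": CMD,
     "CommandLine": CMD + " /c taskkill /F /IM *"},
    {"EventID": 1, "ProcessId": 3316, "ParentProcessId": 4720,
     "Image": r"C:\Windows\system32\taskkill.exe", "CommandLine": "taskkill /F /IM *"},
    {"EventID": 1, "ProcessId": 4624, "ParentProcessId": 304, "Image": CMD,
     "CommandLine": CMD + " /c taskkill /f /im explorer.exe"},
    {"EventID": 1, "ProcessId": 1592, "ParentProcessId": 304, "Image": CMD,
     "CommandLine": CMD + " /c start explorer.exe"},
    {"EventID": 1, "ProcessId": 4456, "ParentProcessId": None,  # parent not shown in the report
     "Image": r"C:\Windows\system32\NOTEPAD.EXE",
     "CommandLine": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt'},
]

# Per-user policy values that lock the user out of regedit and Task Manager.
POLICY_RE = re.compile(r"\\Policies\\System\\(DisableRegistryTools|DisableTaskMgr)$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)
TASKKILL_IM_RE = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.I)
START_RE = re.compile(r"\bstart\s+(\S+)", re.I)


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) triples for the behaviours the report flags."""
    findings = []
    killed_by_parent = defaultdict(set)   # parent pid -> image names given to taskkill /IM
    started_by_parent = defaultdict(set)  # parent pid -> image names given to 'start'
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 13:
            target = e["TargetObject"]
            m = POLICY_RE.search(target)
            if m and dword_value(e.get("Details")) == 1:
                findings.append(("policy_lockout", pid, m.group(1)))
            elif WALLPAPER_RE.search(target):
                findings.append(("wallpaper_set", pid, target))
        elif e["EventID"] == 1:
            cmdline = e["CommandLine"]
            m = TASKKILL_IM_RE.search(cmdline)
            if m:
                name = m.group(1).lower()
                killed_by_parent[e["ParentProcessId"]].add(name)
                if any(c in name for c in "*?"):  # 'taskkill /F /IM *' kills everything it can
                    findings.append(("taskkill_wildcard", pid, name))
            m = START_RE.search(cmdline)
            if m:
                started_by_parent[e["ParentProcessId"]].add(m.group(1).lower())
    # taskkill of explorer.exe plus a start of explorer.exe from the same parent:
    # the pattern in the process tree above, consistent with forcing the shell to reload.
    for parent, killed in killed_by_parent.items():
        if "explorer.exe" in killed and "explorer.exe" in started_by_parent.get(parent, set()):
            findings.append(("explorer_restart", parent, "explorer.exe"))
    return findings


def ancestry(events, pid):
    """Walk ParentProcessId links to the root; returns image names root-first."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:18} pid={pid:<5} {' > '.join(ancestry(EVENTS, pid))}  {detail}")
```

The wildcard rule fires twice (once on the cmd.exe wrapper, once on taskkill.exe itself), which mirrors how the report attributes the same action to both processes; de-duplicate on the leaf process if you only want one alert per action. On a real host the two policy values live under the affected user's hive (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System), so removing DisableRegistryTools and DisableTaskMgr there restores regedit and Task Manager once the sample is stopped.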
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 141B
MD5: 69702271784613bd8494690f5b95a615
SHA1: 9f1a9800c26a16ad9e413060e9c4becc075f7b3b
SHA256: 6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01
SHA512: 95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7