Resubmissions

18/05/2025, 14:44

250518-r376fser21 8

18/05/2025, 12:24

250518-plagradl3v 8

Analysis

  • max time kernel
    62s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 14:44

General

  • Target

    poisson.exe

  • Size

    64KB

  • MD5

    953e68edbc8049cffa5e9334608babc7

  • SHA1

    8650fb2d0c190c704cb86dbd57e25852bf8d9e31

  • SHA256

    15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e

  • SHA512

    f488d726649c6a1b29376bff28a649a69221e8f62dd96f67b8dafb182b71c755589c2f5a48bc45c45c0085ef759ff3293440b3c55358cea0ce2efe6175b85c17

  • SSDEEP

    1536:3gyNSHtoW8lnk5dksapxWZhx7ajQIc5HhO:3gyNCoR6PJzh8

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\poisson.exe
    "C:\Users\Admin\AppData\Local\Temp\poisson.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM *
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM *
        3⤵
        • Kills process with taskkill
        PID:3316
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      2⤵
      PID:4624
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start explorer.exe
      2⤵
      PID:1592
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4456

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\Desktop\lol.txt

    Filesize
    141B

    MD5
    69702271784613bd8494690f5b95a615

    SHA1
    9f1a9800c26a16ad9e413060e9c4becc075f7b3b

    SHA256
    6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01

    SHA512
    95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7

  • memory/304-1-0x00007FF6747F0000-0x00007FF674803000-memory.dmp

    Filesize
    76KB

  • memory/304-2-0x00007FF6747F0000-0x00007FF674803000-memory.dmp

    Filesize
    76KB