Analysis Overview
SHA256
15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e
Threat Level: Likely malicious
The file poisson.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Sets desktop wallpaper using registry
Unsigned PE
Kills process with taskkill
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-18 14:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 14:44
Reported
2025-05-18 14:45
Platform
win10v2004-20250502-en
Max time kernel
62s
Max time network
63s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\poisson.exe | N/A |
Disables Task Manager via registry modification
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\AppData\Local\Temp\poisson.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 304 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 304 wrote to memory of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 4720 wrote to memory of 3316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4720 wrote to memory of 3316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 304 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 304 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 304 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
| PID 304 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\poisson.exe | C:\Windows\system32\cmd.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\poisson.exe | "C:\Users\Admin\AppData\Local\Temp\poisson.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /F /IM * |
| C:\Windows\system32\taskkill.exe | taskkill /F /IM * |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c start explorer.exe |
| C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt |
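Detection logic for the behaviours recorded above, written as an added example (it is not output of the sandbox and not code from the sample). It replays a constructed set of process-creation and registry-set events that mirror the behavioral1 process tree, attributes each hit to the nearest ancestor running from a user-writable path (so cmd.exe and taskkill.exe do not absorb findings that belong to poisson.exe), and maps the rule set to a coarse threat level. PIDs 304, 4720, 3316, 4624 and 1592 are taken from the report; the notepad PID, the parent PID of poisson.exe, the wallpaper path, the DisableTaskMgr write (listed in the summary but absent from the report detail), the benign control event and the rule weights are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One sandbox/EDR event. kind is "process" (creation) or "registry" (value set)."""
    kind: str
    pid: int
    ppid: int
    image: str          # path of the acting process
    cmdline: str = ""   # process events only
    key: str = ""       # registry events only: full path of the value written
    data: str = ""      # registry events only: data written


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\poisson.exe"
CMD = r"C:\Windows\system32\cmd.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000"

# Constructed sample mirroring the behavioral1 tree. Notepad PID 5100, parent PID 1000,
# the wallpaper path, the DisableTaskMgr write and the final benign cmd.exe are assumed.
SAMPLE_EVENTS = [
    Event("process", 304, 1000, SAMPLE_EXE, cmdline=f'"{SAMPLE_EXE}"'),
    Event("registry", 304, 1000, SAMPLE_EXE,
          key=HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", data="1"),
    Event("registry", 304, 1000, SAMPLE_EXE,
          key=HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", data="1"),
    Event("registry", 304, 1000, SAMPLE_EXE,
          key=HKCU + r"\Control Panel\Desktop\Wallpaper", data=r"C:\Users\Admin\AppData\Local\Temp\wp.bmp"),
    Event("process", 4720, 304, CMD, cmdline=CMD + r" /c taskkill /F /IM *"),
    Event("process", 3316, 4720, r"C:\Windows\system32\taskkill.exe", cmdline=r"taskkill /F /IM *"),
    Event("process", 4624, 304, CMD, cmdline=CMD + r" /c taskkill /f /im explorer.exe"),
    Event("process", 1592, 304, CMD, cmdline=CMD + r" /c start explorer.exe"),
    Event("process", 5100, 304, r"C:\Windows\system32\NOTEPAD.EXE",
          cmdline=r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt'),
    # Benign control: an operator killing one named process from an ordinary shell.
    Event("process", 6000, 2000, CMD, cmdline=CMD + r" /c taskkill /F /IM notepad.exe"),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
POLICY_VALUE = re.compile(r"\\policies\\system\\(disableregistrytools|disabletaskmgr)$", re.I)
WALLPAPER_VALUE = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)
TASKKILL_ALL = re.compile(r"\btaskkill\b.*\s/f\b.*\s/im\s+\*", re.I)      # taskkill /F /IM *
KILL_EXPLORER = re.compile(r"\btaskkill\b.*\s/im\s+explorer\.exe\b", re.I)
START_EXPLORER = re.compile(r"\bstart\s+explorer\.exe\b", re.I)
NOTEPAD_DESKTOP_TXT = re.compile(r'notepad\.exe"?\s+\S*\\desktop\\[^\\]+\.txt$', re.I)


def attribute(pid, procs):
    """Nearest ancestor (including pid itself) running from a user-writable path owns the finding."""
    seen, cur = set(), pid
    while cur in procs and cur not in seen:
        seen.add(cur)
        if USER_WRITABLE.search(procs[cur].image):
            return cur
        cur = procs[cur].ppid
    return pid


def analyze(events):
    """Return {pid: set of rule names} for each process that tripped a rule."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits, children = defaultdict(set), defaultdict(list)
    for e in events:
        owner = attribute(e.pid, procs)
        if e.kind == "registry":
            if POLICY_VALUE.search(e.key) and e.data == "1":
                hits[owner].add("disables_regedit" if e.key.lower().endswith("disableregistrytools")
                                else "disables_taskmgr")
            elif WALLPAPER_VALUE.search(e.key) and USER_WRITABLE.search(e.image):
                hits[owner].add("sets_wallpaper")
        else:
            children[e.ppid].append(e)
            if TASKKILL_ALL.search(e.cmdline):
                hits[owner].add("kills_all_processes")
            # A .txt opened on the Desktop only counts when something from a user path launched it.
            if NOTEPAD_DESKTOP_TXT.search(e.cmdline) and owner != e.pid:
                hits[owner].add("opens_desktop_txt")
    # Killing and restarting explorer.exe under one parent forces the new wallpaper to render.
    for ppid, kids in children.items():
        if any(KILL_EXPLORER.search(k.cmdline) for k in kids) and \
           any(START_EXPLORER.search(k.cmdline) for k in kids):
            hits[attribute(ppid, procs)].add("restarts_explorer")
    return dict(hits)


WEIGHTS = {"kills_all_processes": 3, "disables_regedit": 2, "disables_taskmgr": 2,
           "sets_wallpaper": 1, "restarts_explorer": 1, "opens_desktop_txt": 1}


def verdict(rules):
    """Coarse threat level from the rules a process tripped (weights and thresholds are this example's own)."""
    score = sum(WEIGHTS.get(r, 0) for r in rules)
    if score >= 5:
        return "likely malicious"
    if score >= 2:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for pid, rules in analyze(SAMPLE_EVENTS).items():
        print(pid, verdict(rules), sorted(rules))
```

The wildcard rule is deliberately narrow: `taskkill /F /IM *` kills every process the caller can reach and has no ordinary administrative use, whereas `taskkill /F /IM notepad.exe` from the control event is left alone. The DisableTaskMgr match relies on the well-known value name; the report itself only lists the behaviour, so treat that event as assumed.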
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 92.123.128.154:443 | www.bing.com | tcp |
| GB | 92.123.128.154:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 172.217.168.195:80 | c.pki.goog | tcp |
Files
memory/304-1-0x00007FF6747F0000-0x00007FF674803000-memory.dmp
memory/304-2-0x00007FF6747F0000-0x00007FF674803000-memory.dmp
C:\Users\Admin\Desktop\lol.txt
| MD5 | 69702271784613bd8494690f5b95a615 |
| SHA1 | 9f1a9800c26a16ad9e413060e9c4becc075f7b3b |
| SHA256 | 6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01 |
| SHA512 | 95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7 |