Malware Analysis Report

2025-08-10 20:09

Sample ID: 250518-r376fser21
Target: poisson.exe
SHA256: 15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e
Tags: defense_evasion, ransomware
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 15437935f0c1c254b6417bcb83a5549dc4fd74f9380554f7df0a369f38cfdc9e

Threat Level: Likely malicious

The file poisson.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: defense_evasion, ransomware

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Sets desktop wallpaper using registry

Unsigned PE

Kills process with taskkill

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-18 14:44

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-18 14:44

Reported: 2025-05-18 14:45

Platform: win10v2004-20250502-en

Max time kernel: 62s

Max time network: 63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\poisson.exe"

Signatures

Disables RegEdit via registry modification

Tag: defense_evasion

Description: Set value (int)
Indicator: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Process: C:\Users\Admin\AppData\Local\Temp\poisson.exe
Target: N/A

Disables Task Manager via registry modification

Tag: defense_evasion

Sets desktop wallpaper using registry

Tag: ransomware

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper
Process: C:\Users\Admin\AppData\Local\Temp\poisson.exe
Target: N/A

Kills process with taskkill

Tag: defense_evasion

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\taskkill.exe
Target: N/A

Opens file in notepad (likely ransom note)

Tag: ransomware

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\NOTEPAD.EXE
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\poisson.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\poisson.exe"

Process: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM *

Process: C:\Windows\system32\taskkill.exe
Command line: taskkill /F /IM *

Process: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe

Process: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c start explorer.exe

Process: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lol.txt

Network

Country  Destination           Domain             Proto
US       8.8.8.8:53            g.bing.com         udp
US       150.171.27.10:443     g.bing.com         tcp
GB       92.123.128.154:443    www.bing.com       tcp
GB       92.123.128.154:443    www.bing.com       tcp
US       8.8.8.8:53            tse1.mm.bing.net   udp
US       150.171.28.10:443     tse1.mm.bing.net   tcp
US       150.171.28.10:443     tse1.mm.bing.net   tcp
US       150.171.28.10:443     tse1.mm.bing.net   tcp
US       150.171.28.10:443     tse1.mm.bing.net   tcp
US       150.171.28.10:443     tse1.mm.bing.net   tcp
US       8.8.8.8:53            c.pki.goog         udp
NL       172.217.168.195:80    c.pki.goog         tcp

Files

memory/304-1-0x00007FF6747F0000-0x00007FF674803000-memory.dmp

memory/304-2-0x00007FF6747F0000-0x00007FF674803000-memory.dmp

C:\Users\Admin\Desktop\lol.txt

MD5: 69702271784613bd8494690f5b95a615
SHA1: 9f1a9800c26a16ad9e413060e9c4becc075f7b3b
SHA256: 6078b7b112253bb7f7a9b7658f46d275bd4ca82c279c175e90d90138a7f1fe01
SHA512: 95ef8cf303df36be6755572fa97c8deb76060b5c30ef2999d5c5789e0bdfefa53cc2d3b1317bde0d2e7118da255b37f50a5af92aca6318bb4ce453bec52f7ba7