b6d420887f6e68e76f2950255ba566aac3d04ca235d6db757d29db12f1b95d20

Analysis

max time kernel
104s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CosmoHWIDspoofer.exe
Size

10.2MB
MD5

d2051fb11ff11066577e94ac352dd53f
SHA1

1d9b4f051e009b1ad0fbb75056fa4e2e048d179c
SHA256

b6d420887f6e68e76f2950255ba566aac3d04ca235d6db757d29db12f1b95d20
SHA512

ff2dc20bb72174ca1169910e45d62e1c4ab9c9973f0b8ea16a2c7db4b4b942db86f5f0b13b25e26a0e8a6df316aa5a89ec54e9a0437dfb2725ac78b2eb5917c3
SSDEEP

196608:iOCoVv26AhR3bPcStA5GjhtZo08pev5YZ+I2+xApmDNmN81G6gWU:iOPY6AhR3bdt9hP8I5pmR4kvU

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 21 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000241a5-45.dat	acprotect
behavioral1/files/0x0007000000024180-51.dat	acprotect
behavioral1/files/0x000700000002418f-53.dat	acprotect
behavioral1/files/0x0007000000024183-78.dat	acprotect
behavioral1/files/0x000700000002418e-80.dat	acprotect
behavioral1/files/0x000700000002418a-76.dat	acprotect
behavioral1/files/0x0007000000024189-75.dat	acprotect
behavioral1/files/0x0007000000024188-74.dat	acprotect
behavioral1/files/0x0007000000024187-73.dat	acprotect
behavioral1/files/0x0007000000024186-72.dat	acprotect
behavioral1/files/0x0007000000024185-71.dat	acprotect
behavioral1/files/0x0007000000024184-70.dat	acprotect
behavioral1/files/0x0007000000024182-68.dat	acprotect
behavioral1/files/0x0007000000024181-67.dat	acprotect
behavioral1/files/0x000700000002417f-66.dat	acprotect
behavioral1/files/0x000700000002417e-65.dat	acprotect
behavioral1/files/0x00070000000241a8-64.dat	acprotect
behavioral1/files/0x00070000000241a7-63.dat	acprotect
behavioral1/files/0x00070000000241a6-62.dat	acprotect
behavioral1/files/0x00070000000241a4-61.dat	acprotect
behavioral1/files/0x0007000000024191-60.dat	acprotect

Loads dropped DLL 6 IoCs

pid	Process
1020	CosmoHWIDspoofer.exe
1020	CosmoHWIDspoofer.exe
1020	CosmoHWIDspoofer.exe
1020	CosmoHWIDspoofer.exe
1020	CosmoHWIDspoofer.exe
1020	CosmoHWIDspoofer.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000241a5-45.dat	upx
behavioral1/memory/1020-49-0x0000000074840000-0x0000000074C81000-memory.dmp	upx
behavioral1/files/0x0007000000024180-51.dat	upx
behavioral1/memory/1020-54-0x0000000074790000-0x00000000747AF000-memory.dmp	upx
behavioral1/files/0x000700000002418f-53.dat	upx
behavioral1/files/0x0007000000024183-78.dat	upx
behavioral1/memory/1020-79-0x0000000074770000-0x0000000074780000-memory.dmp	upx
behavioral1/files/0x000700000002418e-80.dat	upx
behavioral1/memory/1020-81-0x0000000074510000-0x000000007476B000-memory.dmp	upx
behavioral1/files/0x000700000002418a-76.dat	upx
behavioral1/files/0x0007000000024189-75.dat	upx
behavioral1/files/0x0007000000024188-74.dat	upx
behavioral1/files/0x0007000000024187-73.dat	upx
behavioral1/files/0x0007000000024186-72.dat	upx
behavioral1/files/0x0007000000024185-71.dat	upx
behavioral1/files/0x0007000000024184-70.dat	upx
behavioral1/files/0x0007000000024182-68.dat	upx
behavioral1/files/0x0007000000024181-67.dat	upx
behavioral1/files/0x000700000002417f-66.dat	upx
behavioral1/files/0x000700000002417e-65.dat	upx
behavioral1/files/0x00070000000241a8-64.dat	upx
behavioral1/files/0x00070000000241a7-63.dat	upx
behavioral1/files/0x00070000000241a6-62.dat	upx
behavioral1/files/0x00070000000241a4-61.dat	upx
behavioral1/files/0x0007000000024191-60.dat	upx
behavioral1/files/0x0007000000024190-59.dat	upx
behavioral1/memory/1020-56-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral1/memory/1020-82-0x0000000074840000-0x0000000074C81000-memory.dmp	upx
behavioral1/memory/1020-83-0x0000000074790000-0x00000000747AF000-memory.dmp	upx
behavioral1/memory/1020-84-0x0000000074840000-0x0000000074C81000-memory.dmp	upx
behavioral1/memory/1020-92-0x0000000074510000-0x000000007476B000-memory.dmp	upx
behavioral1/memory/1020-91-0x0000000074770000-0x0000000074780000-memory.dmp	upx
behavioral1/memory/1020-90-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral1/memory/1020-89-0x0000000074790000-0x00000000747AF000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CosmoHWIDspoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CosmoHWIDspoofer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1020	3308	CosmoHWIDspoofer.exe	86
PID 3308 wrote to memory of 1020	3308	CosmoHWIDspoofer.exe	86
PID 3308 wrote to memory of 1020	3308	CosmoHWIDspoofer.exe	86

C:\Users\Admin\AppData\Local\Temp\CosmoHWIDspoofer.exe
"C:\Users\Admin\AppData\Local\Temp\CosmoHWIDspoofer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\CosmoHWIDspoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\CosmoHWIDspoofer.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1020

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI33082\VCRUNTIME140.dll

Filesize
74KB

MD5
31ce620cb32ac950d31e019e67efc638

SHA1
eaf02a203bc11d593a1adb74c246f7a613e8ef09

SHA256
1e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf

SHA512
603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_asyncio.pyd

Filesize
28KB

MD5
4da968a8df3375e9b4c545d5b26785db

SHA1
b1fc2408cad91604dddb0db9ead3f16c8fd33bcf

SHA256
52368b5683f461e0fed80c559c64ac6b2df1b2e37b6a86597d503c045d69ca5a

SHA512
0ce23e2b8402765a83de886aaa2587bea73d83da63c5873f6091554035414726dc7e84f6168bca23483eb28599418693aeb75c0c8d4ad9a879fa67433bb38986

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_bz2.pyd

Filesize
39KB

MD5
38d5227674571f67443380eab2cdd469

SHA1
bec0e7efc2bc3badf30d13df7cf5f391428f3f1c

SHA256
b4d0f1643b1fd4c2d2febbb508b11bec0b4e247569e3d9b3d6ae6943b8d77a72

SHA512
05489f8faaf06f709a6faf91e86066132f3705b1c12fb18b6c7487f35bcbe223de782874c7686d93bcacb5d02e84ee380d03ceff7c3746ed8533a968e11a23fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_ctypes.pyd

Filesize
48KB

MD5
35e83a17f43047cb2d7b1dc76214bba6

SHA1
addcf26314da71995333bd4ef264b73a9483853d

SHA256
f4b9d46eb465dc3d623aec5d0a2ff3e841cf24c2811d22c7266124bccc665a42

SHA512
de3f05974afad7ab2edee4f50c5c13fb7664898192e01f4140aa41e4b30310453e49066e8b8f171b4312680724e5a5ba49b5b7a7ea9cb84f0fc02d2ac830865e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_decimal.pyd

Filesize
73KB

MD5
84f2fdae1a95d803785dd970455e5903

SHA1
ec5be0860f64467c033e0f1f1ce15b6d2d959239

SHA256
dac4b472fd32439483f2aad605802be9bbeee609f003c7d27a96bcdd93826ab7

SHA512
71d22c76102497262e008e07c652cdce3ce47730f2962066240a037daedd1d42171efa3fb177524ce76a469cd49bc740db504ebe580f8fc909e4a2b3465290c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_elementtree.pyd

Filesize
46KB

MD5
a6e641f071ec2cd76ad0857ffaf27b80

SHA1
47dc199b46f35769556376750c8f41bdfb6c9751

SHA256
4feafbdebae58dc0601b7c41ec30eb33144ca672ec8f436a01b9b7b485d5b8e8

SHA512
33607fb2ba9b5b13f14b3cccedfaddab81f8222a305a6de484cde281da0957ce14210b9afd01d80cae176e3290ca6b82d20688ed839703844496ab2869327ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_hashlib.pyd

Filesize
25KB

MD5
65259659ec674bc9d04c4950caedc5c1

SHA1
5e0bdf55423ad25d074986214eb106ab2153762f

SHA256
9d529152181cf39fbb2090b6bfd3c8e0ef1f22e5ecd7223de7b88354c20e9913

SHA512
6218e0b4349c78c4441aaf2f120744f441284880d4039681290f52fad1aa672efc8fb306bfeb559a2937e5c9bce8de4d19a5467d7f6c13149de5a53a4b86c29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_lzma.pyd

Filesize
74KB

MD5
a6783fda33e2b8f0781ca098c733f0d8

SHA1
64ce7362d09f5451664125527fbfa43327333783

SHA256
3190f7d670e27e199e13016801563e3f2260911b0bdc568d025a3a0230a76af8

SHA512
0c5d28292f5c7c0bd4ff99b84910dc453832c3eadf261b1cd33f7563de631632eb404545e4d4510d429bf45ce1edae0036efcc1bbe423ab1f2622f9a2300c69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_multiprocessing.pyd

Filesize
20KB

MD5
332ac21d55993808c10c03a4688351e6

SHA1
1d3876de9fe6a056fa843855c0eefe4272a081a0

SHA256
cedc45a5e46e041fcc1e68569ec9684726bdc74ee4616e4b33289317c0d4e932

SHA512
e47b952acae88a4e5f7ed1a4b8ceb4dde8c0994e8c25f8592f8cd18fed4a10b618657ecdc3e02e9ed8692e5a4e560bc03481470b1f17da08470a4469b1eea847

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_overlapped.pyd

Filesize
24KB

MD5
a4c73da03ebf5351392e8561e1bc9a39

SHA1
e0a54db5b84a4402ce73894574186cd71f73478a

SHA256
67608e5831dfc3514dfb21b9484147a8e2d1bcf5b79ef833f287fddda7640f2e

SHA512
d425d83ae9b66550d04e27c82de99b28f5104e602b7c4508b5352528af85e729a028dc4ceb48d7b7922eb9434b8ff7c8646e1d46239d29332dd4563844dc1801

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_queue.pyd

Filesize
20KB

MD5
63b09777786af377aecab3a765fc8acc

SHA1
b1fa8a9507548bd24274513e718345bd9738ac62

SHA256
ed2d026d97267ee02e507c2cd8761bb5d04ff37bbfae9a3e193b2b005faa02b0

SHA512
2db58b9dc8d8bdbfa5a66a6de8905111251da8066300edeabb371417ee0b8cfe2ac8d97c34d67c72da85cb328258e037f87cbaecde93b111b164676749589a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_socket.pyd

Filesize
34KB

MD5
b762e4a767eb526e9c03993133eb5be4

SHA1
b537e4d47ad94402e5159086741c25c559fcc196

SHA256
7aafaa8a3a679f3a9c91fba3ffd5b9036c2d2ff5a0cf50eb2e47c75a6898892f

SHA512
071611688109dc7312740fe9eeb71e5129dc515d27adffd1bc8bd0bf0e02dfc2a8adeb6aebbb06a005381c49ef637184927e2eec43d37ddca232b00733334502

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_sqlite3.pyd

Filesize
34KB

MD5
cf45ebd2de10b80d13e6d3a32030d321

SHA1
a0666865763f02a3bd59b38b26e8ef741d3d4b2a

SHA256
f73ac6866b6acf7afd2a18bf95202edc9a97666e6ba9f30c96987e0481459335

SHA512
5abd3116ead84b3944cef5dcce425a8008082fe6615289cba1b16b1167b1f3a5d5fa8c9d908b42cee99738f199a1bb0d5e0d709532ef0cda47230ee5e46bd76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_ssl.pyd

Filesize
53KB

MD5
f55ce9a16509e997d0ad5ea5c640642d

SHA1
6e9f6385310231dc09f0bee7e5dba91a94c0bcfa

SHA256
9a242a3d90770805261c6fa829a61efc487d2a3580b0cf8601df08675ada6c4d

SHA512
aa587c9f1a15fd3a0d94acb395dc0027f17b5171a296f4a2b82587724ebe8bde2468ac5d0689cb330d3d1c9858c2bd5af8096a972b5e15e5d4cb3fa054636a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\_uuid.pyd

Filesize
17KB

MD5
54f10c6f7f793fc393bc138c822bf918

SHA1
61a7cb976124e70c36dec56752e25f7d1efcc30c

SHA256
9de300ca515e6c7dc1518b662ccab87f8a23d86f3a387abff71ce2e9a3e0f809

SHA512
1696741d41a1d2c905cb470cb00c25c44094c121d3e93ff143b70ae49855719a723f90063e77d22b3b972f5c487bedef0238f6c2f39d5814d140c54f08013017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\base_library.zip

Filesize
858KB

MD5
b9c12c36992fc893892a07c7f561df57

SHA1
a16899f9d47a58a9650b040a8e092e8c444d3028

SHA256
4e29ce813bd807676854b6830cbb59ec0412a6f0051146d7c56a0fa3c6ed0edf

SHA512
4ce1a96540a595337a3abb1d0583817aebd7e1a9285f74249c7a19e275e947240adf806431c484ae438cd9f757ced1aeb750681fe3a1b2745d27fa901568ade3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\crypto_clipper.json

Filesize
155B

MD5
8bff94a9573315a9d1820d9bb710d97f

SHA1
e69a43d343794524b771d0a07fd4cb263e5464d5

SHA256
3f7446866f42bcbeb8426324d3ea58f386f3171abe94279ea7ec773a4adde7d7

SHA512
d5ece1ea9630488245c578cb22d6d9d902839e53b4550c6232b4fb9389ef6c5d5392426ea4a9e3c461979d6d6aa94ddf3b2755f48e9988864788b530cdfcf80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\libcrypto-1_1.dll

Filesize
749KB

MD5
28b61d0e3ba8e0d6f766cdc4203287b1

SHA1
2deeb4b3014c9b7642e944d5aa7068c6e3e556b2

SHA256
5c5563604dca182e71d9161c2c863dbfe00633235868e069fcf2e634351e32d3

SHA512
7f551733e948db223fb09f225c0d8242beec96c9d56e7038a5f9f46f26c50dbf7791a7c14203e75eebf31ca346b1949c11915b53c73964938edc1774a6e6679a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\libffi-7.dll

Filesize
22KB

MD5
be02e3ba1fddb2bef792c6f179442431

SHA1
1b87681c55e0d343c217ceaee48f6e5a73b33ce1

SHA256
c763cceb2134aef0cfa4dbd201e9f60c1441e169886d8a80e09eff855396f997

SHA512
a5e5d383c419433592a6d8c6a36e0ecb8a2ddb5b15dffa22b94fe2cbda1fae07404ae2fdce93222c2c10397375eb7725d4dd44afe8624222adfa7724ba54f021

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\libopus-0.x64.dll

Filesize
217KB

MD5
e56f1b8c782d39fd19b5c9ade735b51b

SHA1
3d1dc7e70a655ba9058958a17efabe76953a00b4

SHA256
fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732

SHA512
b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\libssl-1_1.dll

Filesize
168KB

MD5
ba40b6126b8f2b496e191f66dbe306e3

SHA1
f8c2c50d36799695d80fc77315e911a85c24d70c

SHA256
684510cf3e6b65bcad33cc75ccdf71f67d7c32180e03e1b086b4fdd6664cdcf4

SHA512
173e69bf1c7ff8703f0ae7a9e3e9ec84c9e0be0790ad88bf6d5963c3eee1a8f4af925cb0d1dce70f39597cfa55e39fdbbfcbb1c919a68de1daf79949456a68dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\pyexpat.pyd

Filesize
65KB

MD5
4b863e7fa2a640e164ddb1be17e86089

SHA1
602fb5959b5001c113888a0b0245407f062ea964

SHA256
975db8da530b49f7431c4701d5ce6d3760eca682dc070468d803cedecd97bf0e

SHA512
9f1bcb1db4388c4039bb2509d83d5185d2642bf29d2329df16af2bd2263c257d993a863d23e69fe097b452a3b1a728d5c979c9524e8ec6027c9ec784ab0786e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\python310.dll

Filesize
1.2MB

MD5
6a906dbe99f466748bb6c265a2ff7074

SHA1
4f399cb774f1fa9c01f365b7df87d07e8fbb0186

SHA256
8bf1567e6fe97ef7da18dfe95235eb105ed4b504d0a4d03632e14d9c8b61c7b0

SHA512
d3ca7cc0a1464a366f2d1fe8409bcfc8de7e2dc11af04a553bb150757112c24d189c1ea7e45638ca6a499a369ff1b21e0de60a1a31c8d3804d2dad6bd5d057b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\select.pyd

Filesize
19KB

MD5
845bc7cbc901df09d049c0e85820429c

SHA1
1bc09f886532db7ff9417f425cb4ae8efff54fdd

SHA256
2e279b4957270980e93ab2a4ada2d75ffc7e84711337f921f9623baf009b175d

SHA512
835ffac00b0b94ce82824d4c365be3ba8930592ed5c106760c7beb6861202a112f2e639cd816624e38d01849941b0087d02fd33e906e4641b4282492a2867f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\sqlite3.dll

Filesize
483KB

MD5
43865ed06e0d0ca408af9d5d78fbd41a

SHA1
48e9e6862a787038f39cb853535aa0976d7ad3d5

SHA256
6549e348192c1988790f81c306a7ac2be0956e3ae61e1fc792f8f8d44e6ff46a

SHA512
890d48a4c0cbbe9e6534095dde24d853a075b7c265ffd814ad743c2534a2b66ff05cfac0828d93ac05313f9af75d5af77ba8a928a81de4302620a7f233e53c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\unicodedata.pyd

Filesize
281KB

MD5
a5868f8b17c557895359735093789c80

SHA1
66139478a335cbc29f0826344661f82edce9d6f5

SHA256
b8b7d599feaf40924539edb4d5271b214756ebcfe424dde4cc484794b37c2ff0

SHA512
d62fd5fde488a4aaaa308534515450a3122e54fa5f11a064a882d7db8a4260d4eb5d1d8644df4887eb94b16100427a7be466b71351f7492d41e51a339dfae6af

Download Submit
memory/1020-49-0x0000000074840000-0x0000000074C81000-memory.dmp

Filesize
4.3MB

Download
memory/1020-79-0x0000000074770000-0x0000000074780000-memory.dmp

Filesize
64KB

Download
memory/1020-54-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download
memory/1020-81-0x0000000074510000-0x000000007476B000-memory.dmp

Filesize
2.4MB

Download
memory/1020-56-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/1020-82-0x0000000074840000-0x0000000074C81000-memory.dmp

Filesize
4.3MB

Download
memory/1020-83-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download
memory/1020-84-0x0000000074840000-0x0000000074C81000-memory.dmp

Filesize
4.3MB

Download
memory/1020-92-0x0000000074510000-0x000000007476B000-memory.dmp

Filesize
2.4MB

Download
memory/1020-91-0x0000000074770000-0x0000000074780000-memory.dmp

Filesize
64KB

Download
memory/1020-90-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/1020-89-0x0000000074790000-0x00000000747AF000-memory.dmp

Filesize
124KB

Download