Malware Analysis Report

2025-06-16 06:28

Sample ID: 250529-l25q2sbn71
Target: 256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75
SHA256: 256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75
Tags: cosmu discovery ransomware worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V16)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75

Threat Level: Known bad

The file 256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5329) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V16. The one technique the report's signatures map is Discovery > System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry key read recorded under behavioral1. The mass rename of 5329 files that drives the ransomware tag carries no technique entry in the report; in the Enterprise matrix that behaviour falls under Impact > Data Encrypted for Impact (T1486).

Analysis: static1

Detonation Overview

Reported: 2025-05-29 10:02

Signatures

Cosmu family

cosmu

Detects Cosmu payload

No indicator rows recorded for this signature (Description, Indicator, Process and Target all N/A).

Unsigned PE

No indicator rows recorded for this signature (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-29 10:02
Reported: 2025-05-29 10:05
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

No indicator rows recorded for this signature (Description, Indicator, Process and Target all N/A in both rows).

Renames multiple (5329) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
All 64 rows are "File created" events; Process is C:\Users\Admin\AppData\Local\Temp\256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75.exe and Target is N/A for every row, so only the Indicator (created path) is listed below. Each path is an existing installed file's name with .tmp appended; the report does not state what final extension the 5329 renamed files receive.

C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp
C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp
C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll.tmp
C:\Program Files\7-Zip\Lang\hr.txt.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp
C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\Microsoft.WindowsDesktop.App.deps.json.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp
C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp
C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp
C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx.tmp
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.ServicePoint.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp
C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL.tmp

System Location Discovery: System Language Discovery

discovery (ATT&CK T1614.001)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75.exe N/A

Reading this key tells a process which system language is installed. The report records only that the key was opened, not what the sample did with the value.
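As an added illustration of how the behavioural signatures above are evaluated (this is not the sandbox's own signature code), the following Python replays a constructed event stream through three heuristics: mass creation of .tmp files under Program Files by one process, renames that append an extension rather than replace it, and a read of the NLS\Language key. The event record shape, the thresholds, the sample.exe name and the .locked extension are assumptions; the report does not state the extension this sample appends.

```python
import ntpath
import re
from collections import Counter

# Signature names mirror the report's wording so hits read like its tables.
SIG_PROGRAM_FILES_TMP = "Drops file in Program Files directory"
SIG_ADDED_EXTENSION = "Renames multiple ({n}) files with added filename extension"
SIG_LANGUAGE_DISCOVERY = "System Location Discovery: System Language Discovery"

PROGRAM_FILES = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\")
NLS_LANGUAGE_KEY = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)

# Constructed sample event stream (assumption: sandbox output reduced to
# file_created / file_renamed / key_opened records with a process field).
# ".locked" is a placeholder extension, not one taken from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"kind": "file_created", "process": SAMPLE,
     "path": r"C:\Program Files\7-Zip\Lang\hr.txt.tmp"},
    {"kind": "file_created", "process": SAMPLE,
     "path": r"C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp"},
    {"kind": "file_created", "process": SAMPLE,
     "path": r"C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp"},
    {"kind": "file_created", "process": SAMPLE,            # user profile, not Program Files
     "path": r"C:\Users\Admin\Documents\notes.txt.tmp"},
    {"kind": "file_renamed", "process": SAMPLE,
     "src": r"C:\Users\Admin\Documents\notes.txt",
     "dst": r"C:\Users\Admin\Documents\notes.txt.locked"},
    {"kind": "file_renamed", "process": SAMPLE,
     "src": r"C:\Users\Admin\Pictures\cat.jpg",
     "dst": r"C:\Users\Admin\Pictures\cat.jpg.locked"},
    {"kind": "file_renamed", "process": SAMPLE,            # extension replaced, not added
     "src": r"C:\Users\Admin\Pictures\dog.jpg",
     "dst": r"C:\Users\Admin\Pictures\dog.png"},
    {"kind": "key_opened", "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"kind": "file_created", "process": r"C:\Windows\explorer.exe",  # benign: no .tmp suffix
     "path": r"C:\Program Files\Common Files\x.log"},
]


def is_added_extension_rename(src: str, dst: str) -> bool:
    """True when dst is src with one more extension appended in the same folder
    (notes.txt -> notes.txt.locked); false when the extension is merely replaced."""
    src_dir, src_name = ntpath.split(src)   # ntpath handles backslashes on any host OS
    dst_dir, dst_name = ntpath.split(dst)
    if src_dir.lower() != dst_dir.lower():
        return False
    return (dst_name.lower().startswith(src_name.lower() + ".")
            and len(dst_name) > len(src_name) + 1)


def evaluate(events, tmp_threshold=3, rename_threshold=2):
    """Return {process: [signature, ...]} for every process that crosses a threshold."""
    tmp_drops = Counter()
    renames = Counter()
    language_readers = set()
    for ev in events:
        proc = ev["process"]
        if ev["kind"] == "file_created":
            if PROGRAM_FILES.match(ev["path"]) and ev["path"].lower().endswith(".tmp"):
                tmp_drops[proc] += 1
        elif ev["kind"] == "file_renamed":
            if is_added_extension_rename(ev["src"], ev["dst"]):
                renames[proc] += 1
        elif ev["kind"] == "key_opened":
            if NLS_LANGUAGE_KEY.search(ev["key"]):
                language_readers.add(proc)

    hits = {}
    for proc, n in tmp_drops.items():
        if n >= tmp_threshold:
            hits.setdefault(proc, []).append(SIG_PROGRAM_FILES_TMP)
    for proc, n in renames.items():
        if n >= rename_threshold:
            hits.setdefault(proc, []).append(SIG_ADDED_EXTENSION.format(n=n))
    for proc in language_readers:
        hits.setdefault(proc, []).append(SIG_LANGUAGE_DISCOVERY)
    return hits


if __name__ == "__main__":
    for proc, sigs in evaluate(EVENTS).items():
        print(proc)
        for sig in sigs:
            print("  -", sig)
```

The thresholds are deliberately low so the constructed stream trips them; a production rule would use counts in the hundreds, as the 5329 renames in this report suggest, and would also require the renames to land in a short time window so that legitimate installers do not fire it.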

Processes

C:\Users\Admin\AppData\Local\Temp\256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75.exe

"C:\Users\Admin\AppData\Local\Temp\256b244320bdb456feb3bccac7cd870698b1fa53b1fd32b39f02e03003284b75.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

The table has no Process column, so the report does not attribute any of these flows to the sample. A DNS lookup plus HTTPS to tse1.mm.bing.net (Bing image delivery) and a DNS lookup plus HTTP to c.pki.goog (Google Trust Services CRL/OCSP) are the kind of background traffic a Windows 10 sandbox generates on its own; no command-and-control endpoint is recorded for this detonation.

Files

C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.tmp

MD5 e87ffac661e69e7a9569ad822027772b
SHA1 10e8f13d5b38ba3ba4eb77d710756c6839921fe5
SHA256 b1b0ef8df090c6820c5169886bdb7432c41e6fd3857130eb392cb7312b75479f
SHA512 da107650ea5f4704f6877a81883a19d09fefa9ae07003ff474ff6d62b747f685ed7e42da1f33174e60ebf44ace2c3f35a0d347bb294a9cbf4b9ab6d2dc045987

C:\f21fae8705b262c53286e8\2010_x86.log.html.tmp

MD5 449ee94a5bb80d20211c8a291f93085f
SHA1 3b069b45ceea0691a48627623234aa534fe40328
SHA256 ff579bb66b26a9ad3b76ab36525b43eabec773605e1886d828061bcaaab5e3df
SHA512 45392d9eec9671f3ba1bf22cebbac2ae46fb546a61ddc944cdc00cdc9db7abbef18727063ef71bdf67e79f2fd19c163687b659f55b04e01c84613c7e503366eb