Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:02

General

  • Target: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
  • Size: 36KB
  • MD5: e204ff2be14abe4e9c07a6346d561744
  • SHA1: 67407ed4d8099cca875c688d35705cec34d12237
  • SHA256: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a
  • SHA512: aefb4305f90957dde69ea5a88301377fc288d9fd2cc819bd7b7709d1d90f762a657a96dadd730bc3a8cb4010913abfa58ff02b7470b11cc766a07cfb7ecbb000
  • SSDEEP: 768:uZ4FLz8ae+rOn8ae+rOrZkZ/7GoMGKEoMGKh:uGII1GCoM4oMV

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5202) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
    "C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:3820

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp
          Filesize: 36KB
          MD5: 95c226bf8baab79f9062651c7e7a93e3
          SHA1: 9b9151b72648110516fd4a018393e44f7e004594
          SHA256: 8df730a240d258df2e2bb8ac526ba968a566aeeba22b8e706f4e6777717bf357
          SHA512: e58d7c384b1786f11dda30a638b561fd4cbae6577256ff0e06ea4624881dbe21558d246c7df46fdda2d878e97c8496c2a57839d99f89ff595aebaa1fe5cef307

        • C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp
          Filesize: 117KB
          MD5: 7a36c1763cfcd435eda7df56729128bf
          SHA1: a745748672668006525058ea11d8d56dca61821b
          SHA256: ca1c9758ed7a46715f81f9f2399eb66b835923a846b8f6fb0e789081f26be16e
          SHA512: 143c557b2b1c599ea5f84acd33a1263320fa99c84224fc9f707b2412d740e887ab974c3799b57d3da548321839d402af577a1a390811b015a9f4fa6adf832d88

        • memory/3820-799-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize: 28KB