Analysis
- max time kernel: 149s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2025, 10:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
- Resource: win10v2004-20250502-en
General
- Target: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
- Size: 36KB
- MD5: e204ff2be14abe4e9c07a6346d561744
- SHA1: 67407ed4d8099cca875c688d35705cec34d12237
- SHA256: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a
- SHA512: aefb4305f90957dde69ea5a88301377fc288d9fd2cc819bd7b7709d1d90f762a657a96dadd730bc3a8cb4010913abfa58ff02b7470b11cc766a07cfb7ecbb000
- SSDEEP: 768:uZ4FLz8ae+rOn8ae+rOrZkZ/7GoMGKEoMGKh:uGII1GCoM4oMV
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload (1 IoC)
Cosmu is a worm written in C++.
resource: behavioral1/memory/3820-799-0x0000000000400000-0x0000000000407000-memory.dmp
yara_rule: family_cosmu
-
Renames multiple (5202) files with added filename extension
This suggests ransomware-style behaviour: files across the system are rewritten under a new extension (the Program Files IoCs below show the appended extension is .tmp).
-
Drops file in Program Files directory (64 IoCs)
Process (all 64 entries): 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp
File created C:\Program Files\Common Files\System\ado\adovbs.inc.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp
File created C:\Program Files\Java\jdk-1.8\include\jni.h.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp
File created C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp
File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\UIAutomationTypes.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"
PID: 3820
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
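Added example (editor's code, not part of the sandbox report and not the sandbox's own rule logic): a small Python detector that parses IoC rows in the `<description> <ioc> <process>` shape used by the signature tables above and re-derives the two behaviours attributed to PID 3820. It counts files written as `<existing name>.<added ext>` across distinct directories, the heuristic behind "Renames multiple files with added filename extension", and flags a process that also opens the `NLS\Language` key. Nine `File created` rows and the `Key opened` row are copied from this report; the `notepad.exe` rows, the thresholds (5 files, 3 directories, sized for this tiny sample rather than the 5202 files the sandbox saw) and all function and class names are assumptions.

```python
"""Re-derive two behavioural signatures from sandbox IoC rows (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SAMPLE_EXE = "5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"


def row(description, ioc, process=SAMPLE_EXE):
    """Build one row in the sandbox's '<description> <ioc> <process>' layout."""
    return f"{description} {ioc} {process}"


# Constructed input: the first ten rows are copied from the report; the two
# notepad.exe rows are invented here to show a process that must not be flagged.
REPORT_LINES = [
    row("File created", r"C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp"),
    row("File created", r"C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp"),
    row("File created", r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp"),
    row("File created", r"C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp"),
    row("File created", r"C:\Program Files\7-Zip\Lang\hi.txt.tmp"),
    row("File created", r"C:\Program Files\Java\jdk-1.8\include\jni.h.tmp"),
    row("File created", r"C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp"),
    row("File created", r"C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp"),
    row("File created", r"C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp"),
    row("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    row("File created", r"C:\Users\Admin\Documents\notes.txt", "notepad.exe"),
    row("File created", r"C:\Users\Admin\Documents\notes.txt.bak", "notepad.exe"),
]

# The description is a fixed phrase, the IoC may contain spaces, the process is the last token.
ROW_RE = re.compile(r"^(File created|Key opened)\s+(.+?)\s+(\S+)$")
LANGUAGE_KEY_SUFFIX = r"\control\nls\language"  # compared case-insensitively


def parse_row(line):
    """Return (description, ioc, process), or None for a row in a different shape."""
    m = ROW_RE.match(line.strip())
    return m.groups() if m else None


def appended_extension(path):
    """'<name>.<inner>.<outer>' -> '.<outer>', the extension added to an existing file name.
    Returns None when there is no inner extension, e.g. 'FA000000014.tmp'."""
    name = PureWindowsPath(path).name
    outer = PureWindowsPath(name).suffix
    inner = PureWindowsPath(PureWindowsPath(name).stem).suffix
    return outer if outer and inner else None


@dataclass
class ProcessFinding:
    process: str
    files_created: int = 0
    appended_files: int = 0
    directories: set = field(default_factory=set)
    extensions: Counter = field(default_factory=Counter)
    language_key_opened: bool = False

    @property
    def added_extension(self):
        """Most common added extension ('.tmp' for the sample's rows), or None."""
        return self.extensions.most_common(1)[0][0] if self.extensions else None

    def mass_rename(self, min_files=5, min_dirs=3):
        """Thresholds are assumptions sized for this small sample (the sandbox saw 5202)."""
        return self.appended_files >= min_files and len(self.directories) >= min_dirs


def analyse(lines):
    """Fold IoC rows into one ProcessFinding per process."""
    findings = {}
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        description, ioc, process = parsed
        finding = findings.setdefault(process, ProcessFinding(process))
        if description == "File created":
            finding.files_created += 1
            ext = appended_extension(ioc)
            if ext:
                finding.appended_files += 1
                finding.directories.add(str(PureWindowsPath(ioc).parent))
                finding.extensions[ext.lower()] += 1
        elif description == "Key opened" and ioc.lower().endswith(LANGUAGE_KEY_SUFFIX):
            finding.language_key_opened = True
    return findings


def flagged(lines):
    """Processes showing both behaviours the report ties to PID 3820."""
    return sorted(p for p, f in analyse(lines).items()
                  if f.mass_rename() and f.language_key_opened)


if __name__ == "__main__":
    for process, f in analyse(REPORT_LINES).items():
        print(f"{process}: {f.files_created} files, {f.appended_files} with added "
              f"{f.added_extension} across {len(f.directories)} dirs, "
              f"NLS\\Language opened={f.language_key_opened}, mass_rename={f.mass_rename()}")
```

`FA000000014.tmp` is kept in the input on purpose: it has no inner extension, so the appended-extension check ignores it and the sample scores 8 of 9 files rather than 9 of 9. On a real endpoint the same two conditions map onto Sysmon FileCreate (Event ID 11) and RegistryEvent (Event ID 12) records keyed by process GUID; only the row parser would change.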
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize: 36KB
MD5: 95c226bf8baab79f9062651c7e7a93e3
SHA1: 9b9151b72648110516fd4a018393e44f7e004594
SHA256: 8df730a240d258df2e2bb8ac526ba968a566aeeba22b8e706f4e6777717bf357
SHA512: e58d7c384b1786f11dda30a638b561fd4cbae6577256ff0e06ea4624881dbe21558d246c7df46fdda2d878e97c8496c2a57839d99f89ff595aebaa1fe5cef307
-
Filesize: 117KB
MD5: 7a36c1763cfcd435eda7df56729128bf
SHA1: a745748672668006525058ea11d8d56dca61821b
SHA256: ca1c9758ed7a46715f81f9f2399eb66b835923a846b8f6fb0e789081f26be16e
SHA512: 143c557b2b1c599ea5f84acd33a1263320fa99c84224fc9f707b2412d740e887ab974c3799b57d3da548321839d402af577a1a390811b015a9f4fa6adf832d88