Malware Analysis Report

Report date: 2025-06-16 06:28

Sample ID: 250529-l26y4sbn8s
Target: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a
SHA256: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a
Tags: cosmu discovery ransomware worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a
Threat Level: Known bad

The file 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a was found to be: Known bad.

Malicious Activity Summary

Tags: cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5202) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-29 10:02

Signatures

Unsigned PE (the PE carries no Authenticode signature)
(no indicator rows recorded: Description/Indicator/Process/Target all N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-29 10:02
Reported: 2025-05-29 10:05
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"

Signatures

Cosmu
Tags: worm, cosmu

Cosmu family
Tags: cosmu

Detects Cosmu payload
(no indicator rows recorded: Description/Indicator/Process/Target all N/A)

Renames multiple (5202) files with added filename extension
Tags: ransomware

Drops file in Program Files directory

Description: File created (all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe (all rows)
Target: N/A (all rows)

Every indicator below is an existing file name with ".tmp" appended; the original extension is kept underneath (msadcor.dll.mui becomes msadcor.dll.mui.tmp), which is the "added filename extension" the rename signature counts. The table lists the 64 file-creation events the sandbox recorded under Program Files; the rename signature above counted 5202 renames in total.

Indicator (path created):
C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp
C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp
C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp
C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp
C:\Program Files\7-Zip\Lang\hi.txt.tmp
C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp
C:\Program Files\Common Files\System\ado\adovbs.inc.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp
C:\Program Files\Java\jdk-1.8\include\jni.h.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp
C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp
C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp
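The rows above are what an analyst has to work with when deciding how to detect this rename behaviour. The following is an added example (my code, not the sandbox's, and not part of the report): it parses a subset of the report's indicator rows, strips the appended ".tmp", and tabulates which products and original extensions were hit. The indicator column contains spaces ("Program Files", "Microsoft Power Query for Excel Integrated"), so the rows are anchored on the space-free process column rather than split on whitespace. The ten rows are copied from the table; everything else is assumed for the example.

```python
import collections
import ntpath
import re

# Ten indicator rows copied verbatim from the report's table (it lists 64).
# Column layout: <Description> <Indicator path> <Process> <Target>.
REPORT_ROWS = [
    r"File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
    r"File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe N/A",
]

# The process column has no spaces and ends in ".exe"; the greedy path group
# therefore stops exactly before it, even when the path itself contains spaces.
ROW_RE = re.compile(r"^(?P<desc>File created) (?P<path>.+) (?P<proc>\S+\.exe) (?P<target>\S+)$")


def parse_row(row):
    """Split one indicator row into its four columns."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised row: " + row)
    return m.groupdict()


def original_name(name):
    """Strip the appended '.tmp' (msadcor.dll.mui.tmp -> msadcor.dll.mui)."""
    return name[:-4] if name.lower().endswith(".tmp") else name


def has_double_extension(name):
    """'x.dll.tmp'-style names are the filename-only signal worth alerting on;
    a bare '*.tmp' rule would also fire on legitimate scratch files."""
    if not name.lower().endswith(".tmp"):
        return False
    return ntpath.splitext(original_name(name))[1] != ""


def summarise(rows):
    """Tabulate affected product directories and original extensions."""
    by_product = collections.Counter()
    by_ext = collections.Counter()
    processes = set()
    double_ext = 0
    for row in rows:
        rec = parse_row(row)
        parts = rec["path"].split("\\")      # ['C:', 'Program Files', '<product>', ...]
        by_product[parts[2]] += 1
        name = ntpath.basename(rec["path"])
        by_ext[ntpath.splitext(original_name(name))[1].lower()] += 1
        double_ext += has_double_extension(name)
        processes.add(rec["proc"])
    return {"rows": len(rows), "processes": processes, "by_product": by_product,
            "by_ext": by_ext, "double_extension": double_ext}


if __name__ == "__main__":
    s = summarise(REPORT_ROWS)
    print(s["rows"], "rows from", len(s["processes"]), "process")
    print("by product:", dict(s["by_product"]))
    print("by original extension:", dict(s["by_ext"]))
    print("double-extension names:", s["double_extension"])
```

On these ten rows the double-extension test matches nine; the tenth (FA000000014.tmp) had no extension to begin with, so a filename-shape rule alone will under-count. Pair it with the rate the sandbox measured (5202 renames by one process in under 149 s) rather than relying on the name pattern by itself.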

System Location Discovery: System Language Discovery (ATT&CK T1614.001)
Tags: discovery

Description  Indicator  Process  Target
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe  N/A

Opening NLS\Language is how a process reads the installed system language; ransomware often checks it to spare machines with particular locales, but the same key is read by ordinary locale APIs, so a single key open is a weak signal on its own.

Processes

C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"

The sample ran as a single process and spawned no child processes during the 149 s kernel window; all file and registry activity above is attributed to it directly.

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          g.bing.com        udp
US       150.171.28.10:443   g.bing.com        tcp
US       8.8.8.8:53          tse1.mm.bing.net  udp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       150.171.28.10:443   tse1.mm.bing.net  tcp
US       8.8.8.8:53          c.pki.goog        udp
NL       142.250.27.94:80    c.pki.goog        tcp

Every row is either a DNS query to the sandbox resolver (8.8.8.8) or a connection to a Bing endpoint (g.bing.com and tse1.mm.bing.net, used by the Windows search box and Spotlight) or to c.pki.goog (Google Trust Services CRL/AIA fetches, over plain HTTP as revocation fetches normally are). This is the background traffic of the win10v2004 + Chrome image, not activity of the sample: no command-and-control contact and no SMB or other propagation traffic consistent with the "worm" tag was observed in the 135 s network window, so these endpoints must not be treated as indicators of compromise.
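Separating image background noise from sample-driven traffic is a step worth automating when reviewing many sandbox runs. The following is an added example (my code, not the sandbox's): it parses the Network rows above, collapses the repeated CDN hits, and flags any endpoint that is not in a baseline of domains a stock Windows 10 + Chrome image contacts on its own, has no domain at all (direct-to-IP), or uses a port other than 53/80/443. The report rows are copied from the table; the baseline suffix list and the extra "C2-like" row are constructed for the example and should be tuned to your own image.

```python
import collections

# Rows copied from the report's Network table.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp
""".splitlines()

# Constructed row, NOT from the report: a direct TCP connection to a
# documentation-range IP on a non-standard port with no DNS resolution.
CONSTRUCTED_C2_ROW = "DE 203.0.113.5:4444 N/A tcp"

# Assumed starting baseline of domains a stock Windows 10 + Chrome sandbox
# image talks to by itself (suffix-matched). Keep it narrow: broad cloud
# suffixes would also hide malware that abuses those services.
BASELINE_SUFFIXES = ("bing.com", "bing.net", "pki.goog",
                     "msftconnecttest.com", "windowsupdate.com", "microsoft.com")
EXPECTED_PORTS = {53, 80, 443}


def parse(row):
    """'<country> <ip>:<port> <domain|N/A> <proto>' -> dict."""
    country, dest, domain, proto = row.split()
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": None if domain == "N/A" else domain, "proto": proto}


def in_baseline(domain):
    """Exact or dot-bounded suffix match, so 'evil-bing.com' does not pass."""
    return domain is not None and any(
        domain == s or domain.endswith("." + s) for s in BASELINE_SUFFIXES)


def triage(rows):
    """Return unique endpoints, the domains queried via DNS, and anything unexplained."""
    recs = [parse(r) for r in rows]
    endpoints = collections.Counter(
        (r["ip"], r["port"], r["domain"], r["proto"]) for r in recs)
    dns_queried = {r["domain"] for r in recs if r["port"] == 53 and r["domain"]}
    unexplained = []
    for (ip, port, domain, proto), hits in endpoints.items():
        if port == 53:
            continue  # the query itself; judged by the connection that follows
        reasons = []
        if domain is None:
            reasons.append("no domain (direct-to-IP)")
        elif not in_baseline(domain):
            reasons.append("domain not in baseline")
        if port not in EXPECTED_PORTS:
            reasons.append("unusual port %d" % port)
        if reasons:
            unexplained.append({"ip": ip, "port": port, "domain": domain,
                                "proto": proto, "hits": hits, "reasons": reasons})
    return {"unique_endpoints": len(endpoints), "dns_queried": dns_queried,
            "unexplained": unexplained}


if __name__ == "__main__":
    print("report rows:", triage(NETWORK_ROWS))
    print("with constructed row:", triage(NETWORK_ROWS + [CONSTRUCTED_C2_ROW]))
```

On the report's own rows the result is six unique endpoints, three queried domains and an empty unexplained list, which is the evidence behind the statement above that no sample-driven traffic was captured. Appending the constructed row shows what a real finding looks like: flagged for having no domain and for port 4444.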

Files

C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp
MD5     95c226bf8baab79f9062651c7e7a93e3
SHA1    9b9151b72648110516fd4a018393e44f7e004594
SHA256  8df730a240d258df2e2bb8ac526ba968a566aeeba22b8e706f4e6777717bf357
SHA512  e58d7c384b1786f11dda30a638b561fd4cbae6577256ff0e06ea4624881dbe21558d246c7df46fdda2d878e97c8496c2a57839d99f89ff595aebaa1fe5cef307

C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp
MD5     7a36c1763cfcd435eda7df56729128bf
SHA1    a745748672668006525058ea11d8d56dca61821b
SHA256  ca1c9758ed7a46715f81f9f2399eb66b835923a846b8f6fb0e789081f26be16e
SHA512  143c557b2b1c599ea5f84acd33a1263320fa99c84224fc9f707b2412d740e887ab974c3799b57d3da548321839d402af577a1a390811b015a9f4fa6adf832d88

memory/3820-799-0x0000000000400000-0x0000000000407000-memory.dmp
Memory region dump covering 0x0000000000400000-0x0000000000407000 (0x7000 bytes); 0x400000 is the default image base of a 32-bit PE, so this is most likely the sample's own in-memory image. No hashes are listed for it.

The two hashed files show the same appended-".tmp" pattern outside Program Files (the Recycle Bin and a root-level folder), so the rename is not scoped to one directory tree.
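The report records that files were renamed with ".tmp" appended and gives hashes for two of them, but it does not say whether the contents were encrypted or only renamed, and that is the first question during triage on a suspected victim host. The following is an added example (my code, not the sandbox's): it walks a directory tree, selects files with the double-extension shape this sample produces, hashes each one against the SHA-256 values listed above, and measures Shannon entropy to separate readable files (renamed only) from high-entropy ones (probably encrypted). The hashes are copied from the report; the directory fixture, the entropy threshold and everything else are constructed for the example.

```python
import hashlib
import math
import os
import tempfile

# SHA-256 values of the two renamed files listed in the report (copied from it).
REPORT_SHA256 = {
    "8df730a240d258df2e2bb8ac526ba968a566aeeba22b8e706f4e6777717bf357":
        r"C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp",
    "ca1c9758ed7a46715f81f9f2399eb66b835923a846b8f6fb0e789081f26be16e":
        r"C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_candidate(name):
    """Filename shape this sample produces: original extension kept, '.tmp' appended
    (desktop.ini.tmp, 2010_x86.log.html.tmp). Plain scratch '*.tmp' files do not match."""
    low = name.lower()
    return low.endswith(".tmp") and os.path.splitext(low[:-4])[1] != ""


def scan(root):
    """Hash every candidate under root and classify it by known hash and entropy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_candidate(name):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            ent = shannon_entropy(data)
            findings.append({
                "path": full,
                "size": len(data),
                "sha256": digest,
                "known_report_hash": digest in REPORT_SHA256,
                "entropy": round(ent, 2),
                "likely_encrypted": ent > 7.0,  # rule-of-thumb threshold, not from the report
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed fixture, not sandbox output: two renamed files (one still
    plaintext, one random bytes), one ordinary scratch .tmp, one untouched file."""
    root = tempfile.mkdtemp(prefix="cosmu_demo_")
    lang = os.path.join(root, "Program Files", "7-Zip", "Lang")
    os.makedirs(lang)
    fixtures = {
        os.path.join(lang, "hi.txt.tmp"): b"[Lang]\nname=Hindi\n" * 40,
        os.path.join(lang, "7z.dll.tmp"): os.urandom(4096),
        os.path.join(root, "scratch.tmp"): b"scratch",
        os.path.join(root, "readme.txt"): b"untouched",
    }
    for path, content in fixtures.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan(build_demo_tree()):
        print(finding)
```

Run against the fixture it reports the two double-extension files only, with the random-content one flagged as likely encrypted and the plaintext one not. A hash match against REPORT_SHA256 would tie a host artefact to this exact sandbox run; an entropy split tells you whether recovery is a rename back or a decryption problem.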