Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l2kqwabn6x
Target 241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163
SHA256 241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

Score 10/10

SHA256

241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163

Threat Level: Known bad

The file 241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5039) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:01

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5039) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe

"C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3951986358-4006919840-1009690842-1000\desktop.ini.tmp

C:\e871de07eca81c0a47\2010_x86.log.html.tmp
