Analysis Overview
SHA256
241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163
Threat Level: Known bad
The file 241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163 was found to be: Known bad.
Malicious Activity Summary
Detects Cosmu payload
Cosmu
Cosmu family
Renames multiple (5039) files with added filename extension
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-29 10:01
Signatures
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-29 10:01
Reported
2025-05-29 10:04
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Cosmu
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Renames multiple (5039) files with added filename extension
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Diagnostics.EventLog.Messages.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\da.pak.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\fr.pak.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\id.pak.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\yo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\dxcompiler.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\Microsoft.NETCore.App.deps.json.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\kaa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.CodeDom.dll.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
| File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe
"C:\Users\Admin\AppData\Local\Temp\241eafe0509458d94b68bff75fd8ad2c8d13e67bdcafe579ada2f7736c11a163.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-3951986358-4006919840-1009690842-1000\desktop.ini.tmp
| Hash | Value |
|---|---|
| MD5 | 4de0531bc4be24cd59663898d0869361 |
| SHA1 | 979bea5520b05bc05b59410220620be03b2008ec |
| SHA256 | 94c0fc745f7a90483db79cc375cd77ef1862235ec258b734632bbf96348c2a59 |
| SHA512 | d1347d33a8c7068b9e0a29ae360c512c73764c6d5cf866929d04002662860841abca11a08826ad1adb25f35c21f212a5a417271995404310401aa659545c76ec |
C:\e871de07eca81c0a47\2010_x86.log.html.tmp
| Hash | Value |
|---|---|
| MD5 | b8e2285d1c3119fa77079f23ac8414f3 |
| SHA1 | e81cd8155cdc8af8ae37f9337c396b8949a7ab2e |
| SHA256 | 84143f1426cd2dc4c2c8c4161722dc9b6f918318cb238d3a4952e491fc627aac |
| SHA512 | 0ce4290e6570a837bb20708e3e3ed1d943f01388c9e58f7512c6cfb8708cd3c9ce6cc94542b78448b8e0498e1a6dadb19fc29a0c25cad56012ee6b483bbcb222 |