Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l2lm6sbn6z
Target 21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17
SHA256 21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17

Threat Level: Known bad

The file 21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5036) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5036) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17.exe

"C:\Users\Admin\AppData\Local\Temp\21a2669cd7b95c1063ab86b311b18f54c1f247e4aa22178dff90c400a71b9e17.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

MD5 422541587a88bc79c5d4387c06afd1f2
SHA1 d897594e6f07393733dafe248f284522a1fe4a1a
SHA256 1b970e34dd6c1dc77a305ddf4bd42cc245c8c9bee772a88034bde5c640762998
SHA512 f23e314741607faae40b00b9d8140426ef102e0cb5f835a1c3bfbd815ed4566e05e8c556f3f6bae7d8d2cf04be6067fec585f36a9821eb5dc7afccc4a0ed0882

C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

MD5 c096d20908483d2f4e8939fad5727d31
SHA1 bf1cc1764853c8de0532782f6d4baeee9d11cc24
SHA256 514bc06a6ecaa803d0ed247c736584accd8f6de5488bf99f5483f3750017d727
SHA512 c240783ab827c859775134a661c187cfa28f6212306ffbc3856db328da13f56c5090ba3245b2cb81693c97e85c3462177652362cb79b240a8ce02f044b5a00b0

memory/2692-797-0x0000000000400000-0x0000000000407000-memory.dmp