Analysis
-
max time kernel
150s -
max time network
103s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system -
submitted
29/05/2025, 10:01
Static task
static1
Behavioral task
behavioral1
Sample
3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe
Resource
win11-20250502-en
General
-
Target
3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe
-
Size
33KB
-
MD5
081992eb1480801df44c28dcfeee542f
-
SHA1
024ffc4694af9734d1032294171fd20e2618fa2a
-
SHA256
3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52
-
SHA512
dbbb11b7d1cfd55dcd205c3161f9e03ca1c2f66b1705e9c67000657ac6ae46cd07dad4c52199f4c76410d01326a24322816ae1e541a6d0f1a40a3ed583a5aac2
-
SSDEEP
384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOYE/AE/DZKNZKy7MwlwWP3:uZ4FLz8ae+rOn8ae+rOrZkZ/7M45P3
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 1 IoCs
Cosmu is a worm written in C++.
resource: behavioral2/memory/328-1231-0x0000000000400000-0x0000000000407000-memory.dmp
yara_rule: family_cosmu -
Renames multiple (5361) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:328
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
33KB
MD5 be3b3cf126d8af7c509e75d751dd47cd
SHA1 eacb9b8210fce639fef9500c9f21d7a1c5343aa6
SHA256 f1475ca535a2d73ea719a14524036a5e4f1beefb7a547846599ae0c31e83acb8
SHA512 43867cc094badd288eaed9cf245e8d4bf51753273ba64a87c72d0870d04c115f47bbfb03e49ceb778a1c5177b99cfb341372325dd6bef8b6f84749dc4ecb858a
-
Filesize
114KB
MD5 e585fe76fc991d9e3e8c7efe8814898a
SHA1 0c89a1bf35f909ec435de952ef98e2052359232e
SHA256 52d6b91c7abe0dd87d100d5571483d87d543af68b7f47afe7ad272d435218727
SHA512 1714afc4794d3618e72b6016903bdb40b2d4c582983bfd27b1bcbb60874b1aaf84550787dc7760c2b5145b03f39cf6ef00fe503d6712235be79c208272337cfe