Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:01

General

  • Target

    2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe

  • Size

    66KB

  • MD5

    4997db6aa7cc0841cbf7db68a988a30a

  • SHA1

    265a56f2c18924103be9710d8fc9ac1267988833

  • SHA256

    2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d

  • SHA512

    5a4509a0009ecbc477c0ce89f3c009ef2afee4528066a21416d66c647a21d3af215a8ec9331ddec891e08f43ebadcdb2fb9cc3e860eda1d4d7727c5445deb5e0

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOIW2JhuC2JhuOxAxoraygJmMvJvq:uZ4FLz8ae+rOn8ae+rOoJhiJhY+

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5160) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe
    "C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe"
    1
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:5464

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

          Filesize

          66KB

          MD5

          47b312b944c7766e8e2051c0d838a8cc

          SHA1

          dcc5c5fda9cb54719000ea8fcba5a1293511076e

          SHA256

          87b07124002e7a3a127db5a7915bf1f40d5a4179aab1ccd2ecdc4326cfcae4da

          SHA512

          46b07b0252bdfa2b367fdd6c62ba99a9af851fcebc9a8061ff16887eef9cbf0b1796f291cd6a9a28a9496c505f15fcf379e50f384ab4cd9a707256138013f585

        • C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

          Filesize

          152KB

          MD5

          f39956b5c91613f562edf0c708541ee4

          SHA1

          a79a82aea2dfaa86d8420e180f17fa1fcebc88d5

          SHA256

          c2f7aeb030e522fd317b0167f462ba2edbb22f12e156b7d8ff996c0863744be1

          SHA512

          c09cfe2f0d1a4250d6d0f3f90cac76c8c88cabbc21f577e81e4eb3537a34d08c5980033600218b1b9b4be99960ed32eea04ade551c2cdd93d0be18d52ce80fd6

        • memory/5464-795-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB