Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l2qbcsbn61
Target 2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d
SHA256 2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d
Tags cosmu discovery ransomware worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d

Threat Level: Known bad

The file 2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5160) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Renames multiple (5160) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Security.Cryptography.Pkcs.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ko.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework-SystemCore.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.FileSystem.Watcher.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\hostpolicy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe

"C:\Users\Admin\AppData\Local\Temp\2af938ddfec882e3cf440c2d57f251bba7794317042bc65392bd7b302b0bc07d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

MD5 47b312b944c7766e8e2051c0d838a8cc
SHA1 dcc5c5fda9cb54719000ea8fcba5a1293511076e
SHA256 87b07124002e7a3a127db5a7915bf1f40d5a4179aab1ccd2ecdc4326cfcae4da
SHA512 46b07b0252bdfa2b367fdd6c62ba99a9af851fcebc9a8061ff16887eef9cbf0b1796f291cd6a9a28a9496c505f15fcf379e50f384ab4cd9a707256138013f585

C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

MD5 f39956b5c91613f562edf0c708541ee4
SHA1 a79a82aea2dfaa86d8420e180f17fa1fcebc88d5
SHA256 c2f7aeb030e522fd317b0167f462ba2edbb22f12e156b7d8ff996c0863744be1
SHA512 c09cfe2f0d1a4250d6d0f3f90cac76c8c88cabbc21f577e81e4eb3537a34d08c5980033600218b1b9b4be99960ed32eea04ade551c2cdd93d0be18d52ce80fd6

memory/5464-795-0x0000000000400000-0x0000000000407000-memory.dmp