Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:01

General

  • Target

    2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe

  • Size

    38KB

  • MD5

    ffe5d3a78b5d45ba66dc102388e5b6ca

  • SHA1

    adb6b804e04f17ebf99e916fa0ace43fbcbf1bb2

  • SHA256

    2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5

  • SHA512

    80a5365df056a45816704035daef2f8cb9500a7259b4ec2ccd4f288303624dd34e8cc48738c4b7e19f78fed5f8a7d769ffe94fd2767e1fd450f9a578e0375a58

  • SSDEEP

    768:s7BlpppARFbhdLz8ae+rOn8ae+rOfXqJ7gJ7ITr:s7ZppApdIISJ7gJ7c

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5198) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe
    "C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4792

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

    Filesize
    38KB

    MD5
    1af51b178a8189099b0157883b61d966

    SHA1
    b3e73a101315566582e695b9821846342c4d28df

    SHA256
    36306b3205f7029d6de8d673bf25989da6d5fe2a84e9e1dafdadb8aa3cb5f190

    SHA512
    a5e44575c58969e2161cf91190e36c42e2dd66e63557e49aefe89af5c50aaa6600342821da11d06731a9756fac4434aa251480b51b4dc4249306b6d39301ff5a

  • C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

    Filesize
    124KB

    MD5
    6f31bd01fc83eb42e5c87812e37ed0dd

    SHA1
    981f161d187cad691c574fe6cc3b598e3b96da79

    SHA256
    5be2334601a08ecc6806d3a0c342e6f1f132d5373446c277ff65732f5391b1db

    SHA512
    7f7822ed31e029e21af56b48d1bc3b214787750aa005cb663bf043854049250462eb4bd0fae7a66ba125761c795a85f8bb47e4bb6b89ca40614ff2b5c6535d38