Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/05/2025, 10:01

General

  • Target

    2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe

  • Size

    38KB

  • MD5

    ffe5d3a78b5d45ba66dc102388e5b6ca

  • SHA1

    adb6b804e04f17ebf99e916fa0ace43fbcbf1bb2

  • SHA256

    2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5

  • SHA512

    80a5365df056a45816704035daef2f8cb9500a7259b4ec2ccd4f288303624dd34e8cc48738c4b7e19f78fed5f8a7d769ffe94fd2767e1fd450f9a578e0375a58

  • SSDEEP

    768:s7BlpppARFbhdLz8ae+rOn8ae+rOfXqJ7gJ7ITr:s7ZppApdIISJ7gJ7c

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5244) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe
    "C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4192

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

          Filesize

          38KB

          MD5

          aa590ddfc20a353efd70f5d53d31c53e

          SHA1

          5f2d729d2f4560d5aa1ce9a5ef1d745a54b316c2

          SHA256

          d8cc67c5414b6c077e996277a920c731d885c4cebd9de1ba4ebf997b280bc827

          SHA512

          dfe003383335b2b3885fff01cf3303051799a0ddc832cad8ab6d85af8f427b84ca1c768e94c0132f5669a865a5c1d14b7611e9b846a1933ba745921d88791720

        • C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

          Filesize

          124KB

          MD5

          dc1fc0c14b336e7e636231bbb3020576

          SHA1

          8a303950ee22b0bf0d824e5bbb5446dd9363543b

          SHA256

          48730f53c0ed1f7da8108cf166df3d8e60d5a4b327cf3693d6554a119450021f

          SHA512

          714f773c30d7db294713f12da01dbdb44f94c813facc3eef274914ee066d3e83080f586f733eabb6bcbbeae3b3ee0406c3a294af6e16d22a9f945049a43aedae