Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:02

General

  • Target

    60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe

  • Size

    27KB

  • MD5

    cbd64e1517bc97367d6a060054438dad

  • SHA1

    1e3c439611c0bc0aa82eb91d24b4d2fb98885381

  • SHA256

    60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55

  • SHA512

    22f628136afe53aa2c2a601cdf9aac809fece970ae0398d8110b56879b46cfe57ee3d4d2ce20ead25215b72610a3296e6b26739102d6306cfe4d08b1246fdc25

  • SSDEEP

    768:s7BlpppARFbhdLz8ae+rOn8ae+rOb83656yoNUOIiJfoNUOIiJ2:s7ZppApdIIPMD4Y

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5275) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe
    "C:\Users\Admin\AppData\Local\Temp\60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:844

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini.tmp

          Filesize

          27KB

          MD5

          3f22a864cd1f73c06b674d6dd749e4a9

          SHA1

          de9e2e25b4841d0e42c5dfcce6d98a19d90c6317

          SHA256

          3c0bb763bdb919989e6d3814239fd92888e69dd2c954751cf7ce1a058ed17bed

          SHA512

          4c734ee48121133ca3f596cfacdf667dce802f9279ae378a5f181c5f259d7c47f2a6effaf5f84a5bc216fed727acc779823fa728f3e8a29d653f58cb14ee3e4a

        • C:\f32c6debfbe15d219b06a854\2010_x64.log.html.tmp

          Filesize

          113KB

          MD5

          7935129a8b98731716e38c6c3d6c5f61

          SHA1

          0cd05f5d32a2b87760169d5e5196263f1c8f11de

          SHA256

          b0decab81fa4658ee70e3001275360455032260cd9db14475f7d0decd85ab5d6

          SHA512

          b6f46bcdf4fdb301d6934a46a24213e4560048245cd2e1506399fd92dd5ecbb4d7e58f85b50998c8ae73e5c8c982b2777f7e07c7b453d7dc24a81f4d2ffb294f