Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l2vwvabn7t
Target 60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55
SHA256 60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55

Threat Level: Known bad

The file 60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5275) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:02

Signatures

Cosmu family

cosmu

Detects Cosmu payload


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:02

Reported

2025-05-29 10:04

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (5275) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe

"C:\Users\Admin\AppData\Local\Temp\60ff2e2c618390b9b37e8722df41a356096088e6d456f9028d2578d77bcc7b55.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini.tmp

MD5 3f22a864cd1f73c06b674d6dd749e4a9
SHA1 de9e2e25b4841d0e42c5dfcce6d98a19d90c6317
SHA256 3c0bb763bdb919989e6d3814239fd92888e69dd2c954751cf7ce1a058ed17bed
SHA512 4c734ee48121133ca3f596cfacdf667dce802f9279ae378a5f181c5f259d7c47f2a6effaf5f84a5bc216fed727acc779823fa728f3e8a29d653f58cb14ee3e4a

C:\f32c6debfbe15d219b06a854\2010_x64.log.html.tmp

MD5 7935129a8b98731716e38c6c3d6c5f61
SHA1 0cd05f5d32a2b87760169d5e5196263f1c8f11de
SHA256 b0decab81fa4658ee70e3001275360455032260cd9db14475f7d0decd85ab5d6
SHA512 b6f46bcdf4fdb301d6934a46a24213e4560048245cd2e1506399fd92dd5ecbb4d7e58f85b50998c8ae73e5c8c982b2777f7e07c7b453d7dc24a81f4d2ffb294f