Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/05/2025, 10:04

General

  • Target

    28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe

  • Size

    34KB

  • MD5

    c723f0584ef526efa1f1eaea94df14d8

  • SHA1

    b984a485db4a2f68effbe007c5f78585ddc53b0a

  • SHA256

    28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f

  • SHA512

    ac3db58129c3e04a214ef3deee51a01bb2298523979724e1ddbd27a3ffc46bc5851301226592539453ff7f245a66c7d15e34a0751d360f94ddda69f2ef022bb9

  • SSDEEP

    768:s7BlpppARFbhdLz8ae+rOn8ae+rO+4500n1kJ00n1khxhxz:s7ZppApdII+49101az1

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5348) files with added filename extension

    This suggests ransomware-style behaviour: bulk encryption of files on the system, with a new extension appended to each renamed file.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
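The "renames multiple files with added filename extension" signature above is a behavioural heuristic: many rename events where the new path equals the old path plus a new ".ext". The block below is an added example, not code from the sandbox or from the Cosmu sample, showing that detection logic over a constructed file-event log. The `pid=... rename "OLD" -> "NEW"` log format, the original (pre-rename) names of the two dropped files, the benign events and the threshold of 3 are all assumptions made for the illustration; the real report counted 5348 such renames.

```python
"""Detect mass "rename with appended extension" activity from file events.

Added example (not part of the sandbox report). The log line format,
the threshold and the benign/edge-case events are constructed for
illustration.
"""
import re
from collections import Counter

# Constructed sample events. The first two targets are the dropped files
# listed in the report (their pre-rename names are assumed); the rest are
# invented benign activity and edge cases that must NOT be counted.
SAMPLE_EVENTS = [
    r'pid=4452 rename "C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini" -> "C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp"',
    r'pid=4452 rename "C:\f8efe770fb160c3e4e\2010_x86.log.html" -> "C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp"',
    r'pid=4452 rename "C:\Users\Admin\Documents\report.docx" -> "C:\Users\Admin\Documents\report.docx.tmp"',
    r'pid=4452 rename "C:\Users\Admin\Pictures\cat.jpg" -> "C:\Users\Admin\Pictures\cat.jpg.tmp"',
    r'pid=1200 rename "C:\Users\Admin\Documents\draft.txt" -> "C:\Users\Admin\Documents\final.txt"',   # ordinary rename
    r'pid=1200 rename "C:\Users\Admin\Documents\notes.doc" -> "C:\Users\Admin\Documents\notes.docx"',  # extension changed, not appended
    r'pid=3100 rename "C:\Temp\~install.tmp" -> "C:\Temp\install.log"',                               # installer cleanup
]

# Assumed log format: pid=<n> rename "<old path>" -> "<new path>"
RENAME_RE = re.compile(r'pid=(\d+) rename "([^"]+)" -> "([^"]+)"')


def parse_rename_events(lines):
    """Return a list of (pid, old_path, new_path) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = RENAME_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def appended_extension(old, new):
    """Return the suffix if `new` is exactly `old` followed by a new '.ext', else None.

    A changed extension (notes.doc -> notes.docx) or a move into a
    subdirectory (C:\\a -> C:\\a.d\\x) does not count as an appended extension.
    """
    if not new.startswith(old) or len(new) <= len(old):
        return None
    suffix = new[len(old):]
    if suffix.startswith(".") and len(suffix) > 1 and "\\" not in suffix:
        return suffix
    return None


def detect_mass_rename(events, threshold=3):
    """Count appended-extension renames per (pid, ext) and return those at or over threshold."""
    counts = Counter()
    for pid, old, new in events:
        ext = appended_extension(old, new)
        if ext is not None:
            counts[(pid, ext)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def main():
    events = parse_rename_events(SAMPLE_EVENTS)
    for (pid, ext), n in detect_mass_rename(events).items():
        print(f"pid {pid}: {n} files renamed with appended extension {ext!r}")


if __name__ == "__main__":
    main()
```

Grouping by (pid, extension) rather than by pid alone is what separates this pattern from an installer or backup job that renames many files to many different names; on the constructed input only PID 4452 with ".tmp" is reported.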

Processes

  • C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
    "C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4452

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp

          Filesize

          35KB

          MD5

          fc49bf11d74ebb3a749184129178f6c8

          SHA1

          63568fd6b927dab55c9dca50301a6bc6cc120ed2

          SHA256

          28f7b6bf7fde756cda35e57fea10ebcd6434d80923c453ffdbd96aa5d6759243

          SHA512

          af4228ac59a32d21c4496f2b4c4aa6a49639792e97753f12ffb84655990b1d032df1b5478fec8778819b0067ffbf6fed5477cbdf2836bad0f6e74b577fe38c34

        • C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp

          Filesize

          115KB

          MD5

          cb9bbb5159bbe5d1de38ddcfa27b990a

          SHA1

          0e64dff827cb6b66241036007b543d5ba0e26bc6

          SHA256

          ff7fcc5cb526996d5fea60ba2fe4fbfd0c7d6e3d6714a1c613f723af72c36902

          SHA512

          30bd2a369dc4605d5175bd65d62aaeece2776bf2b68d4497bd3df1f8e905d6f0167bedf9b38158d0c58463cb8d3a5118749235558f5750b574c9cfd5f0d447d0