Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:04

General

  • Target

    7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe

  • Size

    152KB

  • MD5

    d3d0b83acb1010b38bd7b4c9c6d2a4c9

  • SHA1

    44af10e830257831f5ea90be0c74fc0b1fa43510

  • SHA256

    7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2

  • SHA512

    562fc402f086946c40d14ae0a684db35b9f6a7bf24d6d74c17c9a05a194d3f4fabddda0e2f6f24cbadb63f74d5beb9e52933492cbabda128dd665373e7dbb807

  • SSDEEP

    3072:spWpkqcPZkxjRbMl2k7ueySZl/L52hRDdfYh6qtz7wqLTfzv/q:NWNZkxB82k7uRST/2RDdAh5lRLLu

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (4853) files with added filename extension

    Mass renaming of files with an appended extension is the heuristic indicator of ransomware encrypting files across the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
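The rename heuristic behind the "Renames multiple files with added filename extension" signature, written out as an added example (this is not the sandbox's own signature code): a process that renames many files by appending the same extension across several directories is flagged. The "pid | op | src | dst" event line format is an assumption; PID 208 and the two .tmp targets come from this report, and every other PID and path is constructed.

```python
"""Heuristic behind the 'renames multiple files with added filename extension'
signature: flag a process that renames many files by appending the same extension
across several directories.  Added example, not the sandbox's own signature code."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    pid: int
    op: str   # "rename" or "create"
    src: str
    dst: str  # empty for non-rename events


# Constructed sample events in an assumed "pid | op | src | dst" line format.
# PID 208 and the two .tmp targets are from the report; everything else is made up.
SAMPLE_EVENTS = r"""
208 | rename | C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini | C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp
208 | rename | C:\fa79de221d524b769d0447\2010_x64.log.html | C:\fa79de221d524b769d0447\2010_x64.log.html.tmp
208 | rename | C:\Program Files\Common Files\readme.txt | C:\Program Files\Common Files\readme.txt.tmp
208 | rename | C:\Users\Admin\Documents\notes.docx | C:\Users\Admin\Documents\notes.docx.tmp
208 | rename | C:\Users\Admin\Pictures\photo.jpg | C:\Users\Admin\Pictures\photo.jpg.tmp
208 | create | C:\Users\Admin\AppData\Local\Temp\scratch.dat
4412 | rename | C:\Users\Admin\Documents\draft.docx | C:\Users\Admin\Documents\draft-final.docx
4412 | rename | C:\Users\Admin\Documents\old.txt | C:\Users\Admin\Documents\old.txt.bak
"""

# A single appended extension: a dot followed by non-separator, non-dot characters.
_APPENDED_EXT = re.compile(r"^\.[^\\/.]+$")


def added_extension(src: str, dst: str):
    """Return the extension appended to src to produce dst (lower-cased), or None
    when dst is not simply src plus one extension.  Paths compare case-insensitively."""
    if len(dst) <= len(src) or dst[: len(src)].lower() != src.lower():
        return None
    suffix = dst[len(src):]
    return suffix.lower() if _APPENDED_EXT.match(suffix) else None


def parse_events(text: str):
    """Parse the 'pid | op | src | dst' lines; dst is optional for non-rename events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]  # '|' cannot occur in Windows paths
        while len(fields) < 4:
            fields.append("")
        events.append(FileEvent(int(fields[0]), fields[1], fields[2], fields[3]))
    return events


def detect_mass_rename(events, threshold):
    """Group rename events by (pid, appended extension) and return the groups with at
    least `threshold` files, reporting the file count and the number of distinct directories."""
    files = defaultdict(int)
    dirs = defaultdict(set)
    for ev in events:
        if ev.op != "rename":
            continue
        ext = added_extension(ev.src, ev.dst)
        if ext is None:
            continue
        key = (ev.pid, ext)
        files[key] += 1
        dirs[key].add(ev.src.rsplit("\\", 1)[0].lower())
    return {k: {"files": n, "dirs": len(dirs[k])} for k, n in files.items() if n >= threshold}


if __name__ == "__main__":
    # Threshold 3 only because the sample is tiny; the report's hit counted 4853 renames.
    for (pid, ext), stats in detect_mass_rename(parse_events(SAMPLE_EVENTS), threshold=3).items():
        print(f"pid {pid}: {stats['files']} files renamed with '{ext}' across {stats['dirs']} directories")
```

The directory count is what separates ransomware-style traversal from a build tool or backup job that appends an extension to many files inside one tree; in production the threshold would be set far higher than 3 and the matched extension checked against an allow-list of known tooling suffixes.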

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
    "C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:208

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

          Filesize

          153KB

          MD5

          7ce5501a92cb63c648d8728711842b15

          SHA1

          2ae06e80b6b297ed8469333d5ec2ab257ae0243f

          SHA256

          fd6baef86f3c17322e8464f4b70977ae2d28fa2a0d10fcfab7134185d1054f48

          SHA512

          f86cf4acbeecd50f21fdfbcf2dc4bce0fd2ee543d3ccffe576efddb9f1c78e521cef1f9dd3ff3814227d5f639f18d433ff7dadc4019f13cbe3dae54252cc8533

        • C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

          Filesize

          238KB

          MD5

          bf31c96d5b95381fe061b76837e51a69

          SHA1

          0f6f2e649d9000e78437c87331323c7c0176bf05

          SHA256

          8dc391f44aa67ca6b4b714b80bf37853005cd485324811cf5b7e029e68c5b496

          SHA512

          de50bd920ad47de68ef4b39ad6b6d59b1d948911d3161b7f3bf8dae4a6848fa4cfb91b7a1689bdd90e77e29495974980aa548089602009311596196f5011abea
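Turning the digests above into a host sweep, as an added example that is not part of the sandbox report: the hash values are copied from the report, while the directory layout, the stand-in file contents and the label strings are constructed for the demonstration. Each file is read once and fed to all four digests so a match on any algorithm the report lists is found in a single pass.

```python
"""Sweep a directory tree for files whose digests match the report's IoCs.
Added example, not part of the sandbox report; only the hash values are taken from it."""
import hashlib
import io
import os
import tempfile

# Digest -> label, copied from the report (submitted sample plus the two dropped files).
REPORT_IOCS = {
    "d3d0b83acb1010b38bd7b4c9c6d2a4c9": "submitted sample (MD5)",
    "7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2": "submitted sample (SHA256)",
    "7ce5501a92cb63c648d8728711842b15": "dropped desktop.ini.tmp (MD5)",
    "fd6baef86f3c17322e8464f4b70977ae2d28fa2a0d10fcfab7134185d1054f48": "dropped desktop.ini.tmp (SHA256)",
    "bf31c96d5b95381fe061b76837e51a69": "dropped 2010_x64.log.html.tmp (MD5)",
    "8dc391f44aa67ca6b4b714b80bf37853005cd485324811cf5b7e029e68c5b496": "dropped 2010_x64.log.html.tmp (SHA256)",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(stream, chunk_size=1 << 20):
    """Read the stream once and feed every chunk to all four digests."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_bytes(data: bytes):
    """Digest an in-memory byte string (convenience wrapper for tests and small inputs)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path: str):
    with open(path, "rb") as f:
        return digest_stream(f)


def sweep(root: str, iocs: dict):
    """Walk root and return {path: (algorithm, label)} for each file with a matching digest.
    Unreadable files (locked, permission denied) are skipped rather than aborting the sweep."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue
            for alg in ALGORITHMS:
                if digests[alg] in iocs:
                    hits[path] = (alg, iocs[digests[alg]])
                    break
    return hits


def demo():
    """Constructed demonstration: the report's hashes stay in the IoC set, a stand-in
    file whose SHA256 is added to it is planted in a subdirectory, and a benign file
    is placed beside it.  Returns the hits keyed by file name."""
    planted = b"constructed stand-in for the dropped file\n"
    iocs = dict(REPORT_IOCS)
    iocs[digest_bytes(planted)["sha256"]] = "constructed stand-in"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "desktop.ini.tmp"), "wb") as f:
            f.write(planted)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        return {os.path.basename(p): hit for p, hit in sweep(root, iocs).items()}


if __name__ == "__main__":
    for name, (alg, label) in demo().items():
        print(f"{name}: {alg} matches {label}")
```

On a real host, point `sweep` at the paths the report names (the `$Recycle.Bin` SID directory, `Program Files`, the user's `AppData\Local\Temp`) rather than the whole volume, and prefer the SHA256 matches when deciding on a hit; the MD5 entries are kept only because the report publishes them.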