Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2025, 10:04
Behavioral task behavioral1
Sample: 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Resource: win10v2004-20250502-en
Behavioral task behavioral2
Sample: 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Resource: win11-20250502-en
General
Target: 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Size: 152KB
MD5: d3d0b83acb1010b38bd7b4c9c6d2a4c9
SHA1: 44af10e830257831f5ea90be0c74fc0b1fa43510
SHA256: 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2
SHA512: 562fc402f086946c40d14ae0a684db35b9f6a7bf24d6d74c17c9a05a194d3f4fabddda0e2f6f24cbadb63f74d5beb9e52933492cbabda128dd665373e7dbb807
SSDEEP: 3072:spWpkqcPZkxjRbMl2k7ueySZl/L52hRDdfYh6qtz7wqLTfzv/q:NWNZkxB82k7uRST/2RDdAh5lRLLu
Malware Config
Signatures
- Cosmu family
- Detects Cosmu payload (2 IoCs)
Cosmu is a worm written in C++.
resource: behavioral1/files/0x000a00000002171c-1.dat, yara_rule: family_cosmu
resource: behavioral1/files/0x000400000001ee71-5.dat, yara_rule: family_cosmu
- Renames multiple (4853) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"
  Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery
  PID: 208
Network
MITRE ATT&CK Enterprise v16