Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2025, 10:03
Static task: static1
Behavioral task: behavioral1
- Sample: 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
- Resource: win10v2004-20250502-en
Behavioral task: behavioral2
- Sample: 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
- Resource: win11-20250502-en
General
- Target: 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
- Size: 32KB
- MD5: 007eb12f5a1130fe347452f7b4def493
- SHA1: 54c3e64f02d562761e5c6acda69d05b422b60f0e
- SHA256: 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875
- SHA512: 606629d1e5eb699eb82ac2f6fc920d7611d5573c6e9365278d53d685a8d60aaee913030e14f6a48a8a0552a8bc26603d6a63dcf3fa8e419a3b72005601caf61c
- SSDEEP: 768:uZ4FLz8ae+rOn8ae+rO+4500n1kJ00n1kc:uGII+49101V
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 1 IoCs
Cosmu is a worm written in C++.
resource | yara_rule
behavioral1/memory/1912-801-0x0000000000400000-0x0000000000407000-memory.dmp | family_cosmu
Renames multiple (5250) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\UIAutomationTypes.resources.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Runtime.CompilerServices.Unsafe.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
File created | C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
Processes
-
- Path: C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"
  PID: 1912
  Signatures:
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 32KB
  MD5: bf697859ee0b7caf586d317b455f842e
  SHA1: 15c6fc534aad697edd2487639ce3521cd5b494f2
  SHA256: 2c1dbb1c190e1ad13016071a10731953c9e95e20fadd07cef2ff3bb77ed07d8f
  SHA512: 753c7c8d52c128ba52d9581559b10ecf7e033366604e9f0c9f0d10f0412a2440d59c96cc20aedacd1436a7012e09f777e79236e4e45f2fded5e140b4bd6c2bfe
- Filesize: 118KB
  MD5: 6cb08c89b3b2d6547dfbfd18fd5211b0
  SHA1: 11866ef40e2d5b4c20d97423612303a34c4eaddc
  SHA256: 62ff55ae2d9f2ed6c0b41c80a38ed2e3d5416882ae1b45ae75e89cc774175149
  SHA512: 22ffde0307e9dc66264ef4c21005442ee51fd0dca16cbcb0b1cd44c2bd4c641717d4b2e6b8450566980f3d9a4f58e81ae00d4b88e62c5ca1022dee5f1d18637f