Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:03

General

  • Target

    6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe

  • Size

    32KB

  • MD5

    007eb12f5a1130fe347452f7b4def493

  • SHA1

    54c3e64f02d562761e5c6acda69d05b422b60f0e

  • SHA256

    6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875

  • SHA512

    606629d1e5eb699eb82ac2f6fc920d7611d5573c6e9365278d53d685a8d60aaee913030e14f6a48a8a0552a8bc26603d6a63dcf3fa8e419a3b72005601caf61c

  • SSDEEP

    768:uZ4FLz8ae+rOn8ae+rO+4500n1kJ00n1kc:uGII+49101V

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5250) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
    "C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1912

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini.tmp

    Filesize

    32KB

    MD5

    bf697859ee0b7caf586d317b455f842e

    SHA1

    15c6fc534aad697edd2487639ce3521cd5b494f2

    SHA256

    2c1dbb1c190e1ad13016071a10731953c9e95e20fadd07cef2ff3bb77ed07d8f

    SHA512

    753c7c8d52c128ba52d9581559b10ecf7e033366604e9f0c9f0d10f0412a2440d59c96cc20aedacd1436a7012e09f777e79236e4e45f2fded5e140b4bd6c2bfe

  • C:\8e056885788215100b95f8050bba49\2010_x64.log.html.tmp

    Filesize

    118KB

    MD5

    6cb08c89b3b2d6547dfbfd18fd5211b0

    SHA1

    11866ef40e2d5b4c20d97423612303a34c4eaddc

    SHA256

    62ff55ae2d9f2ed6c0b41c80a38ed2e3d5416882ae1b45ae75e89cc774175149

    SHA512

    22ffde0307e9dc66264ef4c21005442ee51fd0dca16cbcb0b1cd44c2bd4c641717d4b2e6b8450566980f3d9a4f58e81ae00d4b88e62c5ca1022dee5f1d18637f

  • memory/1912-801-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB