Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/05/2025, 10:03

General

  • Target

    6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe

  • Size

    32KB

  • MD5

    007eb12f5a1130fe347452f7b4def493

  • SHA1

    54c3e64f02d562761e5c6acda69d05b422b60f0e

  • SHA256

    6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875

  • SHA512

    606629d1e5eb699eb82ac2f6fc920d7611d5573c6e9365278d53d685a8d60aaee913030e14f6a48a8a0552a8bc26603d6a63dcf3fa8e419a3b72005601caf61c

  • SSDEEP

    768:uZ4FLz8ae+rOn8ae+rO+4500n1kJ00n1kc:uGII+49101V

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5356) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe
    "C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:5248

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1245416451-815278583-4285364870-1000\desktop.ini.tmp

          Filesize

          32KB

          MD5

          9edb7b55889bcb87634133136dda12bc

          SHA1

          ccffceefc1f902216ce199b3ec963efb8c666ce6

          SHA256

          10f9bcc7d393f20f58b87265f195ff4e9d3d67e83e6c65a2dc6d0672b456e5d3

          SHA512

          1dac5cfaafc6877be8e9cea1a7f09eea240ba8d6d5e75540f8b9aff5ecfe4c7e6466ebbe79835398c99a2ee072de54a90b24ea5aabd2380284dc35f83f841a63

        • C:\09888c3fc6bdc8a345f7\2010_x64.log.html.tmp

          Filesize

          117KB

          MD5

          bb5edc415890069cf64d115e990aa1ee

          SHA1

          01d81d6a425817a106081e82842cfe2215221ef7

          SHA256

          552c54dc84984a101178558aec24302e40ca23b441b76e9018a07701e24b130f

          SHA512

          fa86fce81fd92a0137d57d4060d7cbfcf73b149bd60abb1b4574aafc154b2289f7f7137d18eeb85a6ae6dc0317eca3c0f572cc098332a4484c3b368409a8962e

        • memory/5248-1215-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB