Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2025, 10:07
Behavioral task
behavioral1
Sample
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Resource
win11-20250502-en
General
-
Target
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
-
Size
152KB
-
MD5
d3d0b83acb1010b38bd7b4c9c6d2a4c9
-
SHA1
44af10e830257831f5ea90be0c74fc0b1fa43510
-
SHA256
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2
-
SHA512
562fc402f086946c40d14ae0a684db35b9f6a7bf24d6d74c17c9a05a194d3f4fabddda0e2f6f24cbadb63f74d5beb9e52933492cbabda128dd665373e7dbb807
-
SSDEEP
3072:spWpkqcPZkxjRbMl2k7ueySZl/L52hRDdfYh6qtz7wqLTfzv/q:NWNZkxB82k7uRST/2RDdAh5lRLLu
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 2 IoCs
Cosmu is a worm written in C++.
resource yara_rule behavioral1/files/0x000500000002279a-1.dat family_cosmu behavioral1/files/0x000400000001ee71-5.dat family_cosmu -
Renames multiple (4834) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.IO.Packaging.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ReachFramework.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Resources.ResourceManager.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Input.Manipulations.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\af.pak.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Common Files\System\ado\msadomd.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.Specialized.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Security.Cryptography.Pkcs.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\UIAutomationTypes.resources.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\LICENSE.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4360
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5338e784b025f163f80ceda99a3a763d0
SHA172368fe840f2315a413d5247b04592eb474f29d0
SHA256fc14b0ac8cbb31a9fba47f496fc7fa1eb3792e2d73aec81e2ef29c31df8ea098
SHA5128ace6c2fcade70d9362da41b314f379dd8a753e2857760aa3e2b0b5080189bda39fbc7b3e6f0d90909ca236ba05e0996dae2354afb1eafd168cf49d9a0f12f22
-
Filesize
238KB
MD5f333544a1b3928e5258cd3013a0c68c8
SHA17c975346b4e2600b0b99a2fcbbe544011cf3ab0a
SHA256e8067473e14624bc91be379458a0d818dd9f7f592dc3a5466aebc5100d82bf8b
SHA512509a231d5ea0bbde6abd2cde9ca65cb3c664bf486a1ba795585be23a8a41fe7a3fe64111d822aca928d740a8aa4a3b2d6c96ac6d16f805db1734407f8f5a5b57