Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 10:07

General

  • Target

    7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe

  • Size

    152KB

  • MD5

    d3d0b83acb1010b38bd7b4c9c6d2a4c9

  • SHA1

    44af10e830257831f5ea90be0c74fc0b1fa43510

  • SHA256

    7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2

  • SHA512

    562fc402f086946c40d14ae0a684db35b9f6a7bf24d6d74c17c9a05a194d3f4fabddda0e2f6f24cbadb63f74d5beb9e52933492cbabda128dd665373e7dbb807

  • SSDEEP

    3072:spWpkqcPZkxjRbMl2k7ueySZl/L52hRDdfYh6qtz7wqLTfzv/q:NWNZkxB82k7uRST/2RDdAh5lRLLu

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (4834) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
    "C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4360

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

          Filesize

          153KB

          MD5

          338e784b025f163f80ceda99a3a763d0

          SHA1

          72368fe840f2315a413d5247b04592eb474f29d0

          SHA256

          fc14b0ac8cbb31a9fba47f496fc7fa1eb3792e2d73aec81e2ef29c31df8ea098

          SHA512

          8ace6c2fcade70d9362da41b314f379dd8a753e2857760aa3e2b0b5080189bda39fbc7b3e6f0d90909ca236ba05e0996dae2354afb1eafd168cf49d9a0f12f22

        • C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

          Filesize

          238KB

          MD5

          f333544a1b3928e5258cd3013a0c68c8

          SHA1

          7c975346b4e2600b0b99a2fcbbe544011cf3ab0a

          SHA256

          e8067473e14624bc91be379458a0d818dd9f7f592dc3a5466aebc5100d82bf8b

          SHA512

          509a231d5ea0bbde6abd2cde9ca65cb3c664bf486a1ba795585be23a8a41fe7a3fe64111d822aca928d740a8aa4a3b2d6c96ac6d16f805db1734407f8f5a5b57