Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/05/2025, 10:07

General

  • Target

    7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe

  • Size

    152KB

  • MD5

    d3d0b83acb1010b38bd7b4c9c6d2a4c9

  • SHA1

    44af10e830257831f5ea90be0c74fc0b1fa43510

  • SHA256

    7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2

  • SHA512

    562fc402f086946c40d14ae0a684db35b9f6a7bf24d6d74c17c9a05a194d3f4fabddda0e2f6f24cbadb63f74d5beb9e52933492cbabda128dd665373e7dbb807

  • SSDEEP

    3072:spWpkqcPZkxjRbMl2k7ueySZl/L52hRDdfYh6qtz7wqLTfzv/q:NWNZkxB82k7uRST/2RDdAh5lRLLu

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (4926) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with an extra extension.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
    "C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2368

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp

          Filesize

          153KB

          MD5

          5bfee5826ce7681e090433f46014685e

          SHA1

          edd6440d3f1aadef1c298ac8506b7558ab50e7cb

          SHA256

          797742a3f8a97b4da06d81f5e1c0f3742bc0159071ec4ff642ce6f4642c10e48

          SHA512

          f63ad438951a0db69f067380ca4acd705b93711592bf2e651988349fc540273c080798d38cb3c257f1d45ca867cdf5a8ed78df382f219e9ce497cfbec5ef4ce2

        • C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp

          Filesize

          233KB

          MD5

          28adc0e1308f2dd9e86c197cf6aa2743

          SHA1

          2bcb21a089af691feb9f0bc5e32b20bd8b193b62

          SHA256

          ef601b5c0d251f33931553c8e5f7922fff93ceaeea054ca0ea14892936f8c38d

          SHA512

          a99d2a007276e5ff5bd69cc9e81ccb1c0b3e640b9dd50ab646e68a0b02b9dc3131054eef306c07e22db248547d29a51f24a244eeecf016f48a77f8c071350f1a
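The "renames multiple files with added filename extension" signature above and the `.tmp` names in the Downloads section (`desktop.ini.tmp`, `2010_x86.log.html.tmp`) describe the same artefact: an original name that keeps its real extension and gains one more. The script below is an added triage helper, not code from the sandbox or from the Cosmu sample; it reproduces that heuristic over a file listing so it can be run against a host's own directory walk or a dropped-file list. The listing is constructed: the first two paths come from this report, the rest are hypothetical, and the `threshold` value is an assumed tuning knob.

```python
"""Triage helper for the 'renames multiple files with added filename extension'
signature: scan a file listing for names of the form <name>.<orig_ext>.<added_ext>
and count how many share the same added extension.

Added example for this report, not code from the sandbox. The listing below is
constructed: the first two paths are the dropped files named in the report's
Downloads section, the others are hypothetical padding.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Compound extensions that legitimately end in two suffixes; treating these as
# renames would be a false positive.
KNOWN_COMPOUND = {(".tar", ".gz"), (".tar", ".bz2"), (".tar", ".xz")}

# Constructed listing (two real paths from the report, the rest hypothetical).
SAMPLE_LISTING = [
    r"C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp",
    r"C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp",
    r"C:\Program Files\Example\readme.txt.tmp",   # hypothetical
    r"C:\Program Files\Example\app.exe",          # hypothetical, not renamed
    r"C:\Users\Admin\Documents\notes.docx.tmp",   # hypothetical
    r"C:\Windows\Temp\setup.tmp",                 # hypothetical, ordinary temp file
    r"C:\Users\Admin\Downloads\backup.tar.gz",    # hypothetical, compound extension
]


def added_extension(path):
    """Return (original_ext, added_ext) when the final name carries an extra
    suffix on top of a real extension, e.g. desktop.ini.tmp -> ('.ini', '.tmp').
    Returns None for single-suffix names and for known compound extensions."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) < 2:
        return None
    pair = (suffixes[-2], suffixes[-1])
    if pair in KNOWN_COMPOUND:
        return None
    return pair


def summarize_renames(paths, threshold=100):
    """Count renamed files per added extension and decide whether the pattern
    looks like mass renaming.

    threshold is an assumed tuning knob: the sandbox flagged 4926 renames, but a
    far lower count of one added extension spread over unrelated directories is
    already worth an alert on a real host.
    """
    by_added = Counter()
    directories = set()
    for p in paths:
        hit = added_extension(p)
        if hit is None:
            continue
        by_added[hit[1]] += 1
        directories.add(str(PureWindowsPath(p).parent))
    top_ext, top_count = (by_added.most_common(1) or [(None, 0)])[0]
    return {
        "renamed": sum(by_added.values()),
        "by_added_ext": dict(by_added),
        "top_added_ext": top_ext,
        "directories": len(directories),
        "suspicious": top_count >= threshold,
    }


if __name__ == "__main__":
    # With the constructed listing, four files share the added '.tmp' extension
    # across four directories; a low threshold makes the verdict visible here.
    print(summarize_renames(SAMPLE_LISTING, threshold=3))
```

On a live host, feed `summarize_renames` the output of a recursive directory walk rather than the constructed list; the number of distinct directories is the useful second signal, since a single build directory full of `.log.tmp` files is normal while the same added extension under `$Recycle.Bin`, `Program Files` and a user profile at once is not.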