Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system -
submitted
29/05/2025, 10:07
Behavioral task
behavioral1
Sample
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Resource
win11-20250502-en
General
-
Target
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
-
Size
152KB
-
MD5
d3d0b83acb1010b38bd7b4c9c6d2a4c9
-
SHA1
44af10e830257831f5ea90be0c74fc0b1fa43510
-
SHA256
7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2
-
SHA512
562fc402f086946c40d14ae0a684db35b9f6a7bf24d6d74c17c9a05a194d3f4fabddda0e2f6f24cbadb63f74d5beb9e52933492cbabda128dd665373e7dbb807
-
SSDEEP
3072:spWpkqcPZkxjRbMl2k7ueySZl/L52hRDdfYh6qtz7wqLTfzv/q:NWNZkxB82k7uRST/2RDdAh5lRLLu
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 2 IoCs
Cosmu is a worm written in C++.
resource yara_rule
behavioral2/files/0x000f00000002ac36-1.dat family_cosmu
behavioral2/files/0x00040000000270b6-5.dat family_cosmu -
Renames multiple (4926) files with added filename extension
Mass renames that append an extension to existing filenames are the sandbox's heuristic for ransomware-style encryption of files across the system; 4926 is the number of such renames observed during the run.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
(Process is 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe for every entry below.)
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Controls.Ribbon.dll.tmp
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\UIAutomationClient.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp
File created C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp
File created C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\System.Windows.Forms.resources.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Numerics.Vectors.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp
File created C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp
File created C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT.tmp
File created C:\Program Files\7-Zip\Lang\az.txt.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp
File created C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp
File created C:\Program Files\Common Files\System\ado\msador15.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\ReachFramework.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp
File created C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp
File created C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.Primitives.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps\external_extensions.json.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.X509Certificates.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp -
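The two signatures above, "Renames multiple files with added filename extension" and "Drops file in Program Files directory", rest on one observable: a single process writes, beside or in place of thousands of existing files, a copy carrying an extra extension, and does so across unrelated product trees (dotnet, Office, Java, 7-Zip, Chrome) rather than inside one installer's own directory. The following is an added example written for this page, not code from the sandbox or from any Cosmu analysis: it implements that heuristic as a detector over a constructed file-event stream. Six of the created paths are taken from the IoC table; the event records, the renamed user document, the benign installer process (pid 4100, setup.exe), the FileEvent layout and the thresholds are assumptions made for the demonstration.

```python
"""Mass rename-with-appended-extension detector (added example, not the sandbox's code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = "7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"

@dataclass(frozen=True)
class FileEvent:          # assumed event layout, e.g. from a sandbox or EDR feed
    pid: int
    process: str
    op: str               # "create" or "rename"
    path: str             # created path, or the new path of a rename
    old_path: str = ""    # original path, renames only

@dataclass
class Finding:
    pid: int
    process: str
    extension: str                                       # suffix appended to originals
    count: int = 0
    product_roots: set = field(default_factory=set)      # e.g. c:\program files\java
    original_exts: Counter = field(default_factory=Counter)

def appended_extension(old: str, new: str) -> Optional[str]:
    """Suffix that turns old into new (X.dll -> X.dll.tmp gives '.tmp'), else None.
    Case-insensitive like NTFS; a suffix with a path separator is not an extension."""
    o, n = old.lower(), new.lower()
    if n.startswith(o) and len(n) > len(o):
        suffix = n[len(o):]
        if suffix.startswith(".") and suffix.count(".") == 1 and "\\" not in suffix:
            return suffix
    return None

def shadow_stem(path: str) -> Optional[str]:
    """Created file minus its last extension: the original a .tmp sits beside."""
    directory, _, name = path.rpartition("\\")
    if "." not in name:
        return None
    return directory + "\\" + name.rsplit(".", 1)[0]

def product_root(path: str) -> str:
    """Drive plus two directories, e.g. c:\\program files\\java or c:\\users\\admin."""
    return "\\".join(path.lower().split("\\")[:3])

def original_extension(path: str) -> str:
    name = path.rpartition("\\")[2]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def analyze(events, existing_files, min_count=50, min_roots=3) -> List[Finding]:
    """Bucket events by (pid, appended suffix). A rename counts when it only appends
    a suffix; a create counts when its name is an existing file plus a suffix (the
    X.ext.tmp-beside-X.ext pattern in the IoC table). Alert when one process hits
    >= min_count files spread over >= min_roots product roots, which separates it
    from an installer updating its own tree."""
    existing = {p.lower() for p in existing_files}
    buckets = {}
    for ev in events:
        if ev.op == "rename":
            orig, suffix = ev.old_path, appended_extension(ev.old_path, ev.path)
        elif ev.op == "create":
            orig, suffix = shadow_stem(ev.path), None
            if orig is not None and orig.lower() in existing:
                suffix = appended_extension(orig, ev.path)
        else:
            continue
        if suffix is None:
            continue
        f = buckets.setdefault((ev.pid, suffix), Finding(ev.pid, ev.process, suffix))
        f.count += 1
        f.product_roots.add(product_root(orig))
        f.original_exts[original_extension(orig)] += 1
    return [f for f in buckets.values()
            if f.count >= min_count and len(f.product_roots) >= min_roots]

# Six paths from the report's IoC table; everything else below is constructed.
REPORTED = [
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp",
    r"C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp",
    r"C:\Program Files\7-Zip\Lang\az.txt.tmp",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\default_apps\external_extensions.json.tmp",
    r"C:\Program Files\Common Files\System\ado\msador15.dll.tmp",
]
BENIGN = ["C:\\Program Files\\7-Zip\\Lang\\" + lang + ".txt.tmp"
          for lang in ("en", "de", "fr", "es", "it", "pt")]   # hypothetical installer
USER_DOC = r"C:\Users\Admin\Documents\notes.txt"              # hypothetical user file
EXISTING_FILES = [p[:-len(".tmp")] for p in REPORTED + BENIGN] + [USER_DOC]
EVENTS = ([FileEvent(2368, SAMPLE, "create", p) for p in REPORTED]
          + [FileEvent(2368, SAMPLE, "rename", USER_DOC + ".tmp", USER_DOC)]
          + [FileEvent(4100, "setup.exe", "create", p) for p in BENIGN])

def run_demo() -> List[Finding]:
    # Thresholds lowered so seven constructed events trigger; the run saw 4926 renames.
    return analyze(EVENTS, EXISTING_FILES, min_count=5, min_roots=3)

if __name__ == "__main__":
    for f in run_demo():
        print(f"pid {f.pid} {f.process}: {f.count} files + '{f.extension}' across "
              f"{len(f.product_roots)} roots; originals {dict(f.original_exts)}")
```

Only pid 2368 is reported: the installer writes the same number of .tmp files but inside one product root, so the spread check drops it. The per-finding `original_exts` counter is worth keeping in an alert, because a process that shadows .dll, .exe, .idl, .json and .txt alike is not performing a format-aware update.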
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe
"C:\Users\Admin\AppData\Local\Temp\7e70754070a194ddbaeb7bb830aac040f676bc9b2aa1a5022e36c8c97c212da2.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2368
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
153KB
MD5 5bfee5826ce7681e090433f46014685e
SHA1 edd6440d3f1aadef1c298ac8506b7558ab50e7cb
SHA256 797742a3f8a97b4da06d81f5e1c0f3742bc0159071ec4ff642ce6f4642c10e48
SHA512 f63ad438951a0db69f067380ca4acd705b93711592bf2e651988349fc540273c080798d38cb3c257f1d45ca867cdf5a8ed78df382f219e9ce497cfbec5ef4ce2
-
Filesize
233KB
MD5 28adc0e1308f2dd9e86c197cf6aa2743
SHA1 2bcb21a089af691feb9f0bc5e32b20bd8b193b62
SHA256 ef601b5c0d251f33931553c8e5f7922fff93ceaeea054ca0ea14892936f8c38d
SHA512 a99d2a007276e5ff5bd69cc9e81ccb1c0b3e640b9dd50ab646e68a0b02b9dc3131054eef306c07e22db248547d29a51f24a244eeecf016f48a77f8c071350f1a