Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:55

General

  • Target

    121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe

  • Size

    30KB

  • MD5

    ad50c4198037eb09a5487d51412dfbe0

  • SHA1

    fabb445bb8121f9bfa0c56a310d06ff975e35f91

  • SHA256

    121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9

  • SHA512

    cc469d2570cb2a0114b6948f0873cee95e5c33466659031c9b9f0169664df4f81d9694b1eb59a186dadd00c56c2a4e4b88434e3d1d42ae832db87196e7531a09

  • SSDEEP

    768:uZ4FLz8ae+rOn8ae+rO+4500n1kJ00n1kZ/O:uGII+491011

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5124) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe
    "C:\Users\Admin\AppData\Local\Temp\121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4028

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

          Filesize

          31KB

          MD5

          a216a250f2eb783641675ba12d89bdea

          SHA1

          2866599ea8b2b6542ba547bb79e49703f8fe09ab

          SHA256

          6a70d0b30e7eba1904ac641c46fe9171efc24b0a713978a879e9a1ee8c49324f

          SHA512

          452acdd610a1da3c7bd2a684edd1041471c4e6a77a4d62b1cb24d9308479cde80580763c69974173e03fb9b79060ed68bb29861bf71738356036f6babca0d497

        • C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

          Filesize

          112KB

          MD5

          c80f6af449d4ac52255e610815b3e198

          SHA1

          db6ca86dcaf2ff82b17a4c19205f3c25c92dde1d

          SHA256

          b6ffe87e5240acb3a0a35720ffc895cc091a06a643dc0045f30e28a61d515744

          SHA512

          62e3edff9a5ed635aa2c2f756267f01696621a8f4d8f32637892ee725a3f75ceb9f9f669c176d717faed2de597a15ce52e0f8adc3d05638919a058585363a826

        • memory/4028-795-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB