Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n3xg6scn5s
Target 121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9
SHA256 121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file 121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5124) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:55

Reported

2025-05-29 11:58

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5124) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe

"C:\Users\Admin\AppData\Local\Temp\121f20c82d0c2e7fd44e6f52e78cc84ed80dca691a7a49a79796036a3d15c0f9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

MD5 a216a250f2eb783641675ba12d89bdea
SHA1 2866599ea8b2b6542ba547bb79e49703f8fe09ab
SHA256 6a70d0b30e7eba1904ac641c46fe9171efc24b0a713978a879e9a1ee8c49324f
SHA512 452acdd610a1da3c7bd2a684edd1041471c4e6a77a4d62b1cb24d9308479cde80580763c69974173e03fb9b79060ed68bb29861bf71738356036f6babca0d497

C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

MD5 c80f6af449d4ac52255e610815b3e198
SHA1 db6ca86dcaf2ff82b17a4c19205f3c25c92dde1d
SHA256 b6ffe87e5240acb3a0a35720ffc895cc091a06a643dc0045f30e28a61d515744
SHA512 62e3edff9a5ed635aa2c2f756267f01696621a8f4d8f32637892ee725a3f75ceb9f9f669c176d717faed2de597a15ce52e0f8adc3d05638919a058585363a826

memory/4028-795-0x0000000000400000-0x0000000000407000-memory.dmp