Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:55

General

  • Target

    2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe

  • Size

    7.3MB

  • MD5

    3d8ff4e557fda46d35764966472eafd0

  • SHA1

    99c2d5a979ab966ff2a02a9137446af9fcbc9870

  • SHA256

    2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a

  • SHA512

    120fab64f0df9c62767166f938af617e0861557d279daba307d23bea22d4e19c8e0e24b3e854ef5c8aaa7621b5fa6030629ab0e53fd9811b17a5bc1612d30c5f

  • SSDEEP

    98304:+waCELMjOLIalJ67sj4jmpRMTcToaxLQsp1RXp9nGeyYnXrwFZN8M4:+waCYLIal06MTo9RPGeyurwmL

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (333) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe
    "C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe"
    1
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2268

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

    Filesize

    7.3MB

    MD5

    819592e45f0069a2e7bf1a1cc7a2f905

    SHA1

    9cb2e02292bc1bfe0864e85a9013e41ad69481fc

    SHA256

    1cf5da50ce1f71a7e32b48433d1acbf1e475dcba33b6308e0c922f2f53a65090

    SHA512

    feaf7e7640c6e3f3cc548cbdd509e5ce31cf1857d055ff416c87b4ee1a9e5f1cf9197e834e828f6d4e2595cc7cb1a0a9516927e32703b06645e930944a507d5c

  • C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

    Filesize

    7.4MB

    MD5

    99d30de333585091fc90a1144a77853f

    SHA1

    cd0ce1c2ebe12685927a122c92cb949a151065c3

    SHA256

    bc8d0500c315070bc3a99fc24ffa600e40a9259101d36ebd4f1c4382fb14fd92

    SHA512

    ea76c0d496028c70884402434899a705c27de979af8cc69716da7da49b0342b1bfb9bd2e809675f7cec8d3a8c3e1506cdd3f6e91f3ec90e79a996681fb3eb0b2

  • memory/2268-85-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB