Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/05/2025, 11:55

General

  • Target

    2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe

  • Size

    7.3MB

  • MD5

    3d8ff4e557fda46d35764966472eafd0

  • SHA1

    99c2d5a979ab966ff2a02a9137446af9fcbc9870

  • SHA256

    2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a

  • SHA512

    120fab64f0df9c62767166f938af617e0861557d279daba307d23bea22d4e19c8e0e24b3e854ef5c8aaa7621b5fa6030629ab0e53fd9811b17a5bc1612d30c5f

  • SSDEEP

    98304:+waCELMjOLIalJ67sj4jmpRMTcToaxLQsp1RXp9nGeyYnXrwFZN8M4:+waCYLIal06MTo9RPGeyurwmL

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (350) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    An attempt to gather information about the system language of a victim host in order to infer its geographical location.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe
    "C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:3724

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1283078542-320785498-2248628612-1000\desktop.ini.tmp

          Filesize

          7.3MB

          MD5

          16e1dcf6610233508b5f47884929c6a1

          SHA1

          e1da555385fdf75824129e02b5da423892f9e5b3

          SHA256

          c5292dcca371b6144f751a06b6ea83c1a04c6a92d9cba0d8b6c24b3ecd6c985c

          SHA512

          9ccc1e0bf0c23f264045778b655804583a11619f1ccc88c0c73bd6a4c34c192717bf93fa54bbe9906cb7da7b02bdf4323c88c73edb72b2ec146397678a781ad2

        • C:\caf455ed4ae411b0ba0aa2\2010_x64.log.html.tmp

          Filesize

          7.4MB

          MD5

          e5778a5a0aa7ae43828bcc33ba2d4fcd

          SHA1

          31795adc08f4f6cc737bbbe35ba138193823d048

          SHA256

          3cda5bcd692b443e01775f0eeb2cc1acf479cf59dddf9c7e5ca2e47c2dc7a821

          SHA512

          832edd962a7a5bd5a60987d5dd0377e7d2b43927ad736129de5ce8469790830e8f6dc4e74365056176f739ef83068650e66941af011b5c37ffb87b6477236acb

        • memory/3724-85-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB