Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n3zbrscn5v
Target 6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740
SHA256 6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740

Threat Level: Known bad

The file 6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (4853) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:55

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:55

Reported

2025-05-29 11:58

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (4853) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\Microsoft.Win32.Registry.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Globalization.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements\SmallLogoCanary.png.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader_icd.json.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\7-Zip\Lang\is.txt.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A
File created C:\Program Files\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe

"C:\Users\Admin\AppData\Local\Temp\6f977507c2351c072005e4d0e5a2d07b262b25b239f326cebf5931870b24f740.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

MD5 20b56da0f4f612bb4dbefdf28566c557
SHA1 ef245b71251b6d94bc6bf11b32910e8fadc72eda
SHA256 e69ea636b997bceb49b603120100e35b62492596a34b4a4a0ba766a3ea6fa1e3
SHA512 ddfb061504d83c2a59e0185cca34f485991c3ad6b933e55cd53593877fe5d16e3aa7426e8ff89f2c0822faaa64c684b725599f3b69df7542c231f2cbb7313d35

C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

MD5 b749f7526d32ea5192a8632ab8f93174
SHA1 a741b929be63f701eb0280cf5b4ff6f9f49edcc8
SHA256 89b92699d4c73f68a8625fc1adddd947290b3f884922a990ab94e0b21dad3a79
SHA512 8f8c61ddde911b61f2c03d9ddb05acdf38ecda146b62ec19a2079b4217db233dc92088a5b84365ed30d7bbe33bafd5dea8992c2ff62c2518b6ed00ab8a908a8a