Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250502-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    29/05/2025, 11:58

General

  • Target

    2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe

  • Size

    71KB

  • MD5

    c9ab956edf13c45c7bdc61f6ed93342f

  • SHA1

    18d305389c686684e11ad9016332160a4e14a713

  • SHA256

    2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8

  • SHA512

    ae963d7c9133c7fa46e0500372ad2ee8a87720db7acb5f7eb37f38744f6f851cca62fc518881313f522c73c718a7a4e85811c4afee74d8d02ae16ed4d0f58714

  • SSDEEP

    768:s7BlpppARFbhdLz8ae+rOn8ae+rOoJhiJhYytt:s7ZppApdIIoJhiJhYm

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5123) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
    "C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4120

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.tmp

    Filesize
    71KB

    MD5
    29b48b35249c76cbe9ef0204031b12fd

    SHA1
    f70de9fe947112fb55f8aa35e4676193f8e4f607

    SHA256
    d29217e35baf484f3b2e90b9100dbda372b133a3051a9c94517f01903643150f

    SHA512
    833b881da30aa72c1946939fb6365265cf63a7052b8e19240e6821667b5946b5762bbedeadc643cf1e6882ea1515f2b15650ac7f38af51efd7803103c7bf853c

  • C:\f21fae8705b262c53286e8\2010_x86.log.html.tmp

    Filesize
    152KB

    MD5
    48cc05c2b894eab50a59c33766e0132b

    SHA1
    478bdbea1daa1001aa3f6c60983fa34216ea4cbb

    SHA256
    a4cecbd1e12bc98b3e1806d1d42a12b6bd7d33a934bbd5fce2983446d7d81054

    SHA512
    e61870feb1dad14fa2507b886dcf9ecae7756dff5913dd53c098247659e35d4b6adaa7de2e6ff73753480ca43827e56e2727020098a38cd72e0e3110f4e85f06