Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2025, 11:58
Behavioral task: behavioral1
- Sample: 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
- Resource: win10v2004-20250502-en
Behavioral task: behavioral2
- Sample: 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
- Resource: win11-20250502-en
General
- Target: 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
- Size: 71KB
- MD5: c9ab956edf13c45c7bdc61f6ed93342f
- SHA1: 18d305389c686684e11ad9016332160a4e14a713
- SHA256: 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8
- SHA512: ae963d7c9133c7fa46e0500372ad2ee8a87720db7acb5f7eb37f38744f6f851cca62fc518881313f522c73c718a7a4e85811c4afee74d8d02ae16ed4d0f58714
- SSDEEP: 768:s7BlpppARFbhdLz8ae+rOn8ae+rOoJhiJhYytt:s7ZppApdIIoJhiJhYm
Malware Config
Signatures
- Cosmu family
- Detects Cosmu payload (2 IoCs)
  Cosmu is a worm written in C++.
  resource: behavioral1/files/0x000c000000023fa1-1.dat, yara_rule: family_cosmu
  resource: behavioral1/files/0x000300000001f0de-5.dat, yara_rule: family_cosmu
- Renames multiple (5123) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
  description: File created (all 64 entries); Process: 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe (all 64 entries)
  ioc:
  C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Resources.Writer.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp
  C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp
  C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.tmp
  C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp
  C:\Program Files\7-Zip\Lang\uz.txt.tmp
  C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp
  C:\Program Files\7-Zip\Lang\mng2.txt.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp
  C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\System.Windows.Forms.Design.resources.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp
  C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp
  C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ja.pak.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.tmp
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\WindowsFormsIntegration.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.EventBasedAsync.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp
  C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.tmp
  C:\Program Files\7-Zip\Lang\nb.txt.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Data.DataSetExtensions.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp
  C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp
  C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp
  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.tmp
  C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.tmp
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"
  PID: 4120
  Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 71KB
  MD5: 29b48b35249c76cbe9ef0204031b12fd
  SHA1: f70de9fe947112fb55f8aa35e4676193f8e4f607
  SHA256: d29217e35baf484f3b2e90b9100dbda372b133a3051a9c94517f01903643150f
  SHA512: 833b881da30aa72c1946939fb6365265cf63a7052b8e19240e6821667b5946b5762bbedeadc643cf1e6882ea1515f2b15650ac7f38af51efd7803103c7bf853c
- Filesize: 152KB
  MD5: 48cc05c2b894eab50a59c33766e0132b
  SHA1: 478bdbea1daa1001aa3f6c60983fa34216ea4cbb
  SHA256: a4cecbd1e12bc98b3e1806d1d42a12b6bd7d33a934bbd5fce2983446d7d81054
  SHA512: e61870feb1dad14fa2507b886dcf9ecae7756dff5913dd53c098247659e35d4b6adaa7de2e6ff73753480ca43827e56e2727020098a38cd72e0e3110f4e85f06