Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win11-20250502-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    29/05/2025, 11:58

General

  • Target

    2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe

  • Size

    71KB

  • MD5

    c9ab956edf13c45c7bdc61f6ed93342f

  • SHA1

    18d305389c686684e11ad9016332160a4e14a713

  • SHA256

    2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8

  • SHA512

    ae963d7c9133c7fa46e0500372ad2ee8a87720db7acb5f7eb37f38744f6f851cca62fc518881313f522c73c718a7a4e85811c4afee74d8d02ae16ed4d0f58714

  • SSDEEP

    768:s7BlpppARFbhdLz8ae+rOn8ae+rOoJhiJhYytt:s7ZppApdIIoJhiJhYm

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5078) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe
    "C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:5820

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-434880884-4028056734-3558218839-1000\desktop.ini.tmp

          Filesize

          71KB

          MD5

          8f33470bed9650c7080a36ab025526fd

          SHA1

          dc7fa77cf9392b2946e85eb4690bb068a7e2eafd

          SHA256

          b5656af1f227c40bd9471c9ef2e4ddd32860cf83ed2948673e0036140c29910c

          SHA512

          def55de4019ab769a716cccda170a999c3f5facf64582add1d55a29a44fd1ea8851add07bf91601451d312f38fa81ae3facf040707a72d9474dee57f9b95da22

        • C:\adad24410ad15e7b1e4f8836d3a6\2010_x86.log.html.tmp

          Filesize

          152KB

          MD5

          dc9cc2476d2cfc936f71d74f46e5da18

          SHA1

          5725af0f0586284174e019533f3b555863eea866

          SHA256

          6dbcafd7eaed6e7b0d1ae4bcaf40f72065b3d6c94f9f61e99abae851b6294519

          SHA512

          7e85566ebe60de8a6a24b9ffefcc0658bad915060faef277f3c029ba57f38085db02a91c3611a2503ec3548e94105b11c089c3dd36bc602b9d0e0673661d29ce