Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:58

General

  • Target

    59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe

  • Size

    133KB

  • MD5

    d01f29ca822ea6d0b65d4997aa8252a9

  • SHA1

    e3800ae952beed650dd328008460d730395d21f7

  • SHA256

    59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d

  • SHA512

    b2614f72ab9299e3bff94e6a2c8684d8733d4373c67b2d3b254f257109d25044d9eb392478c9efa708b00492f36f51c2faec70a6ab7c5bf334dbb8d845e2a6a7

  • SSDEEP

    1536:s7ZppApdIIXJUDJUzreQvow2GIIXJUDJUzreQvowe:spWp1reVwDreVwe

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 4 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (4867) files with added filename extension

    Mass renaming that appends an extension is consistent with ransomware encrypting the files on the system. The signature is a rename-count heuristic, so it cannot by itself distinguish encryption from a worm overwriting or copying over files; corroborate it by comparing the contents or hashes of the renamed files against the originals.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.
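
The mass-rename signature above is a heuristic: it counts files whose name gained a suffix and fires past a threshold, which is why the report says the activity "suggests" rather than confirms encryption. The following Python, added here as an illustration and not the sandbox's own detection code, runs that heuristic over a constructed list of file events and then shows the corroboration step a practitioner would add, comparing a file's contents before and after the rename to separate a self-copy of the sample (worm behaviour) from high-entropy output (likely encryption). The paths, event tuples, threshold and sample bytes are all made up; this report lists only the hashes of the renamed .tmp files, not of the originals, so that comparison cannot be made from the page alone.

```python
"""Mass-rename heuristic of the kind behind the 'Renames multiple files with
added filename extension' signature, plus a content check to corroborate it.
Added example with constructed data; not the sandbox's own detection code."""
import math
import ntpath                      # Windows path rules regardless of host OS
from collections import Counter

# Constructed file-system events: (operation, source path, destination path).
# Five renames only append ".tmp"; the last three must not count.
EVENTS = [
    ("rename", r"C:\Users\Admin\Documents\report.docx",
               r"C:\Users\Admin\Documents\report.docx.tmp"),
    ("rename", r"C:\Users\Admin\Documents\budget.xlsx",
               r"C:\Users\Admin\Documents\budget.xlsx.tmp"),
    ("rename", r"C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini",
               r"C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini.tmp"),
    ("rename", r"C:\Program Files\Vendor\readme.txt",
               r"C:\Program Files\Vendor\readme.txt.tmp"),
    ("rename", r"C:\Users\Admin\Pictures\cat.jpg",
               r"C:\Users\Admin\Pictures\cat.jpg.tmp"),
    ("rename", r"C:\Users\Admin\old.log", r"C:\Users\Admin\archive\old.log"),  # move
    ("rename", r"C:\Users\Admin\notes.txt", r"C:\Users\Admin\notes.md"),       # swap
    ("write",  r"C:\Users\Admin\AppData\Local\Temp\x.exe", None),              # not a rename
]


def added_extension(src, dst):
    """Return the single extension appended to src to form dst, else None.
    Counts only 'name.ext' -> 'name.ext.NEW' within the same directory."""
    if dst is None:
        return None
    src_dir, src_name = ntpath.split(src)
    dst_dir, dst_name = ntpath.split(dst)
    if src_dir.lower() != dst_dir.lower() or not dst_name.startswith(src_name + "."):
        return None
    ext = dst_name[len(src_name):]          # keeps the leading dot, e.g. ".tmp"
    return ext if len(ext) > 1 and "." not in ext[1:] else None


def mass_rename_verdict(events, threshold):
    """Count extension-appending renames; fire once the count reaches threshold.
    The threshold is a free parameter of the heuristic, hence the caveat: any
    tool that renames many files this way (backup, converter, worm) trips it."""
    exts = Counter()
    for op, src, dst in events:
        if op == "rename":
            ext = added_extension(src, dst)
            if ext:
                exts[ext] += 1
    total = sum(exts.values())
    return {"renamed": total, "extensions": dict(exts), "fires": total >= threshold}


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_change(before, after, sample):
    """Corroborate the heuristic with file contents from before/after the rename.
    'self-copy': the file now holds the sample itself (overwrite, not encryption).
    'likely-encrypted': high entropy and the original's first bytes are gone.
    'modified': anything else (appended marker, partial rewrite, etc.)."""
    if after == sample:
        return "self-copy"
    if shannon_entropy(after) > 7.5 and before[:16] not in after:
        return "likely-encrypted"
    return "modified"


if __name__ == "__main__":
    print(mass_rename_verdict(EVENTS, threshold=5))
    # Constructed contents: plaintext before, a byte-uniform blob standing in
    # for ciphertext, and a fake sample image.
    SAMPLE = b"MZ" + bytes(130)
    print(classify_change(b"hello world " * 100, bytes(range(256)) * 5, SAMPLE))
    print(classify_change(b"hello world " * 100, SAMPLE, SAMPLE))
```

The threshold is deliberately a parameter: the same five renames fire at a threshold of 5 and stay silent at 50, which is the point of the caveat. In a real triage the `before` bytes come from a pre-detonation snapshot or a file-content log, and `sample` is the submitted binary; without those the signature remains a lead, not a conclusion.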

Processes

  • C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe
    "C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1732

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.tmp

    Filesize
    133KB

    MD5
    3e890b606efa6ee02c254405e39435c6

    SHA1
    67d4d8f1e70c48c6492c7bd14fcd953e8b0e9a6f

    SHA256
    17126e00fe33b713ec900501959fde295929b5d9cc42ca30d28ea83d0804c169

    SHA512
    9fd345b1c8a97eb0a3fcf5c0388251dff340c8941d05ddf2bed6b9c9febf83f72e67d588a49a630869fa20f587e4fd031aa7c811cc721b76251f2402a7b97783

  • C:\f21fae8705b262c53286e8\2010_x86.log.html.tmp

    Filesize
    214KB

    MD5
    f6f775706bf66b17c531efe07df2ef1e

    SHA1
    f3c3f36c9de31fc6b7a852d054e1d28a986c2e08

    SHA256
    1e939fd3539b682727d207ad772a7a0527aa68e38404df810ba827039a4daa29

    SHA512
    d8e179ee7d3568e0f8d1772187a9550d3134be13fce83212bf83ac4d9f7bb95b1069ca7f2f3c74f2631c1d6ecade4c110ac46226c07c48ae7ef76b9a8e66ce80

  • memory/1732-0-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize
    28KB

  • memory/1732-676-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize
    28KB