Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:58

General

  • Target

    7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe

  • Size

    68KB

  • MD5

    956c13e1f38ff53f49a4e7097a753132

  • SHA1

    0163a9811accc1264051214da0417de81063c2e3

  • SHA256

    7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c

  • SHA512

    54b850c4e2b0889d264cd2927c4660e877714286a5db87937f589867b2b785c983bc54c9feefd44f92a80338bd254fce1405994ed748f16e714bead63642cbab

  • SSDEEP

    768:uZ4FLz8ae+rOn8ae+rO+4jMtfFXYi8jy2ChKuveS5LMjvwZvWXGh0KaKsyRQWOUD:uGII+4jAdCjHKPn8XGSfYRQWX

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5060) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe"
    PID: 2788
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp

    Filesize
    69KB

    MD5
    1ae2abc0d622e1ea4da6cf8bf1e4f88c

    SHA1
    86a94be3ba18a53658864ccf82f88c9e1140552e

    SHA256
    52ac8c2e66b49d7190ab58965f78f4c07ecb2ad9db0133fb3ec23167c4ce374c

    SHA512
    6e7224436910e2a305f0038862eedd7d535b470b7493e97c92b0f874a4191645ba3718a17da25c89c2a44dd4bcb1a2b7c772e3a250f4a078b848a948cd09ee8e

  • C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp

    Filesize
    149KB

    MD5
    90f2af2c4131c59c4ecc75e228a2ee4a

    SHA1
    d207f97de079bcfdf429256eed3f85b6c5c5afdb

    SHA256
    e940ae7ae8ccff65a21aac6d52a8198d100b47ed3677aa9f905a1d0b5b7c4e48

    SHA512
    9e7e83f22f8b5fd1e4d4d33e2b0f3d372557b2b761ffe952802df6ffdbda94d478f2212d9c4f8b60220ea7dd74057c0a711101ff3272de375e2ba68969a96732

  • memory/2788-803-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize
    28KB