Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/05/2025, 11:58

General

  • Target

    7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe

  • Size

    68KB

  • MD5

    956c13e1f38ff53f49a4e7097a753132

  • SHA1

    0163a9811accc1264051214da0417de81063c2e3

  • SHA256

    7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c

  • SHA512

    54b850c4e2b0889d264cd2927c4660e877714286a5db87937f589867b2b785c983bc54c9feefd44f92a80338bd254fce1405994ed748f16e714bead63642cbab

  • SSDEEP

    768:uZ4FLz8ae+rOn8ae+rO+4jMtfFXYi8jy2ChKuveS5LMjvwZvWXGh0KaKsyRQWOUD:uGII+4jAdCjHKPn8XGSfYRQWX

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5209) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each one.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
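The "Renames multiple files with added filename extension" signature above is a heuristic over file-system events: many files whose new name is the old name plus one extra extension. The following Python is an added example (written for this page, not code from the sandbox vendor or from the Cosmu sample) of that heuristic run over a constructed file listing, plus a lookup of SHA-256 values against the three hashes this report lists. The first two listing entries are the dropped-file paths from the report; the remaining paths and the threshold of 3 are assumptions made for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath
import os

# SHA-256 values taken from this report: the submitted sample and the two
# dropped files listed under Downloads. Nothing else is asserted about them.
REPORT_SHA256 = {
    "7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c": "submitted sample",
    "6114a96542c1ebf6667e64f9f957cc26331fedc64629e2d234ca644604aead55": "dropped: desktop.ini.tmp",
    "7e597e69455dfbe295ddc9c2b5eca45e15e7ed14e53b92d28258180ec90fb153": "dropped: 2010_x64.log.html.tmp",
}

# Constructed listing: the first two paths appear in the report; the rest are
# invented to show the mass-rename pattern alongside untouched files.
SAMPLE_LISTING = [
    r"C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp",
    r"C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp",
    r"C:\Users\Admin\Documents\report.docx.tmp",
    r"C:\Users\Admin\Documents\notes.txt.tmp",
    r"C:\Users\Admin\Pictures\photo.jpg.tmp",
    r"C:\Users\Admin\Documents\untouched.txt",
    r"C:\Users\Admin\AppData\Local\Temp\7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe",
]


def added_extension(path):
    """Return (original_name, appended_suffix) when the file name looks like an
    existing name with one more extension appended, otherwise None.
    'desktop.ini.tmp' -> ('desktop.ini', '.tmp'); 'readme.txt' -> None.
    PureWindowsPath is used so backslash paths parse on any host OS."""
    name = PureWindowsPath(path).name
    stem, ext = os.path.splitext(name)
    if not stem or not ext:
        return None
    inner_stem, inner_ext = os.path.splitext(stem)
    if not inner_stem or not inner_ext:
        return None          # only one extension: nothing was appended
    return stem, ext.lower()


def mass_rename_suffixes(paths, threshold):
    """Count files per appended suffix and return {suffix: count} for every
    suffix seen at least `threshold` times. A single large count of one
    suffix is the shape of the report's signature (5209 files here)."""
    counts = Counter()
    for p in paths:
        hit = added_extension(p)
        if hit is not None:
            counts[hit[1]] += 1
    return {suffix: n for suffix, n in counts.items() if n >= threshold}


def match_iocs(sha256_hexes):
    """Map each supplied SHA-256 (case-insensitive) to its label from the
    report when it is one of the hashes listed above."""
    return {h.lower(): REPORT_SHA256[h.lower()]
            for h in sha256_hexes if h.lower() in REPORT_SHA256}


if __name__ == "__main__":
    print(mass_rename_suffixes(SAMPLE_LISTING, 3))
    print(match_iocs(["7E597E69455DFBE295DDC9C2B5ECA45E15E7ED14E53B92D28258180EC90FB153"]))
```

The two-level `splitext` check is deliberately naive: legitimately double-suffixed names such as `archive.tar.gz` will count as "appended", which is why the decision rests on the per-suffix count crossing a threshold rather than on any single file. On a real host the listing would come from file-create or rename telemetry (Sysmon Event ID 11, an EDR file-event stream) rather than a static array.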

Processes

  • C:\Users\Admin\AppData\Local\Temp\7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe
    "C:\Users\Admin\AppData\Local\Temp\7db974c0e72757c15415b821f6a22764c00093dce7273ab41f6b8bb91b3f063c.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:3776

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

          Filesize

          69KB

          MD5

          53379a10e4f85044dbcab1d0b2067e10

          SHA1

          97026bd2b9418385b4cf89c2a8c19ad98c79c3f5

          SHA256

          6114a96542c1ebf6667e64f9f957cc26331fedc64629e2d234ca644604aead55

          SHA512

          21f5a6a233c10bb39af3802ded84c23f2bd9efdc77e809411e72ad19401abae4b955bfd3445973200c6d0abce786ed942fc9948d5abd85385f78091f22c95114

        • C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

          Filesize

          154KB

          MD5

          fd8859155a526194680e62c1d56bf8af

          SHA1

          ddf992b9e3635970313968a5a226909d6991064d

          SHA256

          7e597e69455dfbe295ddc9c2b5eca45e15e7ed14e53b92d28258180ec90fb153

          SHA512

          4218dc25511c53e49a2c188b48abf3c2acfa6549e20cfb15fafcdf52325819a8a7cd47026ffab7ba304a553de9203441c978dc358c69f74e8fb616c636b8c3ab

        • memory/3776-1085-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB