Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n5n9kscn6t
Target 65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52
SHA256 65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52

Threat Level: Known bad

The file 65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (4839) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:58

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:58

Reported

2025-05-29 12:01

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (4839) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe

"C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

MD5 525c7210e41d12f93150a23cba336bc0
SHA1 cfc27b79b5f38e1f75dba9d4bce9a1953b165ca5
SHA256 f05c9246dc809a7a1e0d7aab3ffc3079bcb154b8c3b95feaf6950eead92c8179
SHA512 efadbba0abebe80d5a8d62e2509b6ac259c3fac04082f9e7f6310b861bc98bfb9c6cdb0905be3015218ff5840c46a7ec2562c56b16535c3690dcc9dc7e9eed21

C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

MD5 19bef3ecc2afc72fc919a9410bdc2c17
SHA1 2269faa31c0b323db620031cd2edfe5bdde278a2
SHA256 8ba8e187f2e47ee8da7dc8158237c23956ad21368099d9490f96c98e1b81f975
SHA512 76a542dbd3840fee67acf487ed9391ca720ce8ba07634cf1d06f561cbbd05e87a9378145a0b306587af97d02538d3bcfef9768b30bd4c7a36f341e1c89ba9163