Malware Analysis Report

2025-06-16 06:28

Sample ID: 250529-n5nm2scn6s
Target: 8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5
SHA256: 8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5
Tags: cosmu discovery ransomware worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5

Threat Level: Known bad

The file 8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5222) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-29 11:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-29 11:58

Reported: 2025-05-29 12:01

Platform: win10v2004-20250502-en

Max time kernel: 150s

Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe"

Signatures

Cosmu

Tags: worm cosmu

Cosmu family

Tags: cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Renames multiple (5222) files with added filename extension

Tags: ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8FR.LEX.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ValueTuple.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\UIAutomationTypes.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.Channels.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\msspell7.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Internet Explorer\iediagcmd.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lij.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Common Files\System\ado\adojavas.inc.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded\manifest.json.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe

"C:\Users\Admin\AppData\Local\Temp\8a22c1523e4518c6cc2ac47bc04048d7b16e3a0a1786c32d4ac5ff15eb85c9e5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
NL | 142.250.27.94:80 | c.pki.goog | tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5: ef393c331c1b8b110da62e36b7146a4d
SHA1: 37ec511e573fded7fe306122659d9ec982aeed1a
SHA256: 1cebf98b58e8053b3b3cf90e3b7e9a04ea14d84a6f02b16c24153af41a19aac1
SHA512: ddf0a53c87f17382dc25a85e0b96ff584bb0d25626b18d9d3348c48d27c06ec79a0bee0e150c6ab517068394a137934afed77f798647163a5ad7488252301440

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5: 923b2061d42cd53fbc07dff7a59bcbf1
SHA1: c463f5178a430614ad8601be5ce5c5664ca95f6c
SHA256: 0426b0a98faa084fecea7f3c1a05c7ccdf75110221522e37cf1e436e3b3c68d5
SHA512: 917b52cf6b46f780764e0ef81245ee0404bf98608e0cc9cc8e4b335023b2fd3e2b8d08ec4c2ac39a5ec46fd17fe2e7f52a173321172c12bbd205cdccf71e8683

memory/4856-803-0x0000000000400000-0x0000000000407000-memory.dmp