Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n5qseacn6v
Target 684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130
SHA256 684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130
Tags: cosmu discovery ransomware worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130

Threat Level: Known bad

The file 684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5277) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:59

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:59

Reported

2025-05-29 12:01

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Renames multiple (5277) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\eventlog_provider.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\7-Zip\Lang\io.txt.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\7-Zip\Lang\az.txt.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxl.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe

"C:\Users\Admin\AppData\Local\Temp\684b848e80e4c95ecb7f2b390d64cc8564219ff506492d64a5d82af7eb911130.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini.tmp

MD5 156f6fe3dcaded100ed61c18bcbfd4c0
SHA1 aba5aa452c3050719d86cff9b297e10cefa246a9
SHA256 e0e005fd3ed44e662ce9a405014450cb14f5d989b7142600025a76bb3100eb92
SHA512 5510a67c38764d2574d844b8129a32f6427d2cb8223720d01ff9aba09aa687ab7590bcb08f4b40afbc20be83a01f030514f473e93ebc121bd204c5f5c2221e64

C:\f32c6debfbe15d219b06a854\2010_x64.log.html.tmp

MD5 d35608ec52edc7a35742e76a96af7b71
SHA1 6ab35c6c29fef77e486d561a03ad6c7e81211b7c
SHA256 a46ab5cf5fbf8962a58dfd8920b0af1e7f1df26ef041c6e459ea2bda24ef4863
SHA512 2d29d4979372a75d58d72eb0c42bf17d10c2a653d24d2e061d1c0d5e10b2734a7d76ccb7bcd848df3e662533e59e709306c0cb94f2e1ab308e9f84032d84dee8