Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:59

General

  • Target

    4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe

  • Size

    39KB

  • MD5

    9d8f3d48ce801fa55fa7d81a3b8b4b66

  • SHA1

    c4f5fc214a1dc973e00d6b7ae93391488786a917

  • SHA256

    4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788

  • SHA512

    b5783e523aea34d7128a12bfd9a8c2fd14795b151317d5b0052c4d77e66b131e78e0d4c9d0ef0f30edaaba1cadef0470f8a190b3da8b8102f931f535d359a672

  • SSDEEP

    768:uZ4FLz8ae+rOn8ae+rOrZkZ/7SRDGRDBYyyQxXAYyyQxX0:uGII1GeFGFBYythAYyth0

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5208) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system. The heuristic fires on the volume of renames alone; the dropped-file list below shows the appended extension is .tmp, and rename events by themselves do not establish that the file contents were encrypted.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
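The two behavioural signatures above (mass rename with an appended extension, and system-language discovery) can be reproduced as detection logic over a sandbox event trace. The block below is an added example and is not part of the report or of any sandbox's own rule set: the event trace is constructed, the rename threshold is an assumed tuning value (the report observed 5208 renames), and the list of locale-query APIs is an assumption, since the report does not state which call the sample made.

```python
"""Replay two of the report's behavioural signatures over a constructed
sandbox event trace of (process id, operation, argument) tuples."""
from collections import defaultdict

# Windows APIs that return the system or user language. Assumed list for the
# example; the report does not state which call the sample made.
LOCALE_APIS = {
    "GetSystemDefaultUILanguage", "GetUserDefaultUILanguage",
    "GetSystemDefaultLangID", "GetUserDefaultLangID",
    "GetSystemDefaultLCID", "GetUserDefaultLCID",
    "GetLocaleInfoW", "GetLocaleInfoA",
}


def added_extension(src, dst):
    """Return the suffix appended to `src` when `dst` is exactly `src` plus one
    more dotted component (report.docx -> report.docx.tmp gives 'tmp').
    Renames that change or strip the extension return None."""
    if not dst.startswith(src):
        return None
    tail = dst[len(src):]
    if tail.startswith(".") and len(tail) > 1 and "." not in tail[1:] and "\\" not in tail:
        return tail[1:].lower()
    return None


def detect_mass_rename(events, threshold=50):
    """Signature 'Renames multiple files with added filename extension'.
    Counts, per process and per appended extension, renames that only append
    a suffix, and flags any (process, extension) pair reaching `threshold`.
    The threshold is an assumed tuning value; the report shows 5208 renames."""
    counts = defaultdict(lambda: defaultdict(int))
    for pid, op, arg in events:
        if op != "rename":
            continue
        ext = added_extension(*arg)
        if ext is not None:
            counts[pid][ext] += 1
    hits = {}
    for pid, per_ext in counts.items():
        flagged = {ext: n for ext, n in per_ext.items() if n >= threshold}
        if flagged:
            hits[pid] = flagged
    return hits


def detect_language_discovery(events):
    """Signature 'System Location Discovery: System Language Discovery'
    (ATT&CK T1614.001): any call to a locale-query API by a process."""
    calls = defaultdict(set)
    for pid, op, arg in events:
        if op == "api" and arg in LOCALE_APIS:
            calls[pid].add(arg)
    return {pid: sorted(apis) for pid, apis in calls.items()}


def evaluate(events, threshold=50):
    """Produce report-style signature lines for a trace."""
    lines = []
    for pid, per_ext in detect_mass_rename(events, threshold).items():
        for ext, n in per_ext.items():
            lines.append(f"PID {pid}: Renames multiple ({n}) files with added filename extension .{ext}")
    for pid, apis in detect_language_discovery(events).items():
        lines.append(f"PID {pid}: System Language Discovery via {', '.join(apis)}")
    return lines


def build_events():
    """Constructed trace, not the sample's real activity: one process appends
    .tmp to 60 user files and queries the UI language; another process makes
    three editor-style .bak backups and one unrelated API call."""
    events = []
    for i in range(60):
        src = f"C:\\Users\\Admin\\Documents\\file{i}.docx"
        events.append((2896, "rename", (src, src + ".tmp")))
    # Extension replaced rather than appended: must not count.
    events.append((2896, "rename", ("C:\\Temp\\x.txt", "C:\\Temp\\x.doc")))
    for i in range(3):
        src = f"C:\\Users\\Admin\\Desktop\\notes{i}.txt"
        events.append((4120, "rename", (src, src + ".bak")))
    events.append((2896, "api", "GetUserDefaultUILanguage"))
    events.append((4120, "api", "CreateFileW"))
    return events


if __name__ == "__main__":
    for line in evaluate(build_events()):
        print(line)
```

The threshold is what keeps the editor's three .bak backups out of the result at the default setting; lowering it to 3 flags that process too, which is the trade-off a rule author tunes against their own environment's baseline.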

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe
    "C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2896

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

    Filesize

    40KB

    MD5

    26235591df534765a82d2bb665a00b60

    SHA1

    fc3dd307530346df42d86d91dcb6c817d590bd78

    SHA256

    db78dd80518b347d43f365efa44af8d387561e4666f5eea6eecf75084b4aa25b

    SHA512

    af75a3755c8962ca7b321c4efc6289002321d4652e277421d6636e158246c5101286986f985830f0eef7edfe84551b74e44683b2c2ea3a59a223712a134040d6

  • C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

    Filesize

    126KB

    MD5

    5ad3f6e275d9f23ff8892f372efa0ad4

    SHA1

    6a4366e96a45a2e323f49bbae3e7fd4b4d638d79

    SHA256

    615146c8c02d3ccfc58a8017e0428d31b66d2ac9d09c719b535cabf76ba0ee2f

    SHA512

    e36995ddd25534920418a7ad8d9cdcd007dbfdee38cb59f223abcbe36c0a2b386d02606f5aa86165763d15c8aec0e39e6b2aa9116325103849c49cf5e1f19837

  • memory/2896-809-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB
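To hunt for the sample and its dropped files on other hosts, the file digests from the General and Downloads sections can be checked against a directory tree. The block below is an added example, not tooling from the report or the sandbox: the IoC table is copied from the digests on this page, the hashing reads each file once and feeds all four algorithms, and the demo tree holds constructed test-vector files (b"abc" and an empty file), not the sample.

```python
"""Single-pass multi-digest scan of a directory tree against the report's
file IoCs."""
import hashlib
import os
import tempfile

# Digests copied from the report above: the sample and its two dropped files.
REPORT_IOCS = {
    "sha256": {
        "4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788": "sample .exe",
        "db78dd80518b347d43f365efa44af8d387561e4666f5eea6eecf75084b4aa25b": "desktop.ini.tmp",
        "615146c8c02d3ccfc58a8017e0428d31b66d2ac9d09c719b535cabf76ba0ee2f": "2010_x64.log.html.tmp",
    },
    "md5": {
        "9d8f3d48ce801fa55fa7d81a3b8b4b66": "sample .exe",
        "26235591df534765a82d2bb665a00b60": "desktop.ini.tmp",
        "5ad3f6e275d9f23ff8892f372efa0ad4": "2010_x64.log.html.tmp",
    },
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_file(path, chunk=1 << 20):
    """Read the file once and feed every chunk to all four hashes, so a
    large tree costs one disk pass rather than four."""
    hs = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def scan_tree(root, iocs=REPORT_IOCS):
    """Return {path: (algorithm, label)} for files whose digest is in `iocs`.
    Unreadable files (locked, permission denied) are skipped, not fatal."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue
            for algo, table in iocs.items():
                label = table.get(digests.get(algo, ""))
                if label:
                    hits[path] = (algo, label)
                    break
    return hits


def build_demo_tree():
    """Constructed files (standard test vectors), not the sample or its drops."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    with open(os.path.join(root, "abc.bin"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(root, "empty.bin"), "wb") as f:
        pass
    return root


def demo():
    """Scan the constructed tree twice: against the report's IoCs (no match
    expected) and against a table keyed on the SHA-256 of b'abc'."""
    root = build_demo_tree()
    known = {"sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad": "abc test vector"}}
    return {
        "abc_digests": digest_file(os.path.join(root, "abc.bin")),
        "report_hits": scan_tree(root),
        "known_hits": {os.path.basename(p): v for p, v in scan_tree(root, known).items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Matching on SHA-256 is the reliable check; the MD5 entries are kept only because many older blocklists and tickets still carry MD5, and a collision-resistant digest should decide any real match.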