Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n5tjascn6y
Target 4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788
SHA256 4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788

Threat Level: Known bad

The file 4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5208) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:59

Reported

2025-05-29 12:01

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5208) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Formats.Tar.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.Security.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\mscorrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Dynamic.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
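The "Drops file in Program Files directory" rows above are the same behaviour as the "Renames multiple (5208) files with added filename extension" signature seen from the file-creation side: every indicator is an existing file's path with `.tmp` appended, spread across unrelated products (Office, Java, dotnet, Chrome, 7-Zip). The following is an added example, not part of the sandbox report or of any tooling it came from: it parses a few of the report's own rows (copied inline as constructed sample input), recovers the pre-rename path, aggregates hits by product directory, and applies a heuristic that separates this mass-rename pattern from a benign installer writing `.tmp` files under its own directory. The `INSTALLER_ROWS` counter-example, the `mass_rename_suspected` thresholds and all function names are assumptions made for this example.

```python
import ntpath
import re
from collections import Counter

# Constructed sample input: eight rows copied from the report's
# "Drops file in Program Files directory" table, in the report's flattened
# "Description Indicator Process Target" layout, one row per line.
SAMPLE_ROWS = r"""
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Formats.Tar.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A
"""

# Constructed counter-example (hypothetical, not from the report): a benign
# installer writing its own .tmp files inside a single product directory.
INSTALLER_ROWS = r"""
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\Downloads\7z-setup.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\Downloads\7z-setup.exe N/A
"""

# The Indicator column may contain spaces ("Program Files", "Microsoft Office");
# in this report the Process path (...\AppData\Local\Temp\...) and the Target
# ("N/A") never do, so take the last two whitespace tokens as process/target
# and everything in between as the indicator.
ROW_RE = re.compile(r"^File created (?P<indicator>.+) (?P<process>\S+) (?P<target>\S+)$")

APPENDED_EXT = ".tmp"  # the extension the report shows appended to every target


def parse_file_created(text):
    """Return the 'File created' rows of a flattened indicator table as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def original_path(created):
    """Path the file had before the extension was appended, or None."""
    if not created.lower().endswith(APPENDED_EXT):
        return None
    return created[: -len(APPENDED_EXT)]


def program_dir(path):
    """Top-level product directory under C:\\Program Files, e.g. '7-Zip'."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[1].lower() == "program files":
        return parts[2]
    return None


def summarize(rows):
    """Count appended-extension hits by product directory and by original extension."""
    by_program = Counter()
    original_exts = Counter()
    appended = 0
    for row in rows:
        orig = original_path(row["indicator"])
        if orig is None:
            continue
        appended += 1
        by_program[program_dir(orig)] += 1
        original_exts[ntpath.splitext(ntpath.basename(orig))[1].lower()] += 1
    return {"total": len(rows), "appended": appended,
            "by_program": by_program, "original_exts": original_exts}


def mass_rename_suspected(rows, min_files=5, min_programs=3):
    """Heuristic for the report's 'renames files with added extension' behaviour.

    A single installer also writes .tmp files, but only under its own product
    directory; one process doing so across several unrelated products (Office,
    Java, Chrome, dotnet, 7-Zip ...) is the ransomware-style pattern.
    Thresholds are assumptions for this example, not values from the report.
    """
    s = summarize(rows)
    programs = {p for p in s["by_program"] if p is not None}
    return s["appended"] >= min_files and len(programs) >= min_programs


if __name__ == "__main__":
    s = summarize(parse_file_created(SAMPLE_ROWS))
    print(s["appended"], "files with", APPENDED_EXT, "across", dict(s["by_program"]))
    print("mass rename suspected:", mass_rename_suspected(parse_file_created(SAMPLE_ROWS)))
```

On the eight sample rows every indicator strips cleanly to an existing file under six distinct product directories, so the heuristic fires; on the two-row installer counter-example it does not. The same parser can be pointed at the full table above, where the indicator is only a truncated view of the 5208 renames the signature counts.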

System Location Discovery: System Language Discovery

discovery

The only indicator is the sample opening the system locale key below. Plenty of benign software reads this key through the locale APIs, so on its own it is a weak signal and is scored here only in combination with the ransomware behaviour above. The sandbox records the open through API hooking; Sysmon does not log registry key opens (its registry events cover key create/delete, value set and rename), so reproducing this detection on an endpoint needs object-access auditing on the key or EDR registry-read telemetry.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe

"C:\Users\Admin\AppData\Local\Temp\4a2ac3721bef48e480fea40f5c9f5d30d97e54fc1a9a86cc97ed519616fde788.exe"

Network

No process is attributed to these connections. The destinations (g.bing.com, tse1.mm.bing.net, and c.pki.goog over port 80) are consistent with Windows background traffic and certificate-status lookups on the sandbox image rather than with the sample, and no host unique to this detonation appears; treat them as noise, not as command-and-control, unless a process attribution ties them to the sample.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

MD5 26235591df534765a82d2bb665a00b60
SHA1 fc3dd307530346df42d86d91dcb6c817d590bd78
SHA256 db78dd80518b347d43f365efa44af8d387561e4666f5eea6eecf75084b4aa25b
SHA512 af75a3755c8962ca7b321c4efc6289002321d4652e277421d6636e158246c5101286986f985830f0eef7edfe84551b74e44683b2c2ea3a59a223712a134040d6

C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

MD5 5ad3f6e275d9f23ff8892f372efa0ad4
SHA1 6a4366e96a45a2e323f49bbae3e7fd4b4d638d79
SHA256 615146c8c02d3ccfc58a8017e0428d31b66d2ac9d09c719b535cabf76ba0ee2f
SHA512 e36995ddd25534920418a7ad8d9cdcd007dbfdee38cb59f223abcbe36c0a2b386d02606f5aa86165763d15c8aec0e39e6b2aa9116325103849c49cf5e1f19837

memory/2896-809-0x0000000000400000-0x0000000000407000-memory.dmp