Analysis
max time kernel: 149s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2025, 14:07
Behavioral task: behavioral1
Sample: 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
Resource: win11-20250502-en
General
Target: 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
Size: 38KB
MD5: aede2dfb077f70e26175c5e385378632
SHA1: 5f2218409dae60500b8ee6f6f0e186245b5a2348
SHA256: 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761
SHA512: e20873343a4d1d65f6a90a1e8e6d32ff45971d7a9370054812aa3822a6d8f05b111f6ede16aac5b01ccae8e6a62e6b089a285921b2e29da8d3b64cce6a25f1b1
SSDEEP: 768:s7BlpppARFbhdLz8ae+rOn8ae+rO2aNQP+UDQvu:s7ZppApdIIJQP+UDQvu
Malware Config
Signatures
Cosmu family
Detects Cosmu payload (2 IoCs)
Cosmu is a worm written in C++.
resource | yara_rule
behavioral1/files/0x00040000000232d9-1.dat | family_cosmu
behavioral1/files/0x000c000000023f87-5.dat | family_cosmu
Renames multiple (5204) files with an added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\sl.pak.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Diagnostics.TraceSource.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\System.Windows.Forms.Primitives.resources.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Diagnostics.EventLog.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\PresentationCore.resources.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\TellMeRuntime.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.Parallel.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\PresentationUI.resources.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.Concurrent.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Resources.ResourceManager.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\UIAutomationProvider.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\7-Zip\Lang\pl.txt.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
File created | C:\Program Files\7-Zip\Lang\fi.txt.tmp | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
Processes
C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID: 4976
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 38KB
MD5: 5819c84b510a1a83d41ab3d37e5e8e6d
SHA1: 279ef4f82336fac6573110b5d8d21e27f6d36385
SHA256: 4d4ec3502638c64dfa9696f0853308dce4ffb56a837f4448ebfcbde5dde2cee3
SHA512: 60dcb3e811fbe65a181967c8dec94126ada632a88923bf3e4ab5a9e43d52c223532bfc96d16dacb7bcd95fb521e0dd42c96aa7e73a8d9bd3f4d63172aef66005

Filesize: 120KB
MD5: 9eb634c618760aa30f4263f11166c69f
SHA1: 1540e1b9c8ccdfdeef8d5cf01b78a8ad2d318893
SHA256: 0ad8404e2ea58553d66751d96ec3710ba4cc305da570df4640fce246a7d42e5f
SHA512: 9a02c250cf03f95d4ab541308768f5c8ae2ae5f600cf87561c2af437ac39ac24ad5b1acb7000e9a042d9aea29ff342362ac7bbeb381cdf5fb2f677ee14dd0d56