Malware Analysis Report

2025-06-16 06:24

Sample ID: 250530-czyqaahp2v
Target: abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f
SHA256: abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f
Tags: cosmu, discovery, ransomware, worm
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (2087) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-30 02:31

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-30 02:31

Reported

2025-05-30 02:33

Platform

win11-20250502-en

Max time kernel

62s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (2087) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f.exe

"C:\Users\Admin\AppData\Local\Temp\abc8e361a8acfeeaaa247945b4ca4e0f6378334e97f4bb6ea23f4951d3976b3f.exe"

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 199.232.214.172:80 tcp

Files

C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp

MD5 8c36b99d3f367549fdae735bb6dcdb8b
SHA1 19b85f01c7c2f47316de8804ce30745626f847e9
SHA256 7cd04bcdfed9d591be84cb2f24231bcf0b2d77610cc2731af758127efba2a877
SHA512 88116117b45f48bf147cc7200218a9149e84f8360cd2bed7bea1851e146ba31a56f67ddb5ad6214af80e1edb6690606b3f5eb126dbbd33e0365e9b4f327ec3c7

C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp

MD5 e951c92e0922de3e67f12a1ce7a1c777
SHA1 4b825898cdcf67a68fad81cf47e2a0f27da999d6
SHA256 b9be90caf2772c842ad48485ce97d94a707c8b19a8a1b6a40dcd09ba15d586aa
SHA512 3b198ca7781ab9dd09f7311ad367c39f95bde376e0cffd11b68031db30730ecf84bbada66cfcff64b6d6bd05d409de054ee10f588759e15fc2becaa5fc1f8a38

memory/3248-1187-0x0000000000400000-0x0000000000407000-memory.dmp