Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-h71shadq9y
Target c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5
SHA256 c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

Score

10/10

SHA256

c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5

Threat Level: Known bad

The file c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5279) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 07:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 07:23

Reported

2025-06-05 07:25

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5279) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5.exe

"C:\Users\Admin\AppData\Local\Temp\c39252cb773fd7294adb831abe346b1549a6e9bd8da7cc942479e16b92ade8b5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3920234085-916416549-2700794571-1000\desktop.ini.tmp

MD5 851600b7e1bfc09270f44393dd091eb7
SHA1 d65f6edf46fe876c9d37f633dc8b0b4b1ceaa334
SHA256 536e3017fb0d6a34277c1afa102951524b8e9cec2c09f69385e695480b8c63c3
SHA512 2dd373084076bf6a36370b6547e074f3af4876f0fcb97794bde73e626b465b68fd50060a396912c5429eee777edad905a8c29f18813121ff6e0cfb9c2b7db6f0

C:\6eaadd5e1536cd09900c16de307910\2010_x86.log.html.tmp

MD5 bde2d88e188dda6d0435c4aebd173125
SHA1 b5301ee0eda807882c2a85208e2ad32766680b71
SHA256 7a0a8593c1649be9387904c67f655f92122fd95f9abea612c0efd1883c6520ce
SHA512 cc67526074d607b5218365b69de5a6c177e3403fb615764e4311a136fda594fefcb48f7ec9df5d0a4b7f16a67f872de5cf5fc1934d237d7c1775268296837b20

memory/4920-803-0x0000000000400000-0x0000000000407000-memory.dmp