Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-h73xvsdr2t
Target da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5
SHA256 da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5
Tags: cosmu, discovery, ransomware, worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5

Threat Level: Known bad

The file da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5 was found to be: Known bad.

Malicious Activity Summary

Tags: cosmu, discovery, ransomware, worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (4951) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 07:23

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 07:23

Reported

2025-06-05 07:26

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (4951) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5.exe

"C:\Users\Admin\AppData\Local\Temp\da3aac9e5bbabfadd5fcfa5169dc151e4be023f88c8f39260cfda6284a0b9ce5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

MD5 ca0e61703cc64da43fc0c4ba7c03ef4e
SHA1 c73ec86751cc10b153ea2075f4959e5d8f5a8b70
SHA256 437d55313af7a9f38109cd899fbab1e44ef2b76b2ddf2b82dd389d250e00be50
SHA512 cfd1cc53ce80ffd00225daf606c663558c2026b47df7ccfc5cacea183aea3e8e31abeda602786c06fc5e0f808538c78d6a858230407f3b0f6e45ad26b4080723

C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

MD5 e112c8ad0fa9e3fb859191c3977a964e
SHA1 6c934a05256e78457940cb6e3c01e81d3a7438ac
SHA256 8957985095f3cde55c05132547c5c0535e78a9d30f2f75df043eb81d64d07c79
SHA512 c750515b49e78665847eb64e6bd5c226d52c5ea41e578ce9c5f82168e19568b3241925b705e3f7f7e2df3eef0b26076ad8e742107cb579db39f9b2a6f95ce6cc