Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2025, 07:23

General

  • Target

    48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe

  • Size

    79KB

  • MD5

    25cbaade2ecdd1326806f57aa72d9457

  • SHA1

    586f408c97ca0d44e7788ace9e84a9ae123bd359

  • SHA256

    48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654

  • SHA512

    a406f7c2c50342a610b163f6d3ddbef38483065a127a9b201395cd8e766dad1cde2bf5e17262a9e945956da161a88c2bf78de3b4d908fb6e4119291303e23d00

  • SSDEEP

    1536:s7ZppApdIIC0L/twzIzYKBIvubxJZ899OlxfANrWc/ZkgBZs:spWpI0L/tsI987OrfO6qy

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload (2 IoCs)

    Cosmu is a worm written in C++.

  • Renames multiple (5028) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe
    "C:\Users\Admin\AppData\Local\Temp\48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2084

Network

MITRE ATT&CK Enterprise v16


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp
      • Filesize
        79KB
      • MD5
        9686b65ffcd2bf1e8c749636555cf0c5
      • SHA1
        d4fafdb7efbfc251e340e4ef6c909074b03ba0f1
      • SHA256
        3fcf59c57b9c611fb94cbf27c68864d3811e7cbbd368e8cb6ff3905f44392ecf
      • SHA512
        05e588f85888341315fee7e3a690ec0feabf0071ad690188bf898991cfabfc4ad072559b19ba15f9c9435c73329f3052cf8f0e8e16df8c61e7b3f52e5ae0e473

  • C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp
      • Filesize
        160KB
      • MD5
        b81f19b61a479e72559ff27160e2e8a2
      • SHA1
        26054f0bb6af14bd2d70d4e66219551f784b9413
      • SHA256
        a2db4f5ffcf8baec227e9869b15112f5ae6211574e67c3a3e080620470061dd8
      • SHA512
        88cc07da73fce238d8fa4bfc2de6c60ed3f85b2365bcaa11f9a7e24a295233f7f551b116fc2b5aca4333b646f90d8756b146ab95b7d035f74ed304b66a0e71e5