Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-h74jdsdr2v
Target 48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654
SHA256 48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

Score 10/10
SHA256 48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654
Threat Level: Known bad

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5028) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 07:23

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-06-05 07:23
Reported 2025-06-05 07:26
Platform win10v2004-20250502-en
Max time kernel 149s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5028) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe

"C:\Users\Admin\AppData\Local\Temp\48fcc0d0c84ae454ffc631274663046a7377e0765e407f73268d190f3ff64654.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 9686b65ffcd2bf1e8c749636555cf0c5
SHA1 d4fafdb7efbfc251e340e4ef6c909074b03ba0f1
SHA256 3fcf59c57b9c611fb94cbf27c68864d3811e7cbbd368e8cb6ff3905f44392ecf
SHA512 05e588f85888341315fee7e3a690ec0feabf0071ad690188bf898991cfabfc4ad072559b19ba15f9c9435c73329f3052cf8f0e8e16df8c61e7b3f52e5ae0e473

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 b81f19b61a479e72559ff27160e2e8a2
SHA1 26054f0bb6af14bd2d70d4e66219551f784b9413
SHA256 a2db4f5ffcf8baec227e9869b15112f5ae6211574e67c3a3e080620470061dd8
SHA512 88cc07da73fce238d8fa4bfc2de6c60ed3f85b2365bcaa11f9a7e24a295233f7f551b116fc2b5aca4333b646f90d8756b146ab95b7d035f74ed304b66a0e71e5