Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2025, 07:27

General

  • Target

    3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe

  • Size

    23KB

  • MD5

    3e685475a7d2b2289c7b3e4468b2f40c

  • SHA1

    f1288cfbf64ef40c84caaa94ddae58b9921d97c1

  • SHA256

    3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4

  • SHA512

    a3ccfe3d37a257b69288df9a50a144ff2bd47f3c77cfa50fcb519650a71b7f47084e14271762a10a11bddec8703d8b4beaaff8bd9d60a6684ad0d98c6891ed5e

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOr9NNV5H/V36abQD9e0qQD9e0Z:uZ4FLz8ae+rOn8ae+rO2asM0RM0Z

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5197) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe
    "C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1444

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

          Filesize

          23KB

          MD5

          2328ec75a4747fc65dee6a057d15d638

          SHA1

          95c42ba3a316d971e28de76d0496e84c1acb8462

          SHA256

          3cab7598c0f55cbe619880987c3b4d9682b6f7c14742f22c76351b9821bb0ae8

          SHA512

          e1e23437fd6c1ba9a84071cc9da222f89c2078d9500abb8a341a05df041b9fcd18b198c5562aa74bf1e9c3d28085e87992fbad9d8f70f88a87df3d08bd01ca96

        • C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

          Filesize

          108KB

          MD5

          6b3d177596098dde81a4a1f09bb650f4

          SHA1

          31cef651544d31b4e23500865156f2199182ea3d

          SHA256

          835c14f5a613a0db921feef6962094215180ea908d0e1b97ccae9d9819d677c2

          SHA512

          804b8cbf1751fd31e1ab653c71df5a942d633d31c8fc778db996ff966bd8d3b412dbc0272803a231c739e258ed5431cb3fe5cdd33eb9f5d56cd5245713b98d69

        • memory/1444-799-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB