Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05/06/2025, 07:27

General

  • Target

    3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe

  • Size

    23KB

  • MD5

    3e685475a7d2b2289c7b3e4468b2f40c

  • SHA1

    f1288cfbf64ef40c84caaa94ddae58b9921d97c1

  • SHA256

    3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4

  • SHA512

    a3ccfe3d37a257b69288df9a50a144ff2bd47f3c77cfa50fcb519650a71b7f47084e14271762a10a11bddec8703d8b4beaaff8bd9d60a6684ad0d98c6891ed5e

  • SSDEEP

    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOr9NNV5H/V36abQD9e0qQD9e0Z:uZ4FLz8ae+rOn8ae+rO2asM0RM0Z

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5376) files with added filename extension

    This suggests ransomware activity, i.e. encryption of all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe
    "C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1460

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1245416451-815278583-4285364870-1000\desktop.ini.tmp

          Filesize

          23KB

          MD5

          3f99688f4ac7887a91459bf1a58ca9d6

          SHA1

          9392289d8d77d78830e730dbe47a1693a813a1b6

          SHA256

          d17b6ac8fcecddd2c83c7b650351b4714e400e38a542714a212858a0dc75f3e6

          SHA512

          d5cb6b711eed8858da504657696302160cb1abf140695cfdfbc4680ba406375c0029128870a0fc8c95d87cabc09ff90834faf3ec511d1caa3db8d70b6e310a63

        • C:\09888c3fc6bdc8a345f7\2010_x64.log.html.tmp

          Filesize

          108KB

          MD5

          69bf7ef9b55786ae092f9e0d74657902

          SHA1

          65a0a82f940a87e0ebb53f3b5dd02af429a953ac

          SHA256

          5490f93b0cc682860385ad0f93d3877c55129eb47b11a7daaf4aa319a6605f63

          SHA512

          020d8ae402d3dc25506c716a197d92b266aada97307fef97632f6ce9cfcb212b47eb26343ac425dcfa3925338c03364210d8ce3680e9725717083f46a3ea77e2

        • memory/1460-1237-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB