Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250502-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05/06/2025, 07:27

General

  • Target

    0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe

  • Size

    71KB

  • MD5

    184fbd147e905c578080872c45b9c023

  • SHA1

    2d091ba90484937a93570a2526bac8b52c8ccce0

  • SHA256

    0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621

  • SHA512

    d3467847da1eb5d9425c6adf3473f210d8a766a0cf3cbfe45ab08c99ee2a1a8d1aa356980c046c9cd9572e050529559292f184c3fdee2e3efd6600d9689364f1

  • SSDEEP

    1536:s7ZppApdIIC0/2YtBUOqHCQNm2zs+dD8dlxhiCW1aQx6:spWpI0/2YjUOqHxNmMdIdlxhu0

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5030) files with added filename extension

    This is the heuristic the sandbox uses to flag ransomware-style encryption of files on the system. Note that the rule only counts renames that append an extension; it does not verify that file contents were encrypted. The dropped .tmp files listed under Downloads are the place to check: for example, the desktop.ini.tmp artifact is 71KB, the same size as the submitted sample, so the two should be compared before concluding that the original files were encrypted rather than overwritten.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).
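The two file-system findings above (mass renames with an added extension, and the dropped .tmp artifacts) can be reproduced over your own event logs. The following is an added example, not code from the sandbox or from the Cosmu sample: it re-implements the rename heuristic with an assumed threshold (the report does not publish the sandbox's cutoff) and buckets each dropped file against the submitted sample by hash and size. The event log is constructed for illustration; the sample and dropped-file hashes and sizes are copied from this report.

```python
"""Added example: reproduce the report's rename heuristic and compare dropped
files against the submitted sample. Not part of the original report."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed threshold for the "renames multiple files with added extension" rule.
# The report only says it fired on 5030 renames; the real cutoff is not published.
RENAME_THRESHOLD = 100


@dataclass
class FsEvent:
    op: str             # "rename" or "write"
    path: str           # source path (Windows style, as in the report)
    new_path: str = ""  # destination for renames


def added_extension(old: str, new: str) -> Optional[str]:
    """Return the extension if `new` is exactly `old` plus one appended extension."""
    if not new.lower().startswith(old.lower()) or len(new) <= len(old):
        return None
    suffix = new[len(old):]
    # Exactly one dotted token, e.g. ".tmp"; reject ".bak.tmp" or path separators.
    if suffix.startswith(".") and len(suffix) > 1 and not any(c in suffix[1:] for c in ".\\/"):
        return suffix.lower()
    return None


def mass_rename_signature(events: Iterable[FsEvent], threshold: int = RENAME_THRESHOLD):
    """Count renames that only add an extension; return (count, per-extension Counter, fired)."""
    per_ext = Counter()
    for ev in events:
        if ev.op != "rename":
            continue
        ext = added_extension(ev.path, ev.new_path)
        if ext is not None:
            per_ext[ext] += 1
    total = sum(per_ext.values())
    return total, per_ext, total >= threshold


@dataclass
class Artifact:
    path: str
    size_kb: int
    sha256: str


def classify_dropped(sample: Artifact, dropped: Artifact) -> str:
    """Bucket a dropped file relative to the submitted sample.

    'copy'           : identical SHA256 -> self-replication, not encryption
    'same-size-diff' : same size, different hash -> modified copy or same-length transform; inspect
    'different-size' : anything else -> consistent with an encrypted/transformed original, not proof
    """
    if dropped.sha256 == sample.sha256:
        return "copy"
    if dropped.size_kb == sample.size_kb:
        return "same-size-diff"
    return "different-size"


# Constructed event log (not from the report), shaped like what the signature describes.
SAMPLE_EVENTS = (
    [FsEvent("rename", f"C:\\Users\\Admin\\Documents\\doc{i}.docx",
             f"C:\\Users\\Admin\\Documents\\doc{i}.docx.tmp") for i in range(150)]
    + [FsEvent("rename", "C:\\Users\\Admin\\a.txt", "C:\\Users\\Admin\\b.txt")]          # plain rename
    + [FsEvent("rename", "C:\\Users\\Admin\\c.txt", "C:\\Users\\Admin\\c.txt.bak.tmp")]  # two tokens
    + [FsEvent("write", "C:\\Program Files\\x\\y.dll")]
)

# Values copied from the report (sizes are the report's rounded KB figures).
SAMPLE = Artifact(
    "0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe", 71,
    "0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621")
DROPPED = [
    Artifact("C:\\$Recycle.Bin\\S-1-5-21-1153236273-2212388449-1493869963-1000\\desktop.ini.tmp", 71,
             "54ac0993cbdf893baf83a35f6e191ee04807b5ab0338386423c3e79a05374901"),
    Artifact("C:\\f518c2ae32873fab6fcffcc19027\\2010_x64.log.html.tmp", 157,
             "45ec1fc604b9ba9d1a9367e2a7acbe71552c49204eee70a24b5e4ef964933493"),
]


def triage_report() -> dict:
    """Run both checks and return the verdicts as one dictionary."""
    total, per_ext, fired = mass_rename_signature(SAMPLE_EVENTS)
    buckets = {d.path: classify_dropped(SAMPLE, d) for d in DROPPED}
    return {"renames": total, "extensions": dict(per_ext), "fired": fired, "dropped": buckets}


if __name__ == "__main__":
    print(triage_report())
```

The rename counter deliberately ignores ordinary renames and names that gain more than one token, which keeps backup tools and installers from tripping it; the dropped-file buckets only tell you where to look next, since a same-size artifact with a different hash needs a byte-level comparison (or a fuzzy hash such as the SSDEEP value above) before it is called a copy or a ciphertext.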

Processes

  • C:\Users\Admin\AppData\Local\Temp\0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe
    "C:\Users\Admin\AppData\Local\Temp\0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4100

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

          Filesize

          71KB

          MD5

          83ddf28db65cdec34bf2f32c94598406

          SHA1

          df138d1610a2a9f79c0c19c6ac76d5efabbba099

          SHA256

          54ac0993cbdf893baf83a35f6e191ee04807b5ab0338386423c3e79a05374901

          SHA512

          1a2b1321339b61b5665f7f2752fc2809dda9a6415a721435e3271199b10a41be8e03919599e1c09fa649f9f70a3141759f7fb88ba95135f44c1176aa5b5b1b00

        • C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

          Filesize

          157KB

          MD5

          292050d799e90028ba59e7429b573ad8

          SHA1

          d3b1b00c72e12355d1b2961ed229e64844943980

          SHA256

          45ec1fc604b9ba9d1a9367e2a7acbe71552c49204eee70a24b5e4ef964933493

          SHA512

          55f48724917e9cf9b63290e7f197bd12db9aeb965fb22ce09d37f321b92d14a7b5e947a0c0ddbac7f70a8d2156c8bbee9bbf73cb89c4bec4256b4540c799d2c7