Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-h98k5adr7s
Target 0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621
SHA256 0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5030) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2025-06-05 07:27

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 07:27

Reported

2025-06-05 07:29

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5030) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe

"C:\Users\Admin\AppData\Local\Temp\0892a3e368f8ad141d218e880613462374b3f9906ce3faff977952677c3af621.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

MD5 83ddf28db65cdec34bf2f32c94598406
SHA1 df138d1610a2a9f79c0c19c6ac76d5efabbba099
SHA256 54ac0993cbdf893baf83a35f6e191ee04807b5ab0338386423c3e79a05374901
SHA512 1a2b1321339b61b5665f7f2752fc2809dda9a6415a721435e3271199b10a41be8e03919599e1c09fa649f9f70a3141759f7fb88ba95135f44c1176aa5b5b1b00

C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

MD5 292050d799e90028ba59e7429b573ad8
SHA1 d3b1b00c72e12355d1b2961ed229e64844943980
SHA256 45ec1fc604b9ba9d1a9367e2a7acbe71552c49204eee70a24b5e4ef964933493
SHA512 55f48724917e9cf9b63290e7f197bd12db9aeb965fb22ce09d37f321b92d14a7b5e947a0c0ddbac7f70a8d2156c8bbee9bbf73cb89c4bec4256b4540c799d2c7