Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2025, 07:27

General

  • Target

    2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe

  • Size

    155KB

  • MD5

    12cdf927eb8ffd678c342e34817b85e4

  • SHA1

    566e35133dad5a82a7ea125d69647c86bfbf792f

  • SHA256

    2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9

  • SHA512

    0df979577907610580e7c7f4c4b92d6ef31e006b214691416b9da841f119e0c8c1490b6bb5be0c6c6826258d6b40021c9b4e87a00a10725aed87c8e5e376521f

  • SSDEEP

    1536:s7ZppApdIIyBoLqrNkW1zN0m0lG1tETSA60uXceS4JseKeFdasat:spWpsBsqrNkMzN0mx7Sr60ug4GF

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (4843) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe
    "C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4120

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

    Filesize

    155KB

    MD5

    2b9fc9073359e7cb2845f312669b0926

    SHA1

    9c27d64a3a3f13930a18411164e3573f9b5a1e88

    SHA256

    1d50944d884ec5e044243756692361eeec41964cce18381552d8049e458c429d

    SHA512

    c582f28459f004560fa36500fd7849e153626203183f2f51a7e88b010df4be9df9979d50e5e431211acb1c7f33802933c92c69973fdd19527e76d464ab7c1524

  • C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

    Filesize

    240KB

    MD5

    23eea8ed7d86557d23d10c4314e39d32

    SHA1

    0f5e8dbf206f75c0232ee9ee52bef4fcd1a815ea

    SHA256

    64e0d26d96fe3fccb6a08fe6a08edcf5e22424a19869200db707a6a74b942105

    SHA512

    4f13172f964860ac2145c63115b65f5d3af8c59688091ce6cab1389f94f0313f06bcea9fe454ee6e48cebffc3a452a576624a797cdfad44705dc656f2c6f5827