Analysis Overview
SHA256
2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9
Threat Level: Known bad
The file 2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9 was found to be: Known bad.
Malicious Activity Summary
Cosmu family
Detects Cosmu payload
Cosmu
Renames multiple (4843) files with added filename extension
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-06-05 07:27
Signatures
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-05 07:27
Reported
2025-06-05 07:29
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Cosmu
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Renames multiple (4843) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe
"C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp
| Hash | Value |
|---|---|
| MD5 | 2b9fc9073359e7cb2845f312669b0926 |
| SHA1 | 9c27d64a3a3f13930a18411164e3573f9b5a1e88 |
| SHA256 | 1d50944d884ec5e044243756692361eeec41964cce18381552d8049e458c429d |
| SHA512 | c582f28459f004560fa36500fd7849e153626203183f2f51a7e88b010df4be9df9979d50e5e431211acb1c7f33802933c92c69973fdd19527e76d464ab7c1524 |
C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp
| Hash | Value |
|---|---|
| MD5 | 23eea8ed7d86557d23d10c4314e39d32 |
| SHA1 | 0f5e8dbf206f75c0232ee9ee52bef4fcd1a815ea |
| SHA256 | 64e0d26d96fe3fccb6a08fe6a08edcf5e22424a19869200db707a6a74b942105 |
| SHA512 | 4f13172f964860ac2145c63115b65f5d3af8c59688091ce6cab1389f94f0313f06bcea9fe454ee6e48cebffc3a452a576624a797cdfad44705dc656f2c6f5827 |