Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-h994ysdr7x
Target 2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9
SHA256 2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (4843) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2025-06-05 07:27

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 07:27

Reported

2025-06-05 07:29

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (4843) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe

"C:\Users\Admin\AppData\Local\Temp\2e8d90b61b615387f92e3a778e15d4051cecfce2e97d63e85146babe8314cba9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

MD5 2b9fc9073359e7cb2845f312669b0926
SHA1 9c27d64a3a3f13930a18411164e3573f9b5a1e88
SHA256 1d50944d884ec5e044243756692361eeec41964cce18381552d8049e458c429d
SHA512 c582f28459f004560fa36500fd7849e153626203183f2f51a7e88b010df4be9df9979d50e5e431211acb1c7f33802933c92c69973fdd19527e76d464ab7c1524

C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

MD5 23eea8ed7d86557d23d10c4314e39d32
SHA1 0f5e8dbf206f75c0232ee9ee52bef4fcd1a815ea
SHA256 64e0d26d96fe3fccb6a08fe6a08edcf5e22424a19869200db707a6a74b942105
SHA512 4f13172f964860ac2145c63115b65f5d3af8c59688091ce6cab1389f94f0313f06bcea9fe454ee6e48cebffc3a452a576624a797cdfad44705dc656f2c6f5827