Analysis Overview
SHA256
c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84
Threat Level: Known bad
The file c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84 was found to be: Known bad.
Malicious Activity Summary
Cosmu
Cosmu family
Detects Cosmu payload
Renames multiple (5157) files with added filename extension
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-06-05 07:27
Signatures
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-05 07:27
Reported
2025-06-05 07:29
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Cosmu
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Renames multiple (5157) files with added filename extension
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\7-Zip\Lang\lv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements\SmallLogoCanary.png.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\be.txt.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\lij.txt.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework-SystemDrawing.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\Welcome.html.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe
"C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp
| MD5 | 3e5118009fd42e047a35cf7fe53ea521 |
| SHA1 | 5a461f9961978081e82ff1329498f5773c4675e7 |
| SHA256 | 38deec03f58ffcd72cea768d4493deb771397a6bdf223a306e9b81bf3399167e |
| SHA512 | 5247db663c40c9dc199f33c99a750f4580bdc5f6ea57a7c5fc380271b060fc3186aa0912d0c16d2adadadefc0c948d9aa3065f1b4a5bac663e9a2accec5678df |
C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp
| MD5 | e03c9b613ab9ee83d6bf95e23709662b |
| SHA1 | c7c039803c70cdb818624eba1525f2b2cc73aab5 |
| SHA256 | 222abd1ab12a0e35502ddb96b0590b21082ca7c8f12c61c207b14b9ac8c806f5 |
| SHA512 | b4272c7bb9bff37de058477dfef354a04398f3f9094115967ecdc29fd63f9d98665eb6090b8e5310dc0990193c60d8dffd1dd6c8f0dd21d7c8bc9218c0e697c5 |