Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-h99hesdr7v
Target c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84
SHA256 c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

Score 10/10

SHA256 c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84

Threat Level: Known bad

The file c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5157) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-06-05 07:27

Signatures

Cosmu family

cosmu

Detects Cosmu payload


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 07:27

Reported

2025-06-05 07:29

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (5157) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe

"C:\Users\Admin\AppData\Local\Temp\c9fda8aa3ced28ab18a3f40aa30b85968d3261e1b7ab6316680770420ee17d84.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

MD5 3e5118009fd42e047a35cf7fe53ea521
SHA1 5a461f9961978081e82ff1329498f5773c4675e7
SHA256 38deec03f58ffcd72cea768d4493deb771397a6bdf223a306e9b81bf3399167e
SHA512 5247db663c40c9dc199f33c99a750f4580bdc5f6ea57a7c5fc380271b060fc3186aa0912d0c16d2adadadefc0c948d9aa3065f1b4a5bac663e9a2accec5678df

C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

MD5 e03c9b613ab9ee83d6bf95e23709662b
SHA1 c7c039803c70cdb818624eba1525f2b2cc73aab5
SHA256 222abd1ab12a0e35502ddb96b0590b21082ca7c8f12c61c207b14b9ac8c806f5
SHA512 b4272c7bb9bff37de058477dfef354a04398f3f9094115967ecdc29fd63f9d98665eb6090b8e5310dc0990193c60d8dffd1dd6c8f0dd21d7c8bc9218c0e697c5