Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j5r81sen5x
Target 972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5
SHA256 972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5

Threat Level: Known bad

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5279) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK (Enterprise Matrix V16)

T1614.001 System Location Discovery: System Language Discovery (registry read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; see behavioral1)

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:15

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:18

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe"

Signatures

Cosmu

Tags: worm, cosmu

Cosmu family

Tags: cosmu

Detects Cosmu payload


Renames multiple (5279) files with added filename extension

Tags: ransomware

In the file events below the appended extension is .tmp: the sample writes <original name>.tmp next to existing files under Program Files (dotnet, Google Chrome, Java, Microsoft Office, Common Files, Internet Explorer). The 5279 figure is the sandbox's total; the table below lists only a subset of those events, all attributed to the same process.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.Queryable.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_200_percent.pak.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Security.Cryptography.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Diagnostics.TraceSource.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.Channels.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader_icd.json.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A
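The signature above ("Renames multiple (5279) files with added filename extension") and the flattened file-event rows are the raw material an analyst would turn into a reusable triage check. The following Python script is an added example, not part of the sandbox's tooling or of the Cosmu sample: it parses rows in the report's layout, strips exactly one trailing suffix to recover the presumed original file, and flags an appended extension as a mass-rename pattern when it hits many files, many original file types and several top-level directories from one process. The embedded input is ten rows copied from the table above plus one constructed benign row; the thresholds, the `SAMPLE_EVENTS` list and the helper names are assumptions made for this example.

```python
"""
Triage helper: parse sandbox "File created" rows and flag mass renaming
with an appended extension. Added example; not the sandbox's own code.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row layout as flattened in the report: "File created <target> <process> N/A".
# The target path is matched greedily, so the split lands on the LAST drive
# prefix in the row, which is where the process path begins.
FILE_EVENT = re.compile(r"^File created (?P<path>.+) (?P<proc>[A-Za-z]:\\.+?) N/A$")

# Process path as recorded in the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe"

# Ten target paths copied from the report's file-event table.
TARGETS = [
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_200_percent.pak.tmp",
    r"C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp",
    r"C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp",
    r"C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp",
    r"C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp",
    r"C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader_icd.json.tmp",
]

# Constructed sample input: the report rows above plus one benign row
# (an installer writing its own log) invented here for contrast.
SAMPLE_EVENTS = [f"File created {t} {SAMPLE_EXE} N/A" for t in TARGETS] + [
    r"File created C:\Users\Admin\AppData\Local\Temp\setup.log C:\Windows\System32\msiexec.exe N/A",
]


def parse_file_events(lines):
    """Return (target_path, process_path) pairs for rows in the report layout."""
    events = []
    for line in lines:
        m = FILE_EVENT.match(line.strip())
        if m:
            events.append((m.group("path"), m.group("proc")))
    return events


def flag_mass_rename(events, min_files=50, min_orig_exts=5, min_dirs=3):
    """Group events by appended extension and score each group.

    Stripping exactly one suffix from the written name recovers the presumed
    original file ('jvm.dll.tmp' -> 'jvm.dll'). A group is flagged when one
    appended extension covers many files, many original file types and
    several top-level directories. Thresholds are assumptions for this
    example; the report above fired on 5279 renames.
    """
    groups = defaultdict(list)
    for target, proc in events:
        p = PureWindowsPath(target)
        if not p.suffix:                       # nothing appended, nothing to strip
            continue
        groups[p.suffix.lower()].append((p.with_name(p.stem), proc))

    report = {}
    for ext, items in groups.items():
        orig_exts = {o.suffix.lower() for o, _ in items}      # '' = no original extension
        dirs = {"\\".join(o.parts[1:3]) for o, _ in items}    # e.g. 'Program Files\\Java'
        flagged = (len(items) >= min_files
                   and len(orig_exts) >= min_orig_exts
                   and len(dirs) >= min_dirs)
        report[ext] = {
            "count": len(items),
            "original_extensions": sorted(orig_exts),
            "directories": sorted(dirs),
            "processes": sorted({proc for _, proc in items}),
            "flagged": flagged,
            "sample_renames": [f"{o.name} -> {o.name}{ext}" for o, _ in items[:3]],
        }
    return report


if __name__ == "__main__":
    events = parse_file_events(SAMPLE_EVENTS)
    # Only ten report rows are embedded, so min_files is lowered for the demo.
    for ext, info in flag_mass_rename(events, min_files=8).items():
        status = "MASS RENAME" if info["flagged"] else "ok"
        print(f"{ext:6} {status:12} files={info['count']} "
              f"orig_exts={len(info['original_extensions'])} dirs={len(info['directories'])}")
        for r in info["sample_renames"]:
            print("   ", r)
```

Run against a full export of the table, the `.tmp` group carries one process, nine original file types (including files with no extension, such as COPYRIGHT) and five Program Files subtrees even from this ten-row subset; the constructed msiexec `.log` row stays unflagged because it is a single file from a different process. The three thresholds should be tuned against the benign baseline of whatever sandbox or EDR feed the rows come from, since installers and updaters also write `.tmp` files, but rarely across unrelated product directories at once.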

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe

"C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

c.pki.goog is Google Trust Services' certificate-distribution host (CRL and AIA fetches over plain HTTP on port 80). A DNS lookup through 8.8.8.8 followed by one HTTP connection to it is consistent with background certificate validation by Windows or the installed Chrome rather than sample command-and-control; the report records no other outbound traffic, so no C2 indicator should be derived from this table.

Files

The .tmp pattern is not confined to Program Files: the two captured files below sit in $Recycle.Bin and in a root-level GUID-named folder, so the 5279 renames in the signature span the whole volume, not only the rows listed above.

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 2b9c57d5307371616c9b6c4c5c9677ac
SHA1 a1abb20e108b3f7f1048241cdd3564d4065f632a
SHA256 f2c86ba44e330799f70a2e6f5ec14c7d49022d1b999d464bbd27a624b3c2093b
SHA512 e9317b7f951da142d269249710b1e09fe72a6fb35d449ebf0233303e3ade82694d93fc755c9b7910cb96160f0224f94995a77f33759576c91e638cfa4a86fda7

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 e2f6ae9f7f589c65bd22d0ef919bf8eb
SHA1 6125563aea69898dd51b12d61b8cb922df9af560
SHA256 88b0a3bb280e43ecda9ad84f9bbf2f901f7f3ac4af0aef7f8031fc07ff83cb2c
SHA512 171eb410899eb4f9b97939d43525c7307bef0d3f41c80f59aeb82da91a9d1960780bcdf227415dbcd13b237ed53674def4052b6af10a04cd4c3061e02fef4c64

memory/1536-815-0x0000000000400000-0x0000000000407000-memory.dmp