Malware Analysis Report

2025-06-16 06:24

Sample ID: 250605-j7c7waen61
Target: 3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82
SHA256: 3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82
Tags: cosmu, discovery, ransomware, worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82

Threat Level: Known bad

The file 3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5047) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-06-05 08:18

Signatures

Cosmu family

cosmu

Detects Cosmu payload


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2025-06-05 08:18
Reported: 2025-06-05 08:20
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (5047) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82.exe

"C:\Users\Admin\AppData\Local\Temp\3bd983a439a55277a98b813b27babc9b8c0cccf54a088478b8b1cdacf4cbec82.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp

MD5 9f85a90dab8278849d2e8b6ba7b464c3
SHA1 1ef8111001c2b5546714fe5aab937fe81944f0fc
SHA256 50476bf3efb60a4b37f68909efdafe310c0bb8fdcf3585d0b2ff5f109681f56f
SHA512 706c9aa46883bf3034e6d823c4c9682463aa4734145e147993109f36dac77a320ebb3a0a76788ece7ad594dad187bd9006287b3f376d88153e35004ce7e8afe2

C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp

MD5 929d1db62a8da09b40bdd5f45b310eb5
SHA1 e4c5ff0253b48275ee0c99d8ee4ab338d8f7d6f6
SHA256 00f681e4b994f2e05b1f1254882d74fcb45ba6bffa23601c0aadbfa4c19f37e2
SHA512 d8f6cb6cf1430fc7662f41d3e0722bb1b6cadd1a1de75d0a82ea263e58e462285b0532741eab8b228d099d6a66306328377e05b8ea2bbca236a287e5ec23767e