Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j7d46sen7v
Target 5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730
SHA256 5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730

Threat Level: Known bad

The file 5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5197) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:18

Reported

2025-06-05 08:20

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5197) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730.exe

"C:\Users\Admin\AppData\Local\Temp\5934cff0f61cddf065e22f543aeb40ec01239be80303e810b4eb324425579730.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3951986358-4006919840-1009690842-1000\desktop.ini.tmp

MD5 69ec2f997c5b3d6c07d361b18b674319
SHA1 a500149b3e9771fbe8c654c689c264d69d557e03
SHA256 f4361bc0c8e52c27d3b5e8c063a932537b0df5f883eddc752ef6a2b9c7402374
SHA512 2944b5aacd3e172f6c1046f5de52c021e523041c59d4c230574293997d9af80ab3c9f050a33b512b34763f85f0f51132fdc779297a63196a29ee032edeed3056

C:\e871de07eca81c0a47\2010_x86.log.html.tmp

MD5 704f11eec3c8a26caecdf92247dc092d
SHA1 c266bfec600d6094c87e35a9be16658698f7abe1
SHA256 eded191eefc09cde346da2b748448b789136ac14f1eb4b7bacc7b9ddac758b7a
SHA512 8a816bc69bfa78acfd96373a255a234f7a79b550767d1cf872ce50b8e6ac940253fcc8c9ddefdde666e6e915d6a379049ff95f57a527db2f226cd33d91419225

memory/1040-787-0x0000000000400000-0x0000000000407000-memory.dmp