Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j7dhmsen7s
Target 2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4
SHA256 2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4

Threat Level: Known bad

The file 2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5043) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:18

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:18

Reported

2025-06-05 08:20

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5043) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe

"C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

MD5 f46cc6e53805e2d155476074297d5b70
SHA1 40ef949a597709d59fb77e750d3db890cc00b568
SHA256 37e4bf6804adead167f2df189e754f29f9e4f984f7bd500973672b0b9313669b
SHA512 b2d7e1c582c88f18ca74e235a41a004e96ff5873afa4a88919c45183efd267ae2d1e69817865b411916b0337cc44f76237d97c8a3ef9bfe41e5766a630e35aef

C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

MD5 0cc1dc362b81f5243de1df8af03bfd68
SHA1 1d939d251e7db216984a3f93df72fc4a580c2675
SHA256 2a6adfd6cfcd3a049457f276c462906a03a057eee3bb2af9e203e82a48eb13c9
SHA512 49df1052fabfb72c259f2dbce51e7d9deb88a1356caa903131e5a1805358d6ce061405226bf19927c00689a2c088b02b30f283286b6d4f895941bb35904c3a15