Analysis Overview
SHA256: 2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4
Threat Level: Known bad
The file 2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4 was found to be: Known bad.
Malicious Activity Summary
Cosmu family
Detects Cosmu payload
Cosmu
Renames multiple (5043) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-06-05 08:18
Signatures
Cosmu family
Detects Cosmu payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2025-06-05 08:18
Reported: 2025-06-05 08:20
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 138s
Signatures
Cosmu
Cosmu family
Detects Cosmu payload
Renames multiple (5043) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe
"C:\Users\Admin\AppData\Local\Temp\2c05e3341362b0581f72dc9f94247d40654cc379996f4e0f8a88423d5a3fb0c4.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp
C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp