Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2025, 08:18

General

  • Target

    2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe

  • Size

    20KB

  • MD5

    401f409662f02e54c01551556b2b78dc

  • SHA1

    b93006da993eb0fe7871089d7dfd38af05ba64a5

  • SHA256

    2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b

  • SHA512

    ad96633ab0893330c61b08584b58ebdc13a52ac89f3459b771f45d8b03847172628e407fcfd95327174cbc8ef853ad0c929c7dce75e5467d5f3d12f39751e965

  • SSDEEP

    384:gBt7Br5xjL9AgA71FbhvP/KWLsqmFae+rOAqmFae+rOcZHZi:s7BlpppARFbhdLz8ae+rOn8ae+rOcZHQ

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 2 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5282) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe
    "C:\Users\Admin\AppData\Local\Temp\2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4748

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

          Filesize

          21KB

          MD5

          266d2fc19e3cf43a4f93ac58e3cdf479

          SHA1

          f7fd1168d4c6baa48bab36f2557f87c19138cc45

          SHA256

          fa964d30f09d65bf874fab12436549cee81acb2ce9a2a5c5ca7ab18fe14a557b

          SHA512

          67348c1d19e31603de328cc9eba5dcde608b0a8ff5f054e1c5e6e345e99d88c2b017a9aa888bf73e568439cc7e40661df356b805852536891fd098bb25ae8234

        • C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

          Filesize

          106KB

          MD5

          666203648e58e533ace1458b053a3f4a

          SHA1

          f04b7e7030dd5eed4e94abe0d1c7fe137124bf4e

          SHA256

          a860167b4c56e4ce0c249b20582a91fa106957167b370d232abba28f5ff0ef2a

          SHA512

          fc45766986094ec786ac965c54fc1721aea10683d5016aad5857c9b47b5e791537214c3272114de231d72a6baab1bf60e4568287e3496bf999a18dcdaa963065