Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j7dteaen7t
Target 2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b
SHA256 2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

score
10/10

SHA256

2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b

Threat Level: Known bad

The file 2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5282) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:18

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:18

Reported

2025-06-05 08:20

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5282) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe

"C:\Users\Admin\AppData\Local\Temp\2c78c3893ea41ba6088eeb516ead282222eca18d08fa80b907685c369bd4f16b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

MD5 266d2fc19e3cf43a4f93ac58e3cdf479
SHA1 f7fd1168d4c6baa48bab36f2557f87c19138cc45
SHA256 fa964d30f09d65bf874fab12436549cee81acb2ce9a2a5c5ca7ab18fe14a557b
SHA512 67348c1d19e31603de328cc9eba5dcde608b0a8ff5f054e1c5e6e345e99d88c2b017a9aa888bf73e568439cc7e40661df356b805852536891fd098bb25ae8234

C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

MD5 666203648e58e533ace1458b053a3f4a
SHA1 f04b7e7030dd5eed4e94abe0d1c7fe137124bf4e
SHA256 a860167b4c56e4ce0c249b20582a91fa106957167b370d232abba28f5ff0ef2a
SHA512 fc45766986094ec786ac965c54fc1721aea10683d5016aad5857c9b47b5e791537214c3272114de231d72a6baab1bf60e4568287e3496bf999a18dcdaa963065