Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system -
submitted
05/06/2025, 08:18
Static task
static1
Behavioral task
behavioral1
Sample
972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe
Resource
win10v2004-20250502-en
General
-
Target
972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe
-
Size
29KB
-
MD5
1dab7b8cffc06987f128a88ccfdc467b
-
SHA1
a8ef5aaefa9b035d28734cec60babbcfcd891399
-
SHA256
972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5
-
SHA512
b96493d83e9c0aa394cd0ddf3563d3fced937e01e5d836cc205ef085665e4bb06277ee0c30aab4ca7fa52b7c667f3e26fa9b2995df83091464730149e67dd35b
-
SSDEEP
384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOfijcijSkR:uZ4FLz8ae+rOn8ae+rOfXHkR
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 1 IoCs
Cosmu is a worm written in C++.
resource: behavioral1/memory/648-829-0x0000000000400000-0x0000000000407000-memory.dmp
yara_rule: family_cosmu -
Renames multiple (5214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe "C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:648
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
29KB
MD5 9e9ed1c1db2559ef1e8e237656763ff5
SHA1 517cafd7c3d4272de08a4069c9d24fadfd65e942
SHA256 6fc7a6eea79e425b59565d2477d236188a315d2a181d098fb15f6a6b5b4e8e04
SHA512 1e19107747c2902559674d81eff520b9e46bd8f472d1ebe9b182fbd18a90c0bcce096bb207d942b291610d17392799dbcb14885a02c18345dc9f0c4ce6224c87
-
Filesize
110KB
MD5 8a872585d590290004a764678fa7280f
SHA1 43b8ed34d386869195edbae22541cba3bdf71f1d
SHA256 ea18e19f46a8d94d624bd4d6dc4634e9ea5049d477c2f49a803acc20b01f66dd
SHA512 35e7a47e922b391cd48fee6434de70089bf9de684e567693a9cf64736365a16284359ff31d3708382734ae1230b0a92f827f53dbed0144904d2c022902bf974b