Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j7e2gaen7w
Target 972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5
SHA256 972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file 972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5214) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:18

Reported

2025-06-05 08:20

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5214) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe

"C:\Users\Admin\AppData\Local\Temp\972482ea598bb8bd584e1e7f049c6add293ef35b75baf299e6aa9213f8fb28e5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 9e9ed1c1db2559ef1e8e237656763ff5
SHA1 517cafd7c3d4272de08a4069c9d24fadfd65e942
SHA256 6fc7a6eea79e425b59565d2477d236188a315d2a181d098fb15f6a6b5b4e8e04
SHA512 1e19107747c2902559674d81eff520b9e46bd8f472d1ebe9b182fbd18a90c0bcce096bb207d942b291610d17392799dbcb14885a02c18345dc9f0c4ce6224c87

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 8a872585d590290004a764678fa7280f
SHA1 43b8ed34d386869195edbae22541cba3bdf71f1d
SHA256 ea18e19f46a8d94d624bd4d6dc4634e9ea5049d477c2f49a803acc20b01f66dd
SHA512 35e7a47e922b391cd48fee6434de70089bf9de684e567693a9cf64736365a16284359ff31d3708382734ae1230b0a92f827f53dbed0144904d2c022902bf974b

memory/648-829-0x0000000000400000-0x0000000000407000-memory.dmp