Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05/06/2025, 08:18

General

  • Target
    11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe
  • Size
    21KB
  • MD5
    2d1a6de4acdbf6a428a07c6b66663cc2
  • SHA1
    81ba1ce1603a648e4ef1a24f6fd6fe04fe5d349f
  • SHA256
    11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8
  • SHA512
    4120a96aa7cdb491f9db61508b4f4ad63213d7dff822d92bb2a8a4850819b3cb98ee8b542d1c40108388fabb7c929c0c2877a10044436fd84865d5a88f0ad61b
  • SSDEEP
    384:hAg+5OCZ4W6/KWLsqmFae+rOAqmFae+rOCNtQNt80u/M0u/r7:uZ4FLz8ae+rOn8ae+rOCjQjYIr7

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5306) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe
    "C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:2824

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini.tmp
    Filesize
    21KB
    MD5
    5aff50154337d1c17835b33c8cb0162f
    SHA1
    0a13fc6e220a1a9bb4ca0704e5b6661a3c90dc9b
    SHA256
    aeafc97ded153e5b5a4a2fe9b6261dc067d7893a482b4446603bb1abb38665c1
    SHA512
    66a4421215e6b9c2372d7b51c5de3f0895bba79bcc9f024b5d10995213143691180c6c3adae496c350395ad1b606ca606d86b5ad6d670c5bf113f4ef29f949ac

  • C:\e62b36dd3cccbd0b2c8aefa1fa8db0\2010_x86.log.html.tmp
    Filesize
    103KB
    MD5
    0ff8f9f71dd8c605ee02b30eaa384f26
    SHA1
    ea4be040eb6a05fe3995d0c2ede5ead0808a8fb8
    SHA256
    a71a5ce73fab8e6b0807e58cff1b48cd84d9efdc3045fa82a0a29dd694b23cae
    SHA512
    bf4e4d7d64aa713532517ae8a874dfa9c4b32e3c1359a5a233a5fc5fa5eb0472d215971eaf82858bc7d10bc7ca6a1baf63296b8330857a445f47a403c6782ad9

  • memory/2824-1233-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize
    28KB