Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250502-en locale:en-us os:windows10-2004-x64 system -
submitted
05/06/2025, 08:18
Behavioral task
behavioral1
Sample
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
Resource
win11-20250502-en
General
-
Target
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
-
Size
281KB
-
MD5
3a85e8a4af518aa58cc7891ee95db231
-
SHA1
df0bae9ae511225ec962aeca1fcf0b3748b37f00
-
SHA256
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02
-
SHA512
3f825f1033b50d7837ac374280dc6e6e427afe0edf36ad684ac75a8828356e20d41bf48b0483c2e3fd3028d77df3f6996e2c158c41d90b96d4338b2ae4831b80
-
SSDEEP
768:s7BlpppARFbhdLz8ae+rOn8ae+rOb83osGOUiuJtfosGOUiuJt5:s7ZppApdIIC0E
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 2 IoCs
Cosmu is a worm written in C++.
resource | yara_rule
behavioral1/files/0x000d000000023fb0-1.dat | family_cosmu
behavioral1/files/0x000300000001f083-5.dat | family_cosmu
-
Renames multiple (4508) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
"C:\Users\Admin\AppData\Local\Temp\6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4792
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
282KB
MD5
035edab9eab580be21a60234595f43f3
SHA1
c672e55afc4ee66f9e9e5815fede65a6049d39e4
SHA256
1b022d566c0b9cdbe0ea801c74637a11ab4f129c1bed7072682951afbadc3e77
SHA512
c002de3de6e6ee0c1b58113d8d963c1a912f2830a2c25bee62fd4c637cc6e388fa3a0707f4b3f808bcc577f5b519d9be9a915b9a6ce8ea2cf7a4af73a2d17e16
-
Filesize
362KB
MD5
7bc04790a3a793eaf560bf05ad4cd326
SHA1
0df16b525673032a1be9bd370b39ac4011f90af6
SHA256
81acd69d97c40afd36903b361585f83c3c97442f9bb2546133f2357db5f88b12
SHA512
9b908917cb86ead9a1796be94bed6f16146ed5a5f2ce21141a0866885f7632e129aff9da1143b42a31b08556085a5015390651d9f965328ba4006ac1f89b232b