Analysis
-
max time kernel
149s -
max time network
102s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
05/06/2025, 08:18
Behavioral task
behavioral1
Sample
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
Resource
win11-20250502-en
General
-
Target
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
-
Size
281KB
-
MD5
3a85e8a4af518aa58cc7891ee95db231
-
SHA1
df0bae9ae511225ec962aeca1fcf0b3748b37f00
-
SHA256
6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02
-
SHA512
3f825f1033b50d7837ac374280dc6e6e427afe0edf36ad684ac75a8828356e20d41bf48b0483c2e3fd3028d77df3f6996e2c158c41d90b96d4338b2ae4831b80
-
SSDEEP
768:s7BlpppARFbhdLz8ae+rOn8ae+rOb83osGOUiuJtfosGOUiuJt5:s7ZppApdIIC0E
Malware Config
Signatures
-
Cosmu family
-
Detects Cosmu payload 2 IoCs
Cosmu is a worm written in C++.
resource | yara_rule
behavioral2/files/0x001f00000002adc1-1.dat | family_cosmu
behavioral2/files/0x00040000000270ed-5.dat | family_cosmu
-
Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe "C:\Users\Admin\AppData\Local\Temp\6d603198b881a83e2d4908e309a2d6f2f5709aaa760766f221f9474c01367b02.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2532
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
282KB
MD5 cf2813dff340fc4a69d194e84bb5282e
SHA1 1f8a8d7ebe5f3cd93de67872cec0f8aa3e6b0251
SHA256 c1a62961a6fb35184929cca0f23c81323318e6607c25b4ddeca31ad05cb89ae1
SHA512 485a4d141cb1e758efbb13e25fdf75b30c7fa76db7febfe1983a3f5b89c573365647fffebbb186663e1f9a3da95deea7ea8f3d8d1eb518eba25f03bd2cef8b84
-
Filesize
363KB
MD5 9762f1353e83a5cdc9509d859f41b5bb
SHA1 12da51647bbc455e64125d9e5881edefba4f44dc
SHA256 083af4dc06c9ffc1748568cb1959a44076cab434b5947cbc7160444dea5b45c9
SHA512 670625877b6e305ce7f73810e78a10664d1090cef554f0c71ab8f5ca2d55a03ae6675eae1d7a2f50f8832274f0e8b92299d76912b26209ae5d39d32c0edb7553