Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j7kxqaen7z
Target 24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b
SHA256 24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (4691) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported 2025-06-05 08:18

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2025-06-05 08:18
Reported 2025-06-05 08:21
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (4691) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b.exe

"C:\Users\Admin\AppData\Local\Temp\24f2eb90845e42c7b83d4cc2d690e14e29881d033253741af02d9a10b768b94b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

MD5 6513880aedd653d644de4c595b34ed30
SHA1 1e3147fec60e2d351805a7f2fa816cddee315650
SHA256 bcd2f62b3b12d45bb4651be30b0deec2ef8a85dcc8d1f46ca33b46447e97c7f6
SHA512 3289f963dc95dddaa44d10d35df4ca7e6bf3cd2b97c55fdc3c637beb03e0695b4ece018810d8d8e14fac0fcaa86cbd296f22a22ca1235a0cdb5f3b741475b2c7

C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

MD5 355fa9966c6c790fa6e76ca3efe298fa
SHA1 b0dc95e4cff6f07c1d91971c308a75d2b7a0968a
SHA256 4abc7efb894ee1c44fd838c284d553b58a55f840e7c60f0d68ff0b99e68141d9
SHA512 5c33022545f47e8ecd87b5a0efbf80aeb0623928d1cb840719fa303a35a208ced0105fa1ef1ff533934b849bfd255d6b74baf70197fc93dc6034bf79c95879a8