Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2025, 06:58

General

  • Target

    a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe

  • Size

    203KB

  • MD5

    66273e6fcbf0b03ec9f86b432f2acbdd

  • SHA1

    07f7878a112f50839ab4ad6b73763e240e5ddd86

  • SHA256

    a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8

  • SHA512

    635c38106bfc61e92556f9190b9b4d76553ab0ed41c5be974a641419ed7d60491789755266734c20e890ec5e88b740d2507a69f313aab9ef8476da89c4d64710

  • SSDEEP

    3072:cEKEL2pcbOaM4ujkwlcnzhQNv40j0PW1IrEfMtyhud:92pWQNjlYn00rZy4

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5050) files with added filename extension

    This suggests ransomware-style activity: files across the system are renamed with an extra extension appended. The report itself only records the renames; the 84KB desktop.ini.exe listed under Downloads has the same size as the dropped Zombie.exe, so the renamed files should be inspected before concluding they were encrypted rather than overwritten.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
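
A detection for the rename signature above, added here as an example and not part of the sandbox report: it checks whether each rename keeps the directory and the original file name and appends exactly one new extension, then counts such renames per process and extension. The event tuples are constructed for the example; PID 1096 is borrowed from the process tree in this report, and a real deployment would feed the function EDR file-rename telemetry (assumption).

```python
"""Flag a process that renames many files by appending an extension.

Added example; not part of the sandbox report. Input is a constructed
list of file-rename events shaped as (pid, old_path, new_path); a real
feed would be EDR rename telemetry (assumption).
"""
from collections import defaultdict
import ntpath

# Constructed sample events. PID 1096 is the report's Zombie.exe PID; the
# paths and the events themselves are made up for this example.
SAMPLE_RENAMES = [
    (1096, r"C:\Program Files\App\readme.txt", r"C:\Program Files\App\readme.txt.exe"),
    (1096, r"C:\Program Files\App\notes.docx", r"C:\Program Files\App\notes.docx.exe"),
    (1096, r"C:\$Recycle.Bin\S-1-5-21-1\desktop.ini", r"C:\$Recycle.Bin\S-1-5-21-1\desktop.ini.exe"),
    (4242, r"C:\Users\Admin\report.tmp", r"C:\Users\Admin\report.pdf"),  # extension replaced, not appended
    (4242, r"C:\Users\Admin\a.txt", r"C:\Users\Admin\b.txt"),            # plain rename
]


def appended_extension(old_path, new_path):
    """Return the appended extension (e.g. '.exe') when new_path is old_path
    plus exactly one extra extension in the same directory, else None."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name):]
    # Exactly one new, non-empty extension component.
    if ext.count(".") != 1 or len(ext) < 2:
        return None
    return ext.lower()


def find_mass_renamers(events, threshold=3):
    """Count appended-extension renames per (pid, ext); return those at or above threshold."""
    counts = defaultdict(int)
    for pid, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            counts[(pid, ext)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (pid, ext), n in find_mass_renamers(SAMPLE_RENAMES).items():
        print(f"PID {pid} appended {ext} to {n} files")
```

The threshold here is far below the 5050 renames the sandbox counted; tune it to the environment, and treat the appended extension as a pivot for the hunt rather than a fixed value.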

Processes

  • C:\Users\Admin\AppData\Local\Temp\a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe
    "C:\Users\Admin\AppData\Local\Temp\a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5284
    • C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe
      "_AcroServicesUpdater2_x64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:620
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1096
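
The tree above can be rebuilt from endpoint telemetry, and the "Executes dropped EXE" signature corresponds to a simple correlation: a file written by one process later appears as the image of a new process. The following is an added example, not part of the report; it uses a simplified event shape modelled on Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) (assumption), with constructed events whose paths and PIDs are taken from the process tree above.

```python
"""Correlate file writes with later process creations to find dropped EXEs
that were executed, and rebuild the parent/child process tree.

Added example; not part of the sandbox report. The event dicts are a
simplified form of Sysmon Event ID 11 (FileCreate) and Event ID 1
(ProcessCreate) (assumption). Values are constructed, with the paths and
PIDs copied from the report's process tree; the parent PID 1234 and the
unrelated PID 4242 are made up.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {"kind": "ProcessCreate", "pid": 5284, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a036531f169d10e473e89306c21fba364a8e50b209abb4388e3395cc6aa33be8.exe"},
    {"kind": "FileCreate", "pid": 5284,
     "target": r"C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe"},
    {"kind": "FileCreate", "pid": 5284, "target": r"C:\Windows\SysWOW64\Zombie.exe"},
    {"kind": "ProcessCreate", "pid": 620, "ppid": 5284,
     "image": r"C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe"},
    {"kind": "ProcessCreate", "pid": 1096, "ppid": 5284,
     "image": r"C:\Windows\SysWOW64\Zombie.exe"},
    # Constructed benign noise: a file written by an unrelated process and never executed.
    {"kind": "FileCreate", "pid": 4242, "target": r"C:\Users\Admin\Documents\notes.txt"},
]


def executed_dropped_exes(events):
    """Return (child_pid, image, dropper_pid, dropper_is_parent) for every
    ProcessCreate whose image was written earlier in the same event stream."""
    written_by = {}  # lower-cased path -> pid that wrote it
    hits = []
    for ev in events:
        if ev["kind"] == "FileCreate":
            written_by[ev["target"].lower()] = ev["pid"]
        elif ev["kind"] == "ProcessCreate":
            dropper = written_by.get(ev["image"].lower())
            if dropper is not None:
                hits.append((ev["pid"], ev["image"], dropper, dropper == ev["ppid"]))
    return hits


def process_tree(events):
    """Map parent pid -> list of (child pid, image) from ProcessCreate events."""
    tree = defaultdict(list)
    for ev in events:
        if ev["kind"] == "ProcessCreate":
            tree[ev["ppid"]].append((ev["pid"], ev["image"]))
    return dict(tree)


def render_tree(tree, root, depth=0):
    """Return an indented text rendering (list of lines) of everything below root."""
    lines = []
    for pid, image in tree.get(root, []):
        lines.append("  " * depth + f"{image} (PID {pid})")
        lines.extend(render_tree(tree, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(process_tree(SAMPLE_EVENTS), 1234)))
    for pid, image, dropper, by_parent in executed_dropped_exes(SAMPLE_EVENTS):
        print(f"PID {pid} ran {image}, written by PID {dropper}"
              + (" (its parent)" if by_parent else ""))
```

Paths are compared case-insensitively on the image path rather than the command line: the report shows Zombie.exe launched with the command line "C:\Windows\system32\Zombie.exe" while the image on disk is C:\Windows\SysWOW64\Zombie.exe, which is WoW64 file system redirection for a 32-bit process on x64 Windows, so a correlation keyed on the command-line string would miss the match.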

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2012121138-1878458325-808874697-1000\desktop.ini.exe

          Filesize

          84KB

          MD5

          8fd9e66a936f71ebbe2ee28d4cc5f8c8

          SHA1

          fe4d9f2482ea0b2d5dcd0d82751759f3036adcee

          SHA256

          1cbf09115c52d6376a3ad8ef3a3a0425a4bf71b58a5f0aec8e5aba545fa118a9

          SHA512

          c13ad69b28480ae699a23c167c3315d74a54132670c85070c3acf05c840e3c44637a5781babb694cd4b6fb35baaf33942c98a209428227c82002b96804c163c5

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LN2KZ60H\S3[1].htm

          Filesize

          13B

          MD5

          c83301425b2ad1d496473a5ff3d9ecca

          SHA1

          941efb7368e46b27b937d34b07fc4d41da01b002

          SHA256

          b633a587c652d02386c4f16f8c6f6aab7352d97f16367c3c40576214372dd628

          SHA512

          83bafe4c888008afdd1b72c028c7f50dee651ca9e7d8e1b332e0bf3aa1315884155a1458a304f6e5c5627e714bf5a855a8b8d7db3f4eb2bb2789fe2f8f6a1d83

        • C:\Users\Admin\AppData\Local\Temp\_AcroServicesUpdater2_x64.exe

          Filesize

          119KB

          MD5

          aba284c3712f8cdb2fdc70689933a909

          SHA1

          e836d2554ff9043605d333eace443b95c5ceb55d

          SHA256

          99727a25e431134f75c9342ca608d1007ea31733f7fd4dda32356e5e36c23f9b

          SHA512

          217ab6bfff758b1137aadaa9878727493e3efe5a72412bd4eedcb538854c5e25dcad17c7446443174b0e2ab695a9dbf7c7b67c86c89fd48055c04c2e10dfecd4

        • C:\Windows\SysWOW64\Zombie.exe

          Filesize

          84KB

          MD5

          571e4f97273e546b32b4ef5bbfe6e89e

          SHA1

          3186d27db5e8412e9f20ec3def0720f779a41f09

          SHA256

          112476057a328b07cc8758f2869a348c7bd6e8aba8bd5b44585322dd8381f089

          SHA512

          112af1cc986dd2a8aa0c0ec5fc7408b2b112e7282b5a3773badd4c69d409c590189dccc3904c43a910239dad18a60cca646a24d1baf2e9b383f7f734f6f4c272

        • memory/5284-313-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB