Analysis
- max time kernel: 149s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/07/2025, 05:23
Static task: static1
Behavioral task: behavioral1
Sample: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Resource: win10v2004-20250502-en
General
- Target: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
- Size: 28KB
- MD5: 6ba02c3b1bbd1f3526e98624a714f317
- SHA1: 91d9f99383564c255d50fb326f54232bbe6d9b6c
- SHA256: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0
- SHA512: 1bc2e6b737a2731cf82a46adddc5786046dafcdc9d24549c729c7d7c03487a048775bdf524918267a78d11b2c69f834fdc985771ba6b513f13eb0fa76b94767c
- SSDEEP: 768:uZ4FLm8Q8Boxn6oxSoxn6ox1YFlLYFlnb9g:uGsx1xtx1xWgn9g
Malware Config
Signatures
- Cosmu family
- Detects Cosmu payload (1 IoC)
  Cosmu is a worm written in C++.
  resource | yara_rule
  behavioral1/memory/6080-789-0x0000000000400000-0x0000000000407000-memory.dmp | family_cosmu
- Renames multiple (5196) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
-
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\id.pak.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\strings.resjson.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Principal.Windows.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.TypeConverter.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework.Aero.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Formats.Tar.dll.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID: 6080
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 28KB
  MD5: 86be624cba1c5273611c9578d44df08f
  SHA1: 5fc8672aec0af3588d512b47df4115c57dec4a80
  SHA256: 351d1b39676f7b94aec037e0aff62502ce27fcb00bc653734745a1c774004bd5
  SHA512: 45796ce41791ecac7f38f07124af0a4f5638f1303593d59829fdf7db710f5ef6c033525340a2d7a79f2ad5efca3269cce6588eaec8b4ecc7fbb35b4425f4b1ce
- Filesize: 108KB
  MD5: 66ad297ca6cdf1f3ed0e8379c187edb4
  SHA1: 810e5408fbf3119410a218867181d541bec331ea
  SHA256: 55f697c52b1e8b900b1e8e3ce7a43231477866a7b5a1e2fd0c5d9f6d6b5f743e
  SHA512: b9ca09a04774b7821254229c56d4091129601d93c4c11b864c7d9b6fe95a5aa8e8e2429b844c479848278a62b5502057009f2b11f645488de54f8e13c308291c