Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/07/2025, 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe
- Resource: win10v2004-20250619-en
Behavioral task: behavioral2
- Sample: 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe
- Resource: win11-20250619-en
General
- Target: 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe
- Size: 2.6MB
- MD5: d232a5e0b7a6b57f0b26dc70b7d7e298
- SHA1: f7e4f532a61a724bac2b35e7b78362c930993295
- SHA256: 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100
- SHA512: 15d436a8e08f3d575370f843235c395fd255d300bd8ae46a956a714dfa50aafacbbc5c8261802176ae3222912c5ecd4d70f04252b546fadae2ab6a53bd3e5776
- SSDEEP: 49152:6LoHPM9JQtDw+M4AzO0sE722MumIoZgSj4RQK:2oHPM9K9w+M4AzDsE7dMj4RQK
Malware Config
Signatures
- Cosmu family
- Detects Cosmu payload (1 IoC)
  Cosmu is a worm written in C++.
  resource: behavioral1/memory/1932-247-0x0000000000400000-0x0000000000407000-memory.dmp, yara_rule: family_cosmu
- Renames multiple (1181) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID: 1932
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 2.6MB
  MD5: b3798da8d652e5abd67f4a47de1d8d30
  SHA1: c67cc357508c51692e42915f7c492eb7ab4b71dc
  SHA256: 0ca5455aa5435ed0806ea7658d975168d0ed2342d9b5cb088b1a8f8a2f51efae
  SHA512: b508c911cf23a20b19e06bdfa77d3cf3e15164eb5ccdee04071d5bdb4898445d7f22f3a25ff81dd67932125b45c01a94f582ab37b3502a861c318468101cdb49
- Filesize: 2.6MB
  MD5: 513200a24fcd3b379564cbb202af6ba0
  SHA1: 77349684c999a6ec55c9444525baaf8fc0f3767e
  SHA256: cb4fc575e4edc6d44b39ebcba71f7ad2429a2b4ffbdba31a53e637f29950e0fe
  SHA512: f197b6ec1edd1186c1162e2696e732af56713c7ab6925bf15f0191936ab3effab51a5a6e7811607b6c9c1e42ab4ff2c60987c58fd796bbca1db556ee5f8cd177