Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2025, 05:26

General

  • Target

    734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe

  • Size

    2.6MB

  • MD5

    d232a5e0b7a6b57f0b26dc70b7d7e298

  • SHA1

    f7e4f532a61a724bac2b35e7b78362c930993295

  • SHA256

    734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100

  • SHA512

    15d436a8e08f3d575370f843235c395fd255d300bd8ae46a956a714dfa50aafacbbc5c8261802176ae3222912c5ecd4d70f04252b546fadae2ab6a53bd3e5776

  • SSDEEP

    49152:6LoHPM9JQtDw+M4AzO0sE722MumIoZgSj4RQK:2oHPM9K9w+M4AzDsE7dMj4RQK

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (1181) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe
    "C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:1932

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3008489981-1977616533-741913813-1000\desktop.ini.tmp

          Filesize

          2.6MB

          MD5

          b3798da8d652e5abd67f4a47de1d8d30

          SHA1

          c67cc357508c51692e42915f7c492eb7ab4b71dc

          SHA256

          0ca5455aa5435ed0806ea7658d975168d0ed2342d9b5cb088b1a8f8a2f51efae

          SHA512

          b508c911cf23a20b19e06bdfa77d3cf3e15164eb5ccdee04071d5bdb4898445d7f22f3a25ff81dd67932125b45c01a94f582ab37b3502a861c318468101cdb49

        • C:\84738cc25964774ab2d2ce2181\2010_x86.log.html.tmp

          Filesize

          2.6MB

          MD5

          513200a24fcd3b379564cbb202af6ba0

          SHA1

          77349684c999a6ec55c9444525baaf8fc0f3767e

          SHA256

          cb4fc575e4edc6d44b39ebcba71f7ad2429a2b4ffbdba31a53e637f29950e0fe

          SHA512

          f197b6ec1edd1186c1162e2696e732af56713c7ab6925bf15f0191936ab3effab51a5a6e7811607b6c9c1e42ab4ff2c60987c58fd796bbca1db556ee5f8cd177

        • memory/1932-247-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB