Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/07/2025, 05:26

General

  • Target

    734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe

  • Size

    2.6MB

  • MD5

    d232a5e0b7a6b57f0b26dc70b7d7e298

  • SHA1

    f7e4f532a61a724bac2b35e7b78362c930993295

  • SHA256

    734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100

  • SHA512

    15d436a8e08f3d575370f843235c395fd255d300bd8ae46a956a714dfa50aafacbbc5c8261802176ae3222912c5ecd4d70f04252b546fadae2ab6a53bd3e5776

  • SSDEEP

    49152:6LoHPM9JQtDw+M4AzO0sE722MumIoZgSj4RQK:2oHPM9K9w+M4AzDsE7dMj4RQK

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (1254) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe
    "C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:5520

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-707770698-2523217751-1187874351-1000\desktop.ini.tmp

          Filesize

          2.6MB

          MD5

          08e447a906cfed771b04fc118a6923a2

          SHA1

          58e7697cccd1131b7ad930746df8ee581cd920dd

          SHA256

          a678739fe052917df4f4ad12f9c879053cae85b77ddd6f549be97776741843cb

          SHA512

          bcca4d387d6eebba8feec795c42e8d32fc2f4730a244d9159576d70cd667e357c5e624fa615cf7f5841efb09d29e6cc643fa4a962f332ee703e6ba61eacdadbf

        • C:\7219690d69d70c9cdaab3c\2010_x86.log.html.tmp

          Filesize

          2.6MB

          MD5

          c8f052cc9ce813468607dd5633b81613

          SHA1

          1e4a6e8c854f1a02b9d737e405c71a7462ffab72

          SHA256

          b6ab2a23ecb6d677417878a13619cc5b4f5a55c7d21be3d91ed6b7a356889921

          SHA512

          854545c03ea16a999df57f4963fa1e825a507c30bc047dd67a9b3b9ef4a7ffdf059227d0f97ac59e0e32588b92ebb6d185cde02e9756a8ff27f3f51b540a7e6a

        • memory/5520-241-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB